Security and compliance frameworks for regulated communications
This is how Spoke protects your communications, employee, and business data, who can access it, and how we prove it
Why communication security is a compliance issue for your company
In regulated industries, business conversations are records, and regulators like the SEC, CFTC, and others treat them that way. Companies have been fined for failing to preserve business communications, especially those sent over personal devices and channels such as WhatsApp. The content of those messages was not the violation. A firm’s ability to capture and produce them is.
Spoke Phone enables the control, capture, and preservation of every call and message on any device, including mobile phones.
Spoke’s compliance frameworks include SOC 2, SOC 1, HIPAA and GDPR, and provides the controls allowing financial organizations to meet their FINRA obligations.
The Spoke platform ensures that every call, message, and WhatsApp conversation flows through a compliant, encrypted, and controlled environment, and gives you the ability to store and retrieve those conversations for audit, dispute, and regulatory review.

How your data, the systems it runs on, and access to both are protected
Encryption
All customer data is encrypted at rest and in transit.
Databases are encrypted at rest, and application traffic is transmitted exclusively over TLS/SSL. Recordings and stored data are protected with 256-bit AES encryption.
For additional control, customers can:- Apply private encryption tokens to recordings, retaining sole control of the keys.
- Redact phone numbers and personally identifiable information (PII) from Spoke Phone servers.
Access control
Access to cloud infrastructure and sensitive systems is restricted to authorized personnel with a documented business need, following the principle of least privilege.
Access rights are reviewed quarterly. All personnel are subject to enforced authentication and password-complexity requirements.
Data residency and customer control
Customers determine where their data is stored and who can access it.
Spoke's APIs and pre-built integrations support local data storage and customer-controlled access, allowing organizations to align data handling with their own regulatory and residency obligations.
Threat detection and resilience
How we detect problems, respond to incidents, and maintain availability.
1. Vulnerability management and monitoring
Spoke performs ongoing vulnerability scanning and active threat monitoring across its environment. Cloud services are continuously logged to support detection, investigation, and audit.
Threat detection and resilience
How we detect problems, respond to incidents, and maintain availability.
2. Incident response
Spoke maintains a documented incident-response process covering detection, escalation, mitigation, and customer communication. In the event of a security incident, defined procedures govern how issues are contained and how affected customers are notified.
Threat detection and resilience
How we detect problems, respond to incidents, and maintain availability.
3. Business continuity and disaster recovery
Spoke uses its hosting provider's backup services to protect against data loss in the event of hardware failure. Monitoring services alert the team to failures that could affect availability, so issues are addressed quickly.
Governance, assurance, and compliance
The program, testing, and personnel behind our controls, and how they meet regulatory requirements
Personnel security
All Spoke team members are background-checked in accordance with local law, complete industry-standard security awareness training, and sign a confidentiality agreement before their first day. Every team member is required to review and accept Spoke's security policies.
Independent testing and auditing
Spoke undergoes independent third-party assessments of its security and compliance controls. Third-party penetration testing is conducted at least annually to validate the security posture of our services.
Compliance program and certifications
Spoke is SOC 2, HIPAA, and GDPR certified, and provides frameworks supporting FINRA regulations. Spoke is built on Twilio's compliant infrastructure, certified in: SOC 2 Type II & Type 1, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, PCI DSS Level 1, HIPAA, GDPR, CCPA, and CPRA.
These standards are supported by an active Information Security Program aligned to the SOC 2 framework, communicated across the organization and formally acknowledged by all personnel. Roles and responsibilities for information security and the protection of customer data are documented and assigned.
Reguatory compliance for Healthcare and Finance
Spoke provides built-in compliance for the industries that matter most
“Our brokers need to be mobile, but we couldn’t afford the compliance blind spots that came with that. Spoke gave us visibility into mobile calls and messages without slowing our teams down — and we’ve seen measurable improvements in both risk and performance.”
