Security

Your Pipeline Data Is Sensitive. We Treat It That Way.

Sales call transcripts and CRM pipeline data are among the most commercially sensitive assets your company has. Here is how we protect them.

Security controls

Encryption, access controls, compliance posture, and data handling — each layer specified.

Encryption at Rest & in Transit

All call transcripts and CRM pipeline data are encrypted at rest using AES-256. All data in transit is protected with TLS 1.3. Encryption keys are managed with rotation policies. Your data never touches unencrypted storage at any point in the processing pipeline.

AES-256 at rest
TLS 1.3 in transit
Automated key rotation

Access Controls & Authentication

Role-based access control ensures each user only sees the data appropriate to their role — reps see their own deals, managers see their team's, admins see organization-wide. Scale plan customers get SAML 2.0 SSO. All logins support two-factor authentication.

Role-based access control (RBAC)
SAML 2.0 SSO (Scale plan)
Two-factor authentication

SOC 2-Informed Security Program

Our security program is designed with SOC 2 Trust Services Criteria in mind. We have implemented controls across security, availability, and confidentiality — including change management processes, incident response playbooks, and continuous monitoring.

Security, availability, confidentiality controls
Incident response process
Continuous monitoring

Data Residency & Compliance

We support data processing agreements (DPAs) for customers who require them. Retention controls let organizations define how long call data and signals are stored. Right-to-delete requests are processed within 30 days. We are built to support your GDPR and CCPA compliance requirements.

Data Processing Agreements (DPA) available
Configurable retention policies
Right-to-delete within 30 days

Common questions

Security FAQ

Who at Winpathio can see my call transcripts?

Access to customer data is restricted to a small number of engineers with explicit data access permissions. Access is logged, audited, and requires a specific business justification. We do not access customer call content for any purpose except diagnosing reported issues.

Do you train AI models on my call data?

No. Your call transcripts and pipeline data are used exclusively to generate signals and alerts for your organization. We do not train AI or machine learning models using customer data. Signal taxonomy improvements are based on aggregate, non-identifiable pattern analysis only when customers explicitly opt in to a shared improvement program.

Can we delete all our data if we leave Winpathio?

Yes. When you cancel your subscription, you can request full data deletion. We will delete all stored call transcripts, derived signals, and CRM-linked data within 30 days and provide written confirmation. You can also request a data export before deletion.

What happens to call data when it's processed?

Call audio is processed by our transcription layer (or your existing call recording tool's transcript if you use Gong or Chorus). The resulting transcript is analyzed for signals, stored encrypted, and deleted according to your configured retention policy. Audio files are never stored in our systems — we work from transcripts only.

Do you sign Data Processing Agreements (DPAs)?

Yes. We offer a standard DPA for all customers on any paid plan. For enterprise customers with specific legal or compliance requirements, we can review and negotiate custom DPA terms. Contact us at [email protected] to request a DPA.

Have a security question we didn't answer?

Reach our team directly at [email protected] with the subject line "Security inquiry." We respond within 1 business day.