Voice AI security questionnaire: the questions IT-Sec actually needs answered

A — Data flow and per-call-leg residency

The single highest-value section. Most vendors will quote 'data residency in your region' and route inference through a US-based model provider. Both can be true. Ask for the per-call-leg picture.

1. Provide a data-flow diagram showing every leg of a single call: PSTN ingress, capture, ASR, retrieval, LLM inference, TTS, egress, recording storage, transcript storage, derived analytics.
2. For each leg, name the legal entity performing the processing, the jurisdiction, and the sub-processor if not you.
3. Name the model provider for ASR, LLM, and TTS. State whether inference is dedicated, multi-tenant, or routed.
4. State the round-trip transfer mechanism (SCCs, UK IDTA, adequacy decision) for any leg that crosses a border.
5. Confirm that no leg routes to a US-based provider if the contract is for a non-US jurisdiction — or document the lawful basis.

B — Sub-processors

The sub-processor list, not the headline residency, determines where data actually goes. Change notification is where most DPAs are weakest.

• Provide the current sub-processor list with function, entity name, and country of processing.
• State the change-notification SLA when a sub-processor is added, removed, or replaced.
• Provide the customer's right to object to a new sub-processor and the consequence (termination right, transition support).
• Confirm that sub-processors are bound by terms no weaker than the master DPA, with audit rights flowing through.

C — Model training and data use

The default matters more than the opt-out. A vendor whose default is 'we train on customer data unless you opt out' has already exposed historical data before the contract is signed.

• State the default position on training models on customer data: yes, no, or opt-in.
• Where opt-out is available, describe the technical enforcement and the audit evidence the customer can request.
• State whether prompts, transcripts, retrieval inputs, or derived embeddings are retained for any vendor purpose beyond service delivery.
• State the retention period for each data class (audio, transcript, retrieval logs, model inputs) and the deletion SLA on customer request.
• Confirm there is no model fine-tuned on the customer's data that persists after contract termination.

D — Identity, access, and audit

• Confirm SSO via SAML or OIDC, with named identity providers tested in production.
• Describe the role model and the principle of least privilege as applied to vendor staff with access to customer environments.
• Provide the audit log format: who, what, when, before-value, after-value. Confirm export to the customer's SIEM.
• State the cadence of internal access reviews and the artefact the customer can request.

E — Incident response

• State the breach-notification SLA from confirmation, not from disclosure decision.
• Provide the last three customer-impacting incident summaries with root cause and remediation. Redact customer names; keep the technical detail.
• Describe the on-call coverage model: hours, escalation, named accountable engineer per severity.
• Provide the disaster-recovery RPO and RTO for the voice service and the evidence that they have been tested in the last twelve months.

F — Compliance attestations and certifications

• Provide SOC 2 Type II for the most recent twelve-month audit period, including any qualifications.
• Provide ISO 27001 certificate and statement of applicability.
• Provide HITRUST (healthcare), PCI-DSS (payments), or sector-specific attestations as applicable.
• Confirm GDPR and UK GDPR posture, including representative in the EU and UK where required.
• State the EU AI Act position: AI-disclosure obligation in force 2026 and the high-risk obligations roadmap under the 2026 amendment.

G — Exit, portability, and destruction

The cheapest leverage you will negotiate is at signature, before the deployment exists. The most expensive is at exit.

• Provide the data export format and the timeline from termination notice to delivery.
• Confirm proof of destruction across primary, backup, and sub-processor systems within a stated SLA.
• Confirm transition support is available for a defined window post-termination, with a published rate card.
• Confirm there is no contractual barrier to migrating prompts, intents, retrieval content, or call logs to another platform.

DPA clauses the customer should not concede

The list of clauses that, in practice, are negotiable and worth holding the line on. These are the ones that materially change risk exposure rather than legal hygiene.

Disqualifying answers

• Cannot or will not name the model provider for ASR, LLM, and TTS.
• Default is to train on customer data with opt-out (not opt-in).
• Sub-processor list provided but change-notification SLA is undefined.
• Breach notification SLA starts at 'disclosure decision' rather than 'confirmation'.
• Exit clause has no SLA on data export or no proof-of-destruction obligation.
• Cross-border transfer mechanism is 'we'll provide SCCs at signature' rather than the actual document attached.