SmartAlex Trust & Security Overview
1. Purpose and scope
This Trust and Security Overview describes the organisational and technical measures that THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", or "our"), implements to protect Customer Data and the SmartAlex platform. It is written for the security, privacy, and procurement teams who assess SmartAlex as a vendor, and it is intended to support enterprise due diligence alongside our other legal and compliance materials.
This Overview applies to the SmartAlex platform, websites, applications, and APIs (together, the Services or the Platform) and to the data processed through them. It is a public summary, not a contract. It does not vary, limit, or extend the commitments in our Terms of Service, our Data Processing Addendum, or any order form or master agreement. Where this Overview and those documents differ, those documents prevail.
SmartAlex is a multi-tenant business-to-business platform on which our business customers configure AI voice agents that place and receive telephone calls, run outbound campaigns, manage contacts, and view analytics. The Platform records and transcribes calls, processes the resulting audio and transcripts with speech and language AI, and bills by subscription. Because the Platform records voice, this Overview covers measures that apply specifically to call audio, transcripts, and the voice characteristics they may contain, in addition to the general measures expected of an enterprise SaaS provider.
2. Definitions
Capitalised terms used but not defined in this Overview have the meaning given in our Terms of Service and our Data Processing Addendum. The following terms are used throughout.
- Customer or you: the business that contracts for the Services.
- End User: an individual the Customer interacts with through the Services, including a call recipient or a contact in a Customer's records.
- Customer Data: data the Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, transcripts, recording metadata, contacts, messages, knowledge bases, and configuration.
- Personal Data: information relating to an identified or identifiable individual.
- Special-category data: Personal Data of the kinds listed in Article 9 of the GDPR, and the analogous special personal information under the South African Protection of Personal Information Act (POPIA), which can include the content of a call and, where voice is used to identify a person, biometric data.
- Subprocessor: a third party we engage to process Personal Data on our behalf in providing the Services.
- Controller and Processor: as defined in the GDPR.
- Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
3. Our role and the shared responsibility model
Security on the Platform is shared. We secure the Platform and the infrastructure on which it runs. The Customer secures its own use of the Platform: its account, its users, the lawfulness of its calling and recording, and the data it chooses to load.
3.1 Our data-protection roles
For the content of calls and for contact data, SmartAlex acts as the Customer's Processor and processes that data only on the Customer's documented instructions. For account, billing, security, fraud-prevention, and product-analytics data, SmartAlex acts as an independent Controller. This allocation is stated consistently in our Privacy Policy and our Data Processing Addendum.
3.2 What we are responsible for
- The security of the application, the database, and the infrastructure that hosts them.
- Tenant isolation, encryption, access control over our own personnel, monitoring, backups, and incident response.
- The diligence and contractual control of our Subprocessors.
3.3 What the Customer is responsible for
- Configuring its account securely, including enabling two-factor authentication, managing its own users and roles, and protecting its credentials and API keys.
- Obtaining all legally required consents for calling, recording, transcription, and the processing of any special-category or biometric data, and giving End Users the notices required by law. These obligations are set out in our Telephony and Call Recording Notice and our Acceptable Use Policy.
- Ensuring End Users are clearly told when they are interacting with an AI system, and not disabling that disclosure.
- The accuracy and lawfulness of the contacts and content it loads, and its use of any outputs the Platform produces.
4. Data classification
Data on the Platform is classified into four tiers, each with defined handling requirements. The table below summarises the tiers and the controls that apply to each.
| Tier | Examples | Handling requirements |
|---|---|---|
| Restricted | Secrets and credentials: API keys, database connection strings, signing keys, and Personal Data at scale. | Encrypted at rest with envelope encryption; access strictly role-limited and logged; never copied into non-production environments. |
| Confidential | Customer Data, including call recordings, transcripts, contacts, messages, knowledge bases, and configuration. | Encrypted at rest; access mediated by row-level security tied to the Customer tenant; access by our personnel only on the limited grounds in the Access controls section. |
| Internal | Operational logs, performance metrics, and aggregate usage statistics. | Access limited to authorised SmartAlex personnel with a business need. |
| Public | Marketing material, public legal documents, and this Overview. | No access controls. |
Call audio and transcripts are treated as Confidential and may contain special-category data. Where they do, the handling controls in this Overview apply, and the Customer remains responsible for establishing a lawful condition for that processing and for giving End Users the required notices.
5. Encryption
5.1 Encryption in transit
All connections between Customer browsers, mobile applications, and the Platform are encrypted using TLS 1.2 or higher, with modern cipher suites and HTTP Strict Transport Security applied to our web origins. Connections to our Subprocessors (including our cloud infrastructure providers, our telephony and real-time voice infrastructure providers, our speech and language AI providers, and our payment processor, Stripe) are encrypted using TLS 1.2 or higher. Internal service-to-service calls within our hosting environment are encrypted in transit. The full list of our Subprocessors, with their real legal names, is set out in our Subprocessor List.
5.2 Encryption at rest
Customer Data at rest is encrypted using AES-256-GCM through the storage-layer encryption provided by our infrastructure Subprocessors. Application-level secrets (API keys and vault entries) are held in an authenticated encryption vault that uses envelope-encrypted keys. Backups are encrypted with the same primitives as the primary store.
5.3 Key management
Encryption keys are managed within the key-management services of our infrastructure Subprocessors. Application secrets are not stored in source code, are not written to logs, and are injected into runtime environments at deploy time. Access to key material and to the secrets vault is limited to the minimum set of automated systems and named personnel required to operate the Platform, and is logged.
6. Access controls
6.1 Customer access and tenant isolation
Customer access to the Platform is governed by per-tenant role-based access control. Each Customer organisation has its own roles (for example super-admin, admin, and member, plus any others the Customer configures). Cross-tenant access is structurally prevented by Postgres row-level-security policies enforced at the database level, so that one Customer's queries cannot reach another Customer's data even in the event of an application-layer error. Tenant isolation is a primary control and is exercised in our testing.
6.2 SmartAlex personnel access
Access by SmartAlex personnel to Customer Data follows the principle of least privilege.
- Production database access is limited to a small set of named engineers, gated through multi-factor authentication, and audited.
- Routine support investigations use service-role tooling that records the operating engineer's identity and the records accessed.
- Production access is reviewed quarterly, and the access of departing personnel is revoked on the day of departure.
SmartAlex personnel may access Customer Data only to deliver the Services, to troubleshoot a specific issue, to prevent or address fraud or abuse, or to comply with law. We do not access Customer Data for any other purpose, and we do not use the content of Customer calls or transcripts to train our own models.
6.3 Authentication
Customer authentication supports email and password, OAuth single sign-on, and time-based one-time-password ("TOTP") two-factor authentication. Passwords are stored only as salted hashes. We strongly recommend that all Customer administrators enable two-factor authentication, and it is mandatory on some Enterprise plans. Session tokens are issued under cryptographically rotating signing keys, are scoped to the tenant, and expire after a defined period of inactivity.
7. Infrastructure and data residency
SmartAlex runs on a managed Postgres database with edge-function compute, serverless compute for ancillary backend workflows, managed web hosting, and a content-delivery and DNS layer that also provides bot management. The full list of the Subprocessors that operate this infrastructure is set out in our Subprocessor List.
Customer Data is hosted with our cloud infrastructure providers in the region identified in our Subprocessor List, and backups are retained in the same region, independent of the primary cluster. The cross-border transfer safeguards that apply when Customer Data moves outside the EEA, the United Kingdom, or Switzerland (the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss addendum, and the supplementary measures described in this Overview) are set out in the international transfers clause of our Data Processing Addendum. A copy of the relevant safeguards is available on request to privacy@getsmartalex.com.
Production and staging environments are strictly separated. Production credentials, secrets, and Customer Data never flow into staging or development environments. Test data used in non-production environments is synthetic.
8. Network and platform security
The Platform is protected at the edge by a content-delivery network that provides distributed denial-of-service mitigation, web application firewalling, rate limiting, and bot management. Device-level signals are used to detect and prevent signup fraud and automated abuse at registration. Administrative interfaces are not exposed to the public internet beyond the authenticated application, and infrastructure management consoles are protected by multi-factor authentication.
We apply secure-by-default configuration to our hosting environment, restrict inbound and outbound traffic to what the Platform requires, and monitor for configuration drift. Public-facing endpoints are subject to input validation and output encoding to defend against injection and cross-site scripting.
9. Security of the voice and AI pipeline
Because the Platform records and transcribes calls and processes the audio with speech and language AI, we apply specific controls to that pipeline.
- Live call media is carried over our real-time voice infrastructure provider under encryption in transit, and recordings and transcripts are stored as Confidential data under the controls in this Overview.
- Audio and transcripts sent to our speech and language AI Subprocessors are processed to provide the Services only. Those Subprocessors are contractually bound not to use Customer call content to train their models, and data sent through their APIs is excluded from model training.
- Voice may constitute biometric data where it is used to identify an individual. We process such data only on the Customer's instructions, and the Customer is responsible for establishing the lawful condition and giving the notices required for special-category and biometric data.
- SmartAlex does not make solely automated decisions that produce legal or similarly significant effects on End Users. The AI is used for call handling, routing, transcription, qualification, and analytics under Customer control, and the Customer is responsible for any decision it takes on the basis of the outputs.
- End Users must be told clearly when they are interacting with an AI system, and the Customer must keep that disclosure enabled.
10. Software development lifecycle
All code changes are reviewed before merging to the production branch. Automated checks include static analysis, AI-assisted code review, dependency-vulnerability scanning, secret-scanning, and provider-name disclosure prevention. Database schema changes follow a migration-first workflow with rollback paths, and releases are versioned and revertible. Changes are deployed through controlled pipelines, and higher-risk changes are tested against a staging environment before release.
We separate duties so that the person who authors a change is not the only person able to approve and ship it. We use an application performance monitoring and error-tracking service; error reports are scrubbed to remove Personal Data where reasonably possible before they are captured.
11. Penetration testing and vulnerability management
We run dependency-vulnerability scanning and static analysis continuously as part of our development lifecycle (see Software development lifecycle, above), and we operate a public route for good-faith finders to report issues (see Reporting a vulnerability, below). Independent penetration tests are conducted periodically and before major releases, and remediation is tracked to closure. We triage reported and discovered vulnerabilities by severity and target remediation timelines according to that severity, with critical issues prioritised for prompt fixing. Summary penetration-test results are available to qualified Customers and prospects under non-disclosure on request to security@getsmartalex.com.
12. Logging and monitoring
We log application, infrastructure, and access events and retain them for operational and security purposes. Logs are used to detect anomalous behaviour, to investigate suspected incidents, and to support audit. Administrative and production-data access by our personnel is recorded with the identity of the operator and the records accessed. We do not write secrets or full Customer call content to operational logs.
13. Backup and disaster recovery
The Postgres database is backed up daily, with point-in-time recovery available within the retention window provided by our database Subprocessor. Backups are encrypted with the same primitives as the primary store and are stored in regional storage independent of the primary cluster. Recovery procedures are tested as part of operational drills. We maintain recovery objectives for the Platform and review them as the Platform evolves; specific recovery-time and recovery-point objectives are available to qualified Customers under non-disclosure on request to security@getsmartalex.com.
14. Incident response
SmartAlex maintains a documented incident response runbook covering detection, triage, containment, eradication, recovery, and post-incident review. Roles, escalation paths, and communication responsibilities are defined in advance.
- If we become aware of a Security Incident affecting Customer Data, we will notify affected Customers without undue delay and in line with the timelines set out in our Data Processing Addendum, and we will provide the information the Customer reasonably needs to meet its own obligations.
- Where required, we will assist Customers with their own statutory notifications, for example the seventy-two (72) hour supervisory-authority notification that a Controller must make under GDPR Article 33, and any notification required of a responsible party under POPIA.
- Post-incident reviews focus on the systemic conditions that allowed the incident, not on individual blame, and corrective actions are tracked to closure.
To report a suspected Security Incident, contact security@getsmartalex.com.
15. Vendor and subprocessor risk management
Every third party that touches Customer Data is reviewed for its security and compliance posture before engagement and at least annually thereafter. The review covers regulatory certifications, data-processing terms, sub-subprocessor disclosures, breach-notification commitments, transfer safeguards, and termination obligations.
We engage each Subprocessor under written terms that impose data-protection obligations no less protective than those we owe to Customers, including confidentiality, security, and assistance with data-subject requests and incidents. We maintain a current list of Subprocessors, with their roles and locations, in our Subprocessor List, where Customers may subscribe to be notified of changes and may object to a new Subprocessor as set out in our Data Processing Addendum. A more detailed vendor risk register is available to qualified Customers and prospects under non-disclosure on request to security@getsmartalex.com.
16. Personnel security
SmartAlex personnel sign confidentiality undertakings as a condition of employment and complete data-protection and security training on joining and at least annually thereafter. Background checks are performed where lawful and proportionate to the role. Access for personnel is provisioned on a need-to-know basis, reviewed periodically, and revoked promptly on a change of role or departure. Personnel use company-managed devices and authenticate to internal systems with multi-factor authentication.
17. Data retention and deletion
We retain Customer Data for as long as the Customer's account is active and as needed to provide the Services, and then in line with the periods or criteria below. Where Customer-configurable retention is available, the Customer may set shorter periods. On termination, Customer Data is deleted or returned in line with our Data Processing Addendum, subject to limited retention required by law and to removal from backups in the ordinary backup cycle.
| Data category | Retention |
|---|---|
| Account and profile data | For the life of the account, then deleted or anonymised after closure subject to legal retention. |
| Call recordings and transcripts | For the period set by the Customer in its configuration, or for the life of the account where no shorter period is set, then deleted. |
| Contacts and knowledge bases | For the life of the account, or until deleted by the Customer. |
| Billing and transaction records | As required to meet tax, accounting, and audit obligations, typically several years. |
| Security, access, and audit logs | For a limited period proportionate to security and operational needs. |
| Backups | For the rolling backup window, after which data ages out of backup media. |
Customers and End Users can exercise data-subject rights as described in our Privacy Policy and our Data Subject Access Request Procedure.
18. Business continuity and availability
The Platform runs on managed, resilient infrastructure with redundancy at the database, compute, and edge layers. We monitor availability and performance and maintain procedures to respond to outages. Planned maintenance is scheduled to minimise disruption, and material incidents affecting availability are communicated to affected Customers. Specific availability commitments, where offered, are set out in the applicable order form or service-level terms rather than in this Overview.
19. Compliance certifications and assurance
SmartAlex's compliance posture is in active development. SmartAlex does not currently hold its own SOC 2 or ISO 27001 attestation, and we never imply that it does. We are working towards SOC 2 Type II readiness. The SOC 2 and ISO 27001 reports we reference below are those of our infrastructure Subprocessors, not our own.
We design and operate the Platform to support our Customers' compliance with the data-protection laws that apply across the regions we serve, including the GDPR in the EEA, the UK GDPR and the Data Protection Act 2018, the Personal Data Protection Act in Singapore, applicable United States federal and state privacy laws, and POPIA in South Africa. Our processing commitments are set out in our Data Processing Addendum and our regional notices.
We share the following with qualified Customers and prospects on request under non-disclosure.
- Our Data Protection Impact Assessment ("DPIA").
- Our supporting vendor risk materials, including our vendor risk register.
- Subprocessor security questionnaires and our infrastructure Subprocessors' SOC 2 and ISO 27001 reports.
- Summary penetration-test results and recovery objectives.
Our current status and any updated certifications are available from security@getsmartalex.com.
20. Reporting a vulnerability
Security researchers and good-faith finders are invited to report vulnerabilities through our Vulnerability Disclosure Policy. We commit to acknowledging reports promptly, working with the reporter on a coordinated-disclosure timeline, and not pursuing legal action against good-faith research conducted within the scope of that Policy.
21. Contact and entity details
For Customer security questions, due-diligence requests, or to request access to assurance documents under non-disclosure, contact security@getsmartalex.com. For privacy or data-subject questions, contact privacy@getsmartalex.com. For general enquiries, contact hello@getsmartalex.com.
SmartAlex is a trading name of THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914. This Overview is governed by the laws of Singapore.
This Trust and Security Overview is version 1.1 and is effective from 1 June 2026.