Compliance & security
Built for compliance from day one.
Calling Round is designed to operate within Australian aged care governance frameworks. This page documents our data residency position, sub-processor list, breach notification obligations, retention defaults, and audit trail: the questions your CFO, Quality Manager, and legal team will ask before a panel decision.
Your data stays in Australia.
Client profile data and all structured call records (summaries, call notes, topic tags, and audit entries) are stored in Supabase Postgres running in the AWS Sydney region (ap-southeast-2). This data does not leave Australia at rest.
Voice processing is handled by a chain of US-based sub-processors during a call. Audio is transmitted to and processed by Vapi, Twilio, Deepgram, and ElevenLabs. This is disclosed to participants at the start of each call. Under APP 8 of the Privacy Act 1988, Calling Round takes reasonable steps to ensure each overseas sub-processor handles personal information consistently with Australian Privacy Principles.
Post-call summaries are generated by Anthropic's Claude via direct API call and written back to the Sydney Supabase instance immediately. Anthropic does not retain call transcripts beyond the duration of the API request.
At rest
Sydney, Australia
Supabase Postgres in AWS ap-southeast-2. Client profiles, call records, summaries, call notes, audit log.
In transit (voice calls)
United States (transient)
Audio routed via Twilio, transcribed by Deepgram, synthesised by ElevenLabs, orchestrated by Vapi. None retain data after call completion.
Post-call inference
United States (transient)
Call transcript sent to Anthropic for summary generation. Not retained by Anthropic beyond the API request.
Application hosting
Global edge (Vercel)
The Calling Round web application is served from Vercel's global edge network. No participant personal data is stored on Vercel infrastructure.
Encrypted at rest, TLS in transit, role-based access.
Calling Round is built to HIPAA technical safeguards even though we operate under Australian privacy law today. The standard does not change with the jurisdiction. Every layer that touches participant data meets the controls below.
Encryption at rest
AES-256
All personally identifiable information and health data stored in Supabase is encrypted at rest with AES-256. No exceptions for convenience or cost.
Encryption in transit
TLS 1.2 minimum, TLS 1.3 where available
No plaintext transmission of any personal or health data at any layer. Applies to provider browser sessions, sub-processor connections, webhook callbacks, and internal service calls.
Access control
Role-based, least privilege
No engineer, operator, or staff member has more access than their role requires. Provider, care manager, and administrator roles are scoped to the records they need and nothing else.
Production database access
Logged and audited
Every read or write to a participant record is captured with timestamp, actor, and change description. The same audit trail is exportable by providers without a request to Calling Round.
Our sub-processors, disclosed in full.
Every third-party service that handles personal information on behalf of Calling Round is listed below. This list is current as of May 2026 and updated whenever a sub-processor is added or removed. Providers are notified of material changes with 30 days' notice.
Calling Round operates Vapi with Zero Data Retention (ZDR) enabled. Vapi retains no call recordings, transcripts, or chat data on its infrastructure. Under ZDR, Deepgram and ElevenLabs also process audio transiently with no retention.
Supabase
AWS ap-southeast-2 (Sydney)
Purpose
Structured data storage: client profiles, call records, summaries, audit log
Personal data handled
Client name, phone number, profile notes, call summaries, call notes
Retention
Duration of provider contract + 7 years
Supabase Data Processing Agreement
Vapi
United States
Purpose
Voice AI orchestration: manages the outbound call, connects sub-processors, handles end-of-call events. Zero Data Retention enabled.
Personal data handled
Client phone number, audio stream during call, call transcript
Retention
Not retained after end-of-call event is delivered to Calling Round webhook
Vapi Terms of Service, DPA on request
Twilio
United States
Purpose
Telephony: originates the outbound call to the participant's phone number
Personal data handled
Client phone number, call metadata (duration, timestamps)
Retention
Twilio standard call log retention: 13 months
Twilio Data Protection Agreement
Deepgram
United States
Purpose
Speech-to-text: transcribes the live call audio in real time
Personal data handled
Audio stream during call
Retention
Not retained after transcription is complete
Deepgram Data Processing Agreement
ElevenLabs
United States
Purpose
Text-to-speech: synthesises the voice of the AI caller
Personal data handled
No participant personal data. Only AI-generated text response is sent.
Retention
Not applicable
ElevenLabs Data Processing Agreement
Anthropic
United States
Purpose
LLM inference: generates post-call summaries from the call transcript
Personal data handled
Call transcript including participant name and conversation content
Retention
Not retained beyond the API request
Anthropic Usage Policy, enterprise DPA available on request
Vercel
Global edge
Purpose
Application hosting: serves the Calling Round web application
Personal data handled
IP addresses and request metadata only. No participant personal data stored.
Retention
Standard Vercel log retention: 1 day for edge logs
Vercel Data Processing Addendum
Retention defaults
Different data classes have different retention periods based on their sensitivity, their usefulness over time, and obligations under Australian law. All defaults below apply unless a provider specifies otherwise in their service agreement.
| Data type | Default retention |
|---|---|
| Client profiles | Duration of provider contract |
| Call summaries and call notes | 7 years from call date |
| Raw call transcripts | 2 years from call date |
| Audio recordings | 30 days from call date |
| Audit log entries | 7 years |
| Care manager access logs | 2 years |
| Participant data on contract termination | 90 days post-termination |
Providers may request shorter retention periods for any data class, subject to minimum legal obligations. Custom retention schedules are configured in the service agreement. Contact darius@callinground.com.au to discuss.
Breach notification
Calling Round operates under the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach likely to result in serious harm to any affected individual, we are obliged to notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable.
Within 72 hours
Provider notification
We notify the affected provider within 72 hours of becoming aware of a suspected eligible data breach: nature of breach, data types affected, likely consequences, and steps taken or proposed.
Within 30 days
OAIC assessment
We complete our assessment of whether the breach is eligible under the NDB scheme within 30 days of becoming aware, as required by the Privacy Act.
Without delay
Individual notification
If the breach is eligible, we work with the provider to notify affected individuals as soon as practicable, providing information about the breach and available remedial steps.
Security contact
Report suspected security incidents or data breaches to security@callinground.com.au. We acknowledge within 4 business hours.
Audit trail and regulator requests
Calling Round is not a regulated aged care provider. The provider deploying Calling Round is the regulated entity under the Aged Care Act 1997 and holds the obligations with the Aged Care Quality and Safety Commission (ACQSC). Calling Round is technology infrastructure.
When a regulator requests records, the provider needs to be able to produce them. Calling Round is built to make that possible.
What the audit log captures
- Every outbound call: timestamp, participant ID, duration, completion status
- Every care manager dashboard access: who accessed which client record and when
- Every data export: who requested it, when, what was included
- Every configuration change: who made it, what changed
- Every note added for the care team: when it was added, when the care manager reviewed it
- Every profile update: field changed, previous and new value, by whom
How to produce records for a regulator
- Export directly from the provider dashboard, no request to Calling Round required
- Filter by participant, date range, or interaction type
- Export formats: structured CSV and human-readable PDF
- A single export covers all interactions for a participant across any date range
- For bulk or formal regulator requests, contact your account manager. Delivered within 5 business days.
- The provider remains the regulated entity and provides records to ACQSC under their own obligations
The audit log is append-only and immutable. No entry can be edited or deleted, including by Calling Round staff. The integrity of the audit trail cannot be dependent on any party's discretion.
Calling Round is a tool. Your organisation is the registered provider.
Calling Round is not a registered aged care provider. We provide technology infrastructure that enables registered providers to deliver Individual social support services under their own registration, governance, and quality frameworks.
What stays with the provider
- The provider remains the registered provider of record for all services delivered using Calling Round
- Care managers retain oversight of participant welfare and care plan decisions
- The provider's quality and compliance obligations under the Aged Care Quality Standards remain unchanged
- Providers are responsible for obtaining participant consent before any calls are delivered
What Calling Round provides
- Technology infrastructure for delivering or processing phone-based social contact
- Call transcripts and call notes that flow into the provider's governance workflows
- A complete audit trail for every participant interaction, exportable for claim review or ACQSC audit
- Documentation and disclosure templates to support the provider's consent and compliance processes
Participants are informed. Consent is explicit.
Calling Round supports providers in meeting their consent obligations under the Australian Privacy Act 1988 and the Aged Care Quality Standards.
What participants are told
- That they will receive phone-based social contact as part of their support plan
- That calls are delivered by an AI voice system on behalf of their provider
- That calls are recorded and transcribed for care record purposes
- That they can opt out at any time by contacting their care manager
How consent is obtained
Providers obtain explicit consent from participants (or their authorised representative) during the support plan discussion, before any calls are delivered.
Calling Round provides a consent disclosure template for providers to incorporate into their standard onboarding process. Contact us to request the current template.
Aligned to the Aged Care Quality Standards.
Calling Round is designed with the strengthened Aged Care Quality Standards (2024) in mind.
Standard 1
The person
Every call is tailored to the participant's care plan goals. Calling Round does not deliver generic content.
Standard 2
The organisation
Calling Round supports provider governance through comprehensive audit trails, call notes, and care manager oversight workflows.
Standard 5
Clinical care
Calling Round is not a medical service. It supports phone-based social contact and places urgent matters into the care manager review workflow.
Standard 6
Food, nutrition and hydration
Not applicable.
Standard 7
The residential community
Applicable for residential deployments where the provider chooses to use Calling Round for resident engagement records.
Questions? We'll answer them directly.
If your CFO, Quality Manager, or legal team has questions not answered on this page, contact us directly. We respond to provider compliance questions within one business day.