From 159bc319e80763580a81c9dfdff866c44469febd Mon Sep 17 00:00:00 2001 From: Sahil Naphade Date: Wed, 5 Feb 2025 10:39:11 -0600 Subject: [PATCH 1/4] Adding PCI compliance changes --- fern/docs.yml | 2 + fern/security-and-privacy/PCI.mdx | 84 +++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 fern/security-and-privacy/PCI.mdx diff --git a/fern/docs.yml b/fern/docs.yml index 67b23a358..3afd5da69 100644 --- a/fern/docs.yml +++ b/fern/docs.yml @@ -120,6 +120,8 @@ navigation: path: enterprise/onprem.mdx - page: HIPAA Compliance path: security-and-privacy/hipaa.mdx + - page: PCI Compliance + path: security-and-privacy/PCI.mdx - link: SOC-2 Compliance href: https://security.vapi.ai/ - page: Support diff --git a/fern/security-and-privacy/PCI.mdx b/fern/security-and-privacy/PCI.mdx new file mode 100644 index 000000000..65a8a9d21 --- /dev/null +++ b/fern/security-and-privacy/PCI.mdx 
@@ -0,0 +1,84 @@ +--- +title: PCI Compliance +subtitle: Ensure secure payment data handling while using Vapi’s voice assistant platform. +slug: security-and-privacy/pci +--- + + +## Introduction to Security at Vapi + +At Vapi, we prioritize the security of your data without compromising the quality of our voice assistant services. Protecting sensitive information, especially financial data, is at the core of our mission. + +Our robust security policies and practices ensure you have complete control over your data while accessing all the capabilities of our platform. + +## Understanding PCI Compliance + +The Payment Card Industry Data Security Standard (PCI DSS) is a global framework designed to protect credit card information. Any organization processing, storing, or transmitting cardholder data must comply with PCI DSS to ensure that sensitive financial data is securely handled. +Key requirements for PCI compliance include: + +- Securing data collection, transmission, and storage. +- Implementing strong access control measures. +- Regularly monitoring and testing systems to prevent breaches. + +## PCI Compliance on Vapi’s Platform + +By default, Vapi enables call recording, logging, and transcription features to enhance service quality. However, handling sensitive payment card data requires additional precautions. + +### How We Ensure Security + +When PCI compliance is enabled: + +- **Cloud Storage and Webhooks**: You can choose to store recordings in a PCI DSS Level 1 compliant cloud storage solution (AWS S3, Azure Blob Storage, or Google Cloud Storage) and receive transcripts through your webhook. + +- **No Retention Without Configuration**: If no cloud storage or webhook is specified, recordings and transcripts are permanently deleted to avoid retaining sensitive data. + + +## How to Enable PCI Compliance +If your organization handles payment data, you can enable PCI compliance by updating your assistant’s configuration. + +#### Configuration Steps: +1. 
Log in to your Vapi account and navigate to your assistant’s settings. +2. Enable the PCI Compliance toggle. +3. Select the PCI-compliant Model, Voice, and Transcriber options for your assistant. +4. Configure **cloud storage credentials** for storing call recordings. +5. Set up **webhooks** for receiving transcriptions. + + + +If either cloud storage or webhook is not configured, the respective data will not be stored and cannot be retrieved. + + +Example configuration for `PCI compliant` assistant is: +```JSON +{ + "pciEnabled": true +} +``` +Note: The default value for pciEnabled is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. + +## Can PCI be used alongside HIPAA? +Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case, the restrictions from both compliances will apply, meaning that no recordings or transcripts will be stored or transmitted, even if you have specified cloud storage endpoints or webhooks for storing transcripts. + +## FAQs + +**Q: Will enabling PCI compliance affect the quality of Vapi’s service?** + +A: Enabling PCI compliance does not degrade the quality of the voice assistant services. +However, it restricts you to use only the PCI-compliant endpoints, while limiting access to certain features, such as reviewing call logs, recordings or transcriptions, within the Vapi platform. +If the cloud storage endpoints are enabled, you can review the audio recordings in your own storage environment. The recordings follow naming convention: + +``` +call_ID-recording.wav +``` + +**Q: Who should use the PCI compliance feature?** + +A: This feature is particularly useful for businesses and organizations that handle sensitive payment information and must comply with PCI regulations. + +**Q: Can I switch between default and PCI-compliant settings?** + +A: Yes, users can toggle the `pciEnabled` setting as needed. 
However, we recommend carefully considering the implications of each option on your data security and compliance requirements. + +## Need Further Assistance? + +If you have more questions about security, privacy, PCI compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at security@vapi.ai for personalized assistance and more information on how to make the most of Vapi’s voice assistant platform while ensuring your data remains protected. From 36d49f5df6b329bbd8c9439b49695dc430966378 Mon Sep 17 00:00:00 2001 From: Sahil Naphade Date: Wed, 5 Feb 2025 11:18:18 -0600 Subject: [PATCH 2/4] Adding cloudflare to PCI compliant storage providers --- fern/security-and-privacy/PCI.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fern/security-and-privacy/PCI.mdx b/fern/security-and-privacy/PCI.mdx index 65a8a9d21..bdc9019bc 100644 --- a/fern/security-and-privacy/PCI.mdx +++ b/fern/security-and-privacy/PCI.mdx @@ -28,7 +28,7 @@ By default, Vapi enables call recording, logging, and transcription features to When PCI compliance is enabled: -- **Cloud Storage and Webhooks**: You can choose to store recordings in a PCI DSS Level 1 compliant cloud storage solution (AWS S3, Azure Blob Storage, or Google Cloud Storage) and receive transcripts through your webhook. +- **Cloud Storage and Webhooks**: You can choose to store recordings in a PCI DSS Level 1 compliant cloud storage solution (AWS S3, Azure Blob Storage, Google Cloud Storage or Cloudflare R2) and receive transcripts through your webhook. - **No Retention Without Configuration**: If no cloud storage or webhook is specified, recordings and transcripts are permanently deleted to avoid retaining sensitive data. From 41f8f0b7ceeb00f433ac72cc7cdc37e1b651b6b6 Mon Sep 17 00:00:00 2001 
From: Sahil Naphade Date: Wed, 5 Feb 2025 11:35:55 -0600 Subject: [PATCH 3/4] Explicit clarification of cloud storage endpoints --- fern/security-and-privacy/PCI.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fern/security-and-privacy/PCI.mdx b/fern/security-and-privacy/PCI.mdx index bdc9019bc..98e333376 100644 --- a/fern/security-and-privacy/PCI.mdx +++ b/fern/security-and-privacy/PCI.mdx @@ -40,8 +40,8 @@ If your organization handles payment data, you can enable PCI compliance by upda 1. Log in to your Vapi account and navigate to your assistant’s settings. 2. Enable the PCI Compliance toggle. 3. Select the PCI-compliant Model, Voice, and Transcriber options for your assistant. -4. Configure **cloud storage credentials** for storing call recordings. -5. Set up **webhooks** for receiving transcriptions. +4. [Optional] Configure cloud storage credentials for storing call recordings. If you have any of the storage endpoint credentials, they will be used to push the recordings. +5. [Optional] Set up **webhooks** for receiving transcriptions. @@ -54,7 +54,7 @@ Example configuration for `PCI compliant` assistant is: "pciEnabled": true } ``` -Note: The default value for pciEnabled is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. +Note: The default value for `pciEnabled` is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. ## Can PCI be used alongside HIPAA? Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case, the restrictions from both compliances will apply, meaning that no recordings or transcripts will be stored or transmitted, even if you have specified cloud storage endpoints or webhooks for storing transcripts. 
@@ -65,7 +65,7 @@ Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case A: Enabling PCI compliance does not degrade the quality of the voice assistant services. However, it restricts you to use only the PCI-compliant endpoints, while limiting access to certain features, such as reviewing call logs, recordings or transcriptions, within the Vapi platform. -If the cloud storage endpoints are enabled, you can review the audio recordings in your own storage environment. The recordings follow naming convention: +If any cloud storage endpoints are provided, you can review the audio recordings in your own storage environment. The recordings follow naming convention: ``` call_ID-recording.wav From 3323dafe48dee0e428eb0956ef3e27633f6db538 Mon Sep 17 00:00:00 2001 From: Sahil Naphade Date: Wed, 5 Feb 2025 23:52:01 -0600 Subject: [PATCH 4/4] Updating the docs --- fern/security-and-privacy/PCI.mdx | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fern/security-and-privacy/PCI.mdx b/fern/security-and-privacy/PCI.mdx index 98e333376..34f4ee7ef 100644 --- a/fern/security-and-privacy/PCI.mdx +++ b/fern/security-and-privacy/PCI.mdx 
@@ -51,10 +51,12 @@ If either cloud storage or webhook is not configured, the respective data will n Example configuration for `PCI compliant` assistant is: ```JSON { - "pciEnabled": true + "compliancePlan": { + "pciEnabled": true + } } ``` -Note: The default value for `pciEnabled` is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. +Note: The default value for `compliancePlan.pciEnabled` is false. Activating this setting aligns your assistant with PCI DSS standards by ensuring data is securely transmitted without being stored on Vapi’s systems. ## Can PCI be used alongside HIPAA? Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case, the restrictions from both compliances will apply, meaning that no recordings or transcripts will be stored or transmitted, even if you have specified cloud storage endpoints or webhooks for storing transcripts. @@ -65,10 +67,10 @@ Yes, you can enable both HIPAA and PCI compliance for an assistant. In this case A: Enabling PCI compliance does not degrade the quality of the voice assistant services. However, it restricts you to use only the PCI-compliant endpoints, while limiting access to certain features, such as reviewing call logs, recordings or transcriptions, within the Vapi platform. -If any cloud storage endpoints are provided, you can review the audio recordings in your own storage environment. The recordings follow naming convention: +If any cloud storage endpoints are provided, you can review the audio recordings in your own storage environment. The recordings follow the naming convention: ``` -call_ID-recording.wav +---.wav ``` **Q: Who should use the PCI compliance feature?**
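Review bot: [PATCH 1/4, fern/docs.yml hunk] the new entry `path: security-and-privacy/PCI.mdx` uses an upper-case filename while the neighbouring `security-and-privacy/hipaa.mdx` and the new page's own `slug: security-and-privacy/pci` are lower-case; name the file `pci.mdx` so the path, the slug and the sibling page agree and the navigation link does not depend on a case-insensitive filesystem.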
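Review bot: [PATCH 1/4, fern/security-and-privacy/PCI.mdx hunk] the "How We Ensure Security" bullets say recordings go to your cloud storage and transcripts arrive "through your webhook", but the page never states the transport or authentication requirements for that webhook (HTTPS, how the receiver verifies the caller), nor that by the page's own definition any organization "processing, storing, or transmitting cardholder data" is in PCI DSS scope, which includes the customer's bucket and webhook receiver once recordings and transcripts are sent there; add a sentence to that section saying so. Smaller points in the same hunk: steps 4 and 5 ("Configure **cloud storage credentials**", "Set up **webhooks**") read as mandatory while the preceding "No Retention Without Configuration" bullet treats both as optional; step 3 names "PCI-compliant Model, Voice, and Transcriber options" without saying where that list is published; and in the FAQ "it restricts you to use only the PCI-compliant endpoints" should read "restricts you to using only".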
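Review bot: [PATCH 2/4] adding Cloudflare R2 keeps the phrasing "a PCI DSS Level 1 compliant cloud storage solution", which reads as if the provider's attestation alone makes the stored recordings compliant; the bucket's access-control and encryption settings are the customer's responsibility, so reword along the lines of "cloud storage from a PCI DSS Level 1 provider (AWS S3, Azure Blob Storage, Google Cloud Storage, or Cloudflare R2), configured by you to meet the access-control requirements listed above". The new list also drops the serial comma ("Google Cloud Storage or Cloudflare R2") that the earlier wording used.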
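Review bot: [PATCH 3/4, first hunk] the added sentence "If you have any of the storage endpoint credentials, they will be used to push the recordings" is ambiguous when credentials for more than one provider are present: state whether recordings are pushed to every configured provider or to one, and which one takes precedence, since a forgotten credential set would otherwise silently receive cardholder data. Also, step 4 lost the bold on "cloud storage credentials" while step 5 kept "**webhooks**"; make the two steps consistent.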
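Review bot: [PATCH 3/4, second hunk] the Note now puts `pciEnabled` in code formatting but leaves "is false" in plain text; the value should be formatted the same way as the key (`false`) so it matches the JSON example directly above it.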
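Review bot: [PATCH 4/4, first hunk] the example and the Note now use `compliancePlan.pciEnabled`, but the FAQ answer "users can toggle the `pciEnabled` setting as needed" (unchanged since PATCH 1/4) still uses the bare key, so the page documents two names for one setting; update the FAQ in the same change. The Note's claim that activating the flag "aligns your assistant with PCI DSS standards" also overstates what a toggle does, since the same page says data is only not retained when storage and webhooks are left unconfigured and that enabling HIPAA alongside it overrides those endpoints; "supports your PCI DSS obligations by not storing recordings or transcripts on Vapi's systems" is closer to what the hunk describes.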
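Review bot: [PATCH 4/4, second hunk] the replacement naming-convention line `---.wav` contains no visible placeholders, so a reader cannot tell what the four dash-separated fields are; if angle-bracket placeholders were stripped by MDX, spell the fields out in words (for example as a short list under the fence) rather than relying on `<...>` inside a code block, because the line it replaces, `call_ID-recording.wav`, at least told the reader that the call ID is part of the name.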