Your callers trust your firm with sensitive information. We treat that trust as a non-negotiable obligation. Here is exactly how caller data is captured, transmitted, and protected at every step.
Six steps, every one of them encrypted, every vendor independently certified.
Inbound call hits a U.S. carrier number provisioned through Twilio. Voice traffic is encrypted in transit via industry-standard TLS/SRTP.
Synthflow's AI agent handles the conversation on owned U.S. telephony infrastructure. Sarah is explicitly designed to capture only routing information — never medical details, diagnoses, medications, or PHI.
Before any text message is sent, Sarah asks an explicit SMS opt-in question. The caller's verbal response is recorded, timestamped, and logged. No SMS is ever sent without recorded affirmative consent — full TCPA compliance.
Call data flows over TLS-encrypted webhooks into n8n Cloud, an automation platform with AES-256 encryption at rest using a FIPS-140-2 compliant implementation. The compliance filter blocks any call without explicit consent from triggering downstream actions.
Caller information is delivered to your firm's Gmail inbox and a private Google Sheet log under your control. Data lives inside Google Workspace, which holds the strongest possible compliance posture.
If — and only if — the caller verbally opted in, a confirmation text is sent via Twilio's A2P 10DLC carrier-approved channel. STOP automatically opts the recipient out of all future messages.
Every platform in our data chain is independently audited and certified.
| Platform | Role | Certifications |
|---|---|---|
| Twilio | Voice + SMS carrier | SOC 2, ISO 27001, ISO 27017, ISO 27018, HIPAA, PCI DSS, GDPR, CCPA, NIST |
| Synthflow | AI voice agent | SOC 2, HIPAA, PCI DSS Level 1, ISO 27001, GDPR |
| n8n Cloud | Workflow automation | SOC 2 Type II, GDPR (DPA), AES-256 encryption at rest |
| Google Workspace | Email + data delivery | SOC 2, ISO 27001, ISO 27017, ISO 27018, HIPAA-eligible (with BAA) |
What we will and will not do with caller data, in writing.
Caller information is never sold, rented, or shared with marketing partners, lead brokers, or any third party for promotional purposes. Ever.
Caller conversations and case details are never used to train AI models — ours, our vendors', or anyone else's.
Sarah is explicitly programmed to never capture medical details, diagnoses, medications, SSNs, insurance numbers, or other sensitive identifiers. The attorney handles all of that directly.
No text message is sent without recorded, timestamped, affirmative verbal consent from the caller. Full TCPA-compliant audit trail.
AES-256 encryption at rest. TLS encryption in transit between every system. No exceptions.
A Data Processing Agreement is available for any firm that requests one, before client data flows through the system.
How we map to the regulations that matter for personal injury intake.
Verbal opt-in captured and logged before every SMS. STOP keyword auto-honored. Full consent audit trail per caller. A2P 10DLC carrier-registered messaging campaign.
Sarah is designed to never capture PHI (medical details, diagnoses, medications). Our system reduces your firm's HIPAA surface area rather than expanding it. Twilio and Google Workspace are HIPAA-eligible with BAAs available for firms that require them.
No sale or sharing of personal information. Right-to-delete supported. Privacy practices documented in our published Privacy Policy.
GDPR governs EU residents' data. For firms representing U.S.-based clients, GDPR generally does not apply. For firms with EU client exposure, we can discuss specific requirements.
All four vendors in our data chain (Twilio, Synthflow, n8n, Google Workspace) hold SOC 2 Type II certifications independently audited by third parties. QuickReply AI will pursue its own SOC 2 Type II certification as we scale.
We provide a signed Data Processing Agreement to any firm that requires one before client data flows through the system. Reach out and we will send the template the same day.
Request a DPASee also: Privacy Policy | Terms of Service
QUICKREPLY AI LLC | Wyoming, USA | Last updated: May 2026
This page describes our security architecture as of the date above. Compliance certifications listed reflect the published posture of our underlying vendors and are subject to change. We update this page when material changes occur.