Security & Compliance

Learn how Weflow protects your data from SOC 2 Type II certification and encryption to data residency, PII handling, and recording consent.


How does Weflow handle personal data and PII from sales conversations?

Weflow is GDPR compliant (headquartered in Germany, with server infrastructure in Frankfurt), CCPA compliant, SOC 2 Type II certified with continuous re-certification since 2021, and HIPAA compliant with signed Business Associate Agreements available for healthcare organizations. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), with role-based access control and least privilege principles applied across all systems.

For conversation intelligence, Weflow applies multi-layer consent controls before any PII is captured:

  • Pre-meeting email opt-in/opt-out so participants can decline recording before the call starts
  • In-meeting chat notice with the option to remove the notetaker during the call
  • Immediate and permanent deletion of the recording if removal is triggered, with no recovery possible
  • On Zoom, the notetaker sits in the lobby and must be admitted by the host before it can join

Recap emails are sent only to internal participants, never to external attendees.

Weflow maintains a Zero Data Retention policy for AI processing, meaning AI providers do not store your data after processing. Your data is never used to train Weflow's AI models. AI processing runs through AWS Bedrock and internally trained LLMs within strict security protocols, with no sensitive data stored or processed outside Salesforce.

You can configure custom data retention policies to define exactly how long recordings are stored. Weflow also supports regional data residency across EU, US, or APAC regions via AWS and Google Cloud hosting, so you control where your data lives.

How secure are my recordings and data in Weflow?

Your recordings and data are protected by multiple layers of certification, encryption, and access control. Weflow holds SOC 2 Type II certification, continuously audited since 2021, and CASA Tier 2 certification from TAC Security. Weflow is compliant with GDPR, CCPA, and HIPAA. ISO 27001 certification is in progress (coming soon, announced early 2026).

For healthcare organizations, Weflow signs Business Associate Agreements (BAAs) with US-only data storage and access restrictions. All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.

Weflow enforces role-based access control (RBAC) with least-privilege permissions, mandatory SSO/MFA for all internal and customer-facing systems, and supports SSO/SAML via Okta. Infrastructure runs on AWS and Google Cloud, with your choice of EU, US, or APAC regions. Daily encrypted backups are stored across geographically diverse locations.

On the AI side, Weflow maintains a zero data retention policy, meaning AI providers don't retain your data after processing. Your data is never used to train Weflow's models. AI processing runs through AWS Bedrock and internally trained LLMs, with no sensitive data stored or processed outside Salesforce.

Additional controls include:

  • Continuous third-party penetration testing and automated vulnerability scanning
  • Configurable consent flows for GDPR and CCPA compliant call recording
  • Microsoft Teams opt-in/opt-out via pre-meeting email, with immediate permanent deletion if a participant removes the notetaker
  • Data deletion tools for compliance requests
  • Regular audits by Microsoft and PwC for sensitive Google Workspace scopes

Does Weflow undergo regular third-party security audits?

Yes. Weflow's third-party audit program covers multiple layers, starting with SOC 2 Type II certification that has been continuously audited and re-certified multiple times since 2021. This is an ongoing commitment to independent verification of data security controls, not a one-time checkbox.

Weflow maintains several additional third-party audit and testing programs:

  • Annual third-party penetration tests, plus continuous ongoing penetration testing by an independent auditor
  • Regular audits by Microsoft (for the Microsoft Entra ID app) and PwC (for sensitive Google Workspace scopes)
  • CASA Tier 2 Certification, security certified by TAC Security
  • Continuous automated vulnerability scans with swift remediation
  • Static code analysis, dependency scanning, and regular code reviews as part of a Secure Software Development Life Cycle

Weflow uses Vanta for security and compliance operations, which provides continuous monitoring against SOC 2 controls rather than relying solely on point-in-time assessments. ISO 27001 certification is currently in progress (announced, will be available soon).

If your security or procurement team needs documentation, detailed reports and compliance artifacts are available at trust.getweflow.com. Weflow's infrastructure runs on AWS and Google Cloud with TLS 1.2+ encryption in transit and AES-256 at rest, and you can select EU, US, or APAC hosting regions to meet your data residency requirements.

Where does Weflow store customer data — what regions and data centers?

Weflow runs on AWS and Google Cloud infrastructure with region options in the EU, US, and APAC. European customers default to Frankfurt, Germany, where Weflow is headquartered. The transcription service for European customers also runs through the Frankfurt region for GDPR alignment.

US customers can store data in US-based data centers, with HIPAA BAA terms available for healthcare organizations. For APAC-specific data residency requirements, contact the Weflow team directly to confirm available regions and configurations. Weflow is not FedRAMP certified, so it won't meet US federal agency requirements.

Your activity data, including emails, meetings, and contacts, is written permanently to native Salesforce objects in your own Salesforce instance. Weflow doesn't create a proprietary data silo. If you stop using Weflow, all captured data stays in Salesforce.

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Daily encrypted backups are maintained across geographically diverse locations. AI processing uses a zero data retention policy, meaning AI providers don't retain your data, and Weflow doesn't use your data to train its models.

Weflow's data centers comply with the following frameworks relevant to procurement and legal review:

  • EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework
  • AWS and Google Cloud Data Processing Agreements (DPAs)
  • GDPR compliance with Frankfurt data residency
  • HIPAA compliance with BAAs and restricted US-only access under BAA terms
  • CCPA compliance
  • SOC 2 Type II certification, continuously audited since 2021

How does Weflow comply with data localization requirements in different countries?

Weflow is headquartered in Germany and hosts infrastructure for European customers in Frankfurt, so your data stays in the EU by default if you're a European organization. Transcription processing also runs through the Frankfurt region for GDPR alignment. If you need data stored in other European regions, Weflow supports that based on your preference.

Weflow runs on AWS and Google Cloud, letting you select EU, US, or APAC hosting regions. Cross-border data transfers are covered by EU Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, and Data Processing Agreements (DPAs) with both AWS and Google Cloud.

For healthcare organizations that need HIPAA compliance, Weflow signs Business Associate Agreements (BAAs). Under BAA terms, recordings are stored in the US, and no engineer outside the US can access that data, even for troubleshooting. All personnel with BAA access follow HIPAA protocol, including signed policies and awareness training.

AI processing adds no residency risk. Weflow maintains a zero data retention policy for AI processing, uses AWS Bedrock and internally trained LLMs, and does not use your data to train models. No sensitive data is stored or processed outside your Salesforce instance.

Compliance coverage that supports localization requirements:

  • GDPR and CCPA compliance with configurable consent flows for call recording
  • SOC 2 Type II certification, continuously audited since 2021
  • Custom data retention policies to match your regulatory requirements
  • ISO 27001 certification in progress (announced, will be available in 2026)

If you're in a regulated industry or need to confirm region availability for a specific jurisdiction, contact Weflow directly to verify coverage for your use case.

How does Weflow secure recorded calls, transcripts, and CRM data?

Weflow encrypts data in transit with TLS 1.2+ and at rest with AES-256. Access is controlled through role-based access control (RBAC) with least-privilege permissions. All internal and customer-facing systems require SSO and MFA.

Weflow holds SOC 2 Type II certification, continuously audited and re-certified since 2021, along with CASA Tier 2 certification from TAC Security. Weflow is GDPR, CCPA, and HIPAA compliant, and signs Business Associate Agreements (BAAs) with healthcare customers. ISO 27001 certification is in progress (announced, will be available soon). Regular audits are conducted by Microsoft and PwC, and third-party penetration testing runs continuously alongside automated vulnerability scans.

For AI processing, Weflow maintains a zero data retention policy, meaning AI providers don't retain your data. Weflow does not use your data to train its models. AI processing runs through AWS Bedrock and internally trained LLMs, with no sensitive data stored or processed outside Salesforce.

Weflow supports data residency in EU, US, and APAC regions via AWS and Google Cloud. European customers can store data in Frankfurt, where the transcription service also runs for GDPR alignment.

For call recording consent, Weflow provides configurable consent flows per meeting platform. On Microsoft Teams, participants receive a pre-meeting email to opt in or out, plus an in-call chat option to remove the notetaker. If someone removes it, the recording is permanently deleted and can't be recovered.

How is Weflow data access controlled internally (roles, permissions, SSO, MFA)?

Weflow controls data access through a three-tier permission model: Limited Access, Full Access, and Admin. Limited Access users can only see their own data in forecasting and analytics, plus direct reports as defined in Salesforce. Full Access users can see all forecasting and analytics data. Admins get the same visibility plus access to the admin console for managing users, teams, and configurations.

Weflow mandates SSO and MFA for all internal and customer-facing systems. For customer teams, Weflow supports SSO/SAML via Okta, with centralized access managed through Microsoft Entra ID or Google Workspace apps. Both can be restricted to specific organizational units, so access can be limited to just a sales or CS team.

Automated user provisioning is supported. Users can be enrolled individually, by Salesforce profile, or dynamically by querying the Salesforce User object with WHERE clauses.

Internally, Weflow enforces role-based access control (RBAC) with a least privilege principle, meaning systems and personnel only get the minimum permissions required. Weflow also respects existing Salesforce configuration out of the box, including field-level permissions, validation rules, and role hierarchy. A user doesn't need to be a Salesforce admin to hold Admin permissions in Weflow.

Granular controls extend to specific workflows:

  • Forecast submission and adjustment permissions are configurable per user or team
  • Views and AI templates can be assigned to specific teams
  • Contact creation can be restricted at the user level
  • Weflow AI recording access follows permissions defined in both Salesforce and Weflow

All of this is managed from a self-service admin console, backed by SOC 2 Type II certification.

How does Weflow ensure data segregation between different customer tenants?

Weflow's primary segregation mechanism is architectural. Your captured activity data is stored permanently in your own Salesforce instance as native objects (Task, Event, EmailMessage), not in a shared Weflow database. Each tenant's data lives inside their own Salesforce org, so isolation is inherited from Salesforce's own multi-tenant security model.

Weflow respects your existing Salesforce permissions, role hierarchy, field-level security, and validation rules out of the box. If a user can't see a record in Salesforce, they can't see it in Weflow either. This extends to Weflow AI features, where users only access recordings and data their Salesforce and Weflow permissions allow.

Weflow enforces strict Role-Based Access Control (RBAC) and follows the least privilege principle internally, so Weflow personnel and systems only maintain the minimum permissions required. All data is encrypted with TLS 1.2+ in transit and AES-256 at rest. Weflow also maintains audit logging and real-time monitoring across the platform.

For AI processing, Weflow uses AWS Bedrock and internally trained LLMs with a zero data retention policy, meaning AI providers do not retain your data. Weflow does not use customer data to train its models.

These controls are validated through the following:

  • SOC 2 Type II certification, continuously audited since 2021
  • Regular penetration testing by a third-party auditor
  • Audits by Microsoft and PwC

For detailed infrastructure-level isolation documentation, you can request Weflow's security materials directly from the security team.

How does Weflow handle consent for recording sales calls in different regions?

Weflow gives you three configurable consent modes for call recording:

  • None: recording starts immediately once the bot is admitted
  • Opt-In: recording only begins after at least one participant actively consents via a confirmation link
  • Opt-Out: recording starts immediately, but any participant can opt out at any time, which removes the bot and permanently deletes the recording

Both Opt-In and Opt-Out modes include pre-meeting email notifications sent to external participants. In the Opt-In flow, participants receive an email one hour before the meeting with a consent button. If they take no action, the notetaker may join but won't record anything. They can also block the notetaker from joining entirely.

In the Opt-Out flow, the email informs participants the meeting may be recorded and includes a link to opt out before it starts. If no one opts out, recording begins when the host admits the bot.

Participants can change their consent preference at any time, before or during the meeting, and changes take effect immediately. On Microsoft Teams, an in-call chat message provides an additional mechanism to remove the notetaker, which triggers immediate and permanent deletion of the recording. On Zoom, the notetaker sits in the lobby until the host admits it.

Admins can customize the consent message and rename the bot (for example, "Company Notetaker" instead of "AI Notetaker"). Weflow stores all consent records in a downloadable CSV file for documentation purposes.
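The three consent modes and the immediate-deletion rule described above, modelled as a small state machine. This is an added illustration, not Weflow's code: the class, state and action names are constructed here, and withdrawing consent mid-call in Opt-In mode is assumed to behave like an opt-out (bot removed, recording deleted).

```python
from dataclasses import dataclass, field
from enum import Enum
import csv
import io


class Mode(Enum):
    NONE = "none"        # record as soon as the host admits the bot
    OPT_IN = "opt_in"    # record only after at least one participant consents
    OPT_OUT = "opt_out"  # record on admission unless someone opts out


class State(Enum):
    WAITING = "waiting"                            # bot still in the lobby
    RECORDING = "recording"
    JOINED_NOT_RECORDING = "joined_not_recording"  # Opt-In, nobody consented
    BLOCKED = "blocked"                            # bot blocked from joining
    REMOVED = "removed"                            # bot removed, recording deleted


TERMINAL = {State.BLOCKED, State.REMOVED}  # no recovery from these states


@dataclass
class ConsentSession:
    """Constructed model of one meeting's consent state (not Weflow's code)."""
    mode: Mode
    state: State = State.WAITING
    admitted: bool = False
    consented: set = field(default_factory=set)
    # consent records, exported as CSV later: (participant, action, state)
    log: list = field(default_factory=list)

    def _apply(self, who, action):
        """Recompute the recording state after an action and log the result."""
        if self.state not in TERMINAL:
            if not self.admitted:
                self.state = State.WAITING
            elif self.mode is Mode.OPT_IN and not self.consented:
                self.state = State.JOINED_NOT_RECORDING
            else:
                self.state = State.RECORDING
        self.log.append((who, action, self.state.value))
        return self.state

    def admit(self):
        """Host admits the notetaker from the lobby (no effect once blocked)."""
        if self.state is State.BLOCKED:
            return self._apply("host", "admit_refused")
        self.admitted = True
        return self._apply("host", "admit")

    def consent(self, who):
        """Opt-In: participant uses the consent link; effective immediately."""
        if self.mode is not Mode.OPT_IN:
            raise ValueError("consent links are only sent in Opt-In mode")
        self.consented.add(who)
        return self._apply(who, "consent")

    def block(self, who):
        """Opt-In: participant blocks the notetaker from joining at all."""
        if self.mode is not Mode.OPT_IN or self.admitted:
            raise ValueError("block is a pre-meeting Opt-In control")
        self.state = State.BLOCKED
        return self._apply(who, "block")

    def opt_out(self, who):
        """Opt-out link or in-call removal: bot leaves, recording is deleted."""
        # Assumption: withdrawing Opt-In consent mid-call is handled the same way.
        if self.mode is Mode.NONE and not self.admitted:
            raise ValueError("None mode sends no pre-meeting opt-out link")
        self.consented.discard(who)
        self.state = State.REMOVED
        return self._apply(who, "opt_out")

    def export_consent_csv(self):
        """Consent records as CSV text, one row per action, for documentation."""
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["participant", "action", "resulting_state"])
        writer.writerows(self.log)
        return buf.getvalue()
```

Note that REMOVED and BLOCKED are terminal: a later admit() cannot restart recording, which is the property a reviewer should check when validating a consent flow.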

Compliance standing relevant to recording consent:

  • Weflow is SOC 2 Type II certified
  • Weflow is GDPR compliant
  • Weflow is CCPA compliant
  • Data storage is available in Frankfurt for European organizations

One important caveat: Weflow's documentation states that compliance with your local privacy laws is your responsibility, not Weflow's. You should work with your legal team to determine which consent mode fits the jurisdictions you operate in.

Does Weflow provide a trust center or security portal with compliance documentation?

Yes. Weflow maintains a dedicated Trust Center at trust.getweflow.com where you can access compliance documentation, certifications, audit reports, and details on security controls. It's built for both prospects running security due diligence and existing customers who need ongoing access to compliance records.

The Trust Center covers the certifications and frameworks Weflow holds today:

  • SOC 2 Type II, continuously audited and re-certified since 2021
  • GDPR and CCPA verified compliance
  • HIPAA compliance, with Business Associate Agreements available for healthcare organizations
  • CASA Tier 2 certification by TAC Security
  • ISO 27001 certification (announced, will be available soon)

The portal also documents Weflow's operational security practices. These include TLS 1.2+ encryption in transit, AES-256 encryption at rest, continuous third-party penetration testing, role-based access control, mandatory SSO and MFA, and a secure SDLC with static code analysis and dependency scanning.

Weflow maintains a zero data retention policy for AI processing and does not use your data to train its models. Weflow uses Vanta for security and compliance operations, and undergoes regular audits by Microsoft and PwC for sensitive Google Workspace scopes. Infrastructure runs on AWS and Google Cloud with region selection across EU, US, and APAC.

If you need anything not covered in the Trust Center, reach out to security@getweflow.com.

How long does Weflow retain conversation recordings and transcripts?

Weflow retains conversation recordings for the duration of your active contract plus a 90-day grace period after the contract ends. Once that 90-day window closes, recordings are no longer available on the Weflow platform.

If you need a shorter retention window to meet compliance requirements like HIPAA, you can define a custom retention policy with Weflow. For example, you can request that recordings be automatically deleted after a specific number of months. Under HIPAA BAA terms, recordings are stored in the US, and no engineer outside the US can access the data, even for troubleshooting.

Weflow also syncs conversation data directly into your Salesforce instance. AI summaries are written to the Event object's Description field, and full transcripts are stored in a custom Salesforce object called Weflow Video Recording, installed via the managed package. This data persists in your Salesforce org regardless of your Weflow contract status, so there's no data lock-in.

Weflow enforces a Zero Data Retention policy for AI processing, meaning AI providers do not retain your data. If a participant removes the Weflow notetaker during a Microsoft Teams meeting, the recording is immediately and permanently deleted with no option to recover it. Contact Weflow directly to configure a custom retention policy for your org.

Does Weflow share customer data with any third parties or sub-processors?

Weflow does not share your data with AI providers in any persistent way. AI processing uses AWS Bedrock and internally trained LLMs under a zero data retention policy, meaning AI providers do not store or retain your data after processing. Weflow does not use your data to train its AI models. No sensitive data is externally stored or processed beyond your Salesforce instance.

For cloud infrastructure, Weflow uses AWS and Google Cloud, both governed by formal Data Processing Agreements (DPAs) and EU Standard Contractual Clauses (SCCs). You can select EU, US, or APAC hosting regions. All third-party vendors are evaluated for compliance before integration, and Weflow's data centers adhere to the EU-US Data Privacy Framework.

Sub-processor access controls are strict. Weflow holds SOC 2 Type II certification, continuously audited since 2021, and is GDPR and CCPA compliant. Weflow is also HIPAA compliant with signed Business Associate Agreements for healthcare customers.

Under HIPAA BAA terms, no engineer outside the US can access customer data, and all personnel with access follow HIPAA protocol including signed policies and awareness training. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+), and internal access follows role-based access control with least-privilege permissions.

For a complete, current list of sub-processors, contact Weflow directly or reference the Data Processing Agreement available through your account team. The sub-processor list is maintained as part of Weflow's DPA and updated when vendors change.

Can Weflow meet our enterprise security questionnaire requirements?

Yes. Weflow is built to pass enterprise security reviews. Most questionnaires map to categories where Weflow already holds certifications or has documented controls in place.

Weflow's current certifications and audit standing: SOC 2 Type II (continuously audited since 2021), HIPAA compliant with signed BAAs, GDPR and CCPA compliant, and CASA Tier 2 certified by TAC Security. ISO 27001 certification is in progress (coming Q4 2026).

Here's what maps to the most common questionnaire categories:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access controls: Role-based access control (RBAC), least privilege enforcement, mandatory SSO and MFA for all internal and customer-facing systems, SSO via Okta, and automated user provisioning.
  • AI data handling: Zero data retention by AI providers, no customer data used to train models, processing runs on AWS Bedrock and internally trained LLMs within strict privacy protocols.
  • Vulnerability management: Annual third-party penetration tests, continuous automated vulnerability scans, and a secure SDLC with static code analysis and dependency scanning.
  • Incident response: Documented and regularly tested incident response plans, audit logging, and real-time monitoring.
  • Data residency: Hosted on AWS and Google Cloud with EU, US, or APAC region selection. European customers can use Frankfurt-based infrastructure. Data centers comply with EU SCCs, DPAs, and the EU-US Data Privacy Framework.
  • Vendor risk management: Third-party vendors are evaluated for compliance before integration, with regular audits by Microsoft and PwC.

Weflow uses Vanta for continuous compliance monitoring. For detailed documentation, audit reports, and policy artifacts, visit the Weflow Trust Center.

How does Weflow handle data retention, deletion, and portability if you terminate the contract?

All activity data Weflow captures is written to native Salesforce objects: EmailMessage, Task, Event, and Contact. If you terminate your contract, that data stays in your Salesforce instance permanently. You own it, you control it, and you can continue to report on it, use it in Flows, or export it to a data warehouse for analysis in tools like Tableau or Power BI.

Unlike some activity capture providers that store data in proprietary custom objects, Weflow avoids vendor lock-in by design. AI summaries persist in Salesforce Event Description fields, field updates remain in the Salesforce fields where they were pushed, and transcripts stay in the Weflow Video Recording custom object installed via the managed package. The only Weflow-specific artifact left after cancellation is one managed package custom object with three fields used for event reconciliation, which you can keep or remove at your discretion.

One exception applies to meeting recordings hosted on Weflow. Recordings are available for the duration of your active contract plus 90 days. After that window, recordings are no longer accessible on Weflow, though any transcripts already synced to Salesforce remain intact.

Weflow is GDPR and CCPA compliant. You can request full account deletion by emailing support@getweflow.com, and individual data erasure requests under GDPR's right to erasure are honored. Weflow maintains a zero data retention policy for AI processing, meaning no AI provider retains your data, and Weflow does not use your data to train its models.

What documentation does Weflow provide that my IT/security team will want to see?

Start with the Weflow Trust Center, which serves as the central hub for all security and compliance documentation your IT team will need during vendor review.

Weflow holds SOC 2 Type II certification, continuously audited and re-certified since 2021, along with CASA Tier 2 certification from TAC Security. HIPAA compliance is in place, and Weflow signs Business Associate Agreements (BAAs) with healthcare customers. GDPR and CCPA compliance documentation is available, including EU Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) for both AWS and Google Cloud. ISO 27001 certification is in progress (announced, will be available soon).

Your security team can request documentation covering these areas:

  • Third-party penetration test reports, covering annual pen tests plus continuous automated vulnerability scans
  • Encryption standards: TLS 1.2+ in transit, AES-256 at rest
  • Role-Based Access Control (RBAC) and least privilege policies for all systems and personnel
  • Incident response plans, tested regularly, with daily encrypted backups across geographically diverse locations
  • Vendor risk management process for third-party integrations
  • AI data handling policy: zero data retention by AI providers, no customer data used for model training
  • Secure SDLC documentation including static code analysis, dependency scanning, and code review processes

Weflow is regularly audited by Microsoft (for the Entra ID app) and PwC (for sensitive Google Workspace scopes), and uses Vanta for ongoing compliance operations. For specific documentation requests or custom security questionnaires, reach out to security@getweflow.com.

What's the best way to get my InfoSec team comfortable with Weflow?

Start with the Weflow Trust Center, which is built for exactly this. It contains current certifications, audit reports, and security documentation your InfoSec team can review without waiting on anyone.

Weflow holds SOC 2 Type II certification, continuously audited and re-certified since 2021. Weflow is HIPAA compliant with BAAs available, and is GDPR and CCPA compliant. CASA Tier 2 certification is verified by TAC Security, and ISO 27001 certification is in progress for 2026 (announced, will be available soon). Weflow also undergoes regular audits by Microsoft and PwC for sensitive Google Workspace scopes.

On the technical controls side, your InfoSec team will want to know these specifics:

  • Encryption via TLS 1.2+ in transit and AES-256 at rest
  • Role-based access control (RBAC) with least-privilege enforcement
  • Mandatory SSO/SAML (Okta supported) and MFA for all systems
  • Continuous third-party penetration testing and automated vulnerability scanning
  • Secure SDLC with static code analysis, dependency scanning, and regular code reviews
  • Data hosting on AWS and Google Cloud with EU, US, or APAC region selection (Frankfurt for European customers)

For AI-specific concerns: Weflow maintains a zero data retention policy for AI processing, and your data is never used to train models. AI processing runs through AWS Bedrock and internally trained LLMs within strict privacy protocols. All captured activity data is stored in native Salesforce objects, not in a proprietary silo.

For security questionnaires, BAA requests, or DPA reviews, reach out directly at security@getweflow.com. Weflow uses Vanta for compliance operations, which speeds up questionnaire turnaround.
