Sonant AI Icon

Alejandrina Gonzalez

What to ask an AI phone vendor about SOC 2 and GDPR before you buy

6 min read

Insurance Compliance

|
Publish date ·
2026
|
Last updated ·
2026
Ten SOC 2 and GDPR procurement questions for an AI phone vendor at an insurance agency.

What to ask an AI phone vendor about SOC 2 and GDPR before you buy is a shorter list than the compliance pages suggest: ten questions, asked in writing, with the answers attached to the contract. An AI phone vendor will process PII (personally identifiable information) on every call your agency receives: names, premiums, VINs, claims detail: which makes its security posture your security posture. The vendor's marketing will say "enterprise-grade security"; the questions below establish what that actually means, starting with the distinction most buyers miss: SOC 2 Type 1 versus Type 2 are very different documents, and only one of them is the bar.

Key Takeaways

  • SOC 2 Type 1 is a snapshot; Type 2 is an audited period of 6–12 months: Type 2 is the procurement bar
  • GDPR matters to US-only agencies more than they think: commercial books carry EU-resident exposure
  • Ask the ten questions in writing; verbal demo assurances are not procurement artifacts
  • Three answers end the evaluation immediately: no shareable report, no breach-notification commitment, no data-deletion process
  • For PE-backed or acquisition-minded agencies, the vendor's posture appears in your own diligence

Type 1 vs Type 2: the distinction that filters the field

SOC 2 is the AICPA framework auditing a vendor's controls across security, availability, processing integrity, confidentiality, and privacy. The type distinction is the whole game: Type 1 says the controls were designed properly on one day; Type 2 says an auditor watched them operate over 6–12 months. A vendor waving "SOC 2 compliant" without specifying is usually waving a Type 1: ask which, ask for the report under NDA, and read the exceptions section, because that is where the honest findings live.

Want Sonant's Type 2 report under NDA? → Talk to Sonant

Why GDPR is not just a European problem

A US-only agency carries more GDPR surface than it assumes: commercial accounts with EU-resident employees on the policy, traveling insureds, and data-processing chains that cross borders through subprocessors. A vendor with a documented GDPR posture has necessarily done the underlying work: data mapping, right-to-erasure processes, processing records, subprocessor governance: which protects every client in the book, not just the European ones. GDPR readiness is a proxy for data discipline; its absence is a proxy for the opposite.

The ten questions, in writing

  1. Which SOC 2 type do you hold, and will you share the report under NDA? (Type 2 or keep looking)
  2. What were the exceptions in your last Type 2 report, and what changed? (Every honest report has some)
  3. Is data encrypted at rest and in transit, and to what standards? (AES-256 / TLS 1.2+ as the floor)
  4. Where does our data reside, and does it cross borders through subprocessors?
  5. What is your audit log retention period, and can we export our logs?
  6. What is your breach-notification commitment, in hours, in the MSA?
  7. What is your penetration-test cadence, and by whom? (Annual third-party minimum)
  8. Can you provide a current subprocessor list with notification of changes?
  9. What is the data-deletion process at contract end, and how is it certified?
  10. Do you offer a HIPAA BAA if our commercial book requires one?

Here is what a passing answer looks like next to the answer that should end the evaluation.

Question
Answer that passes
Answer that ends the evaluation
Which SOC 2 type, and will you share the report under NDA?
Type 2, shared under NDA on request
"We can't share the report"
Is data encrypted at rest and in transit?
AES-256 at rest, TLS 1.2+ in transit
No stated standards
What is your breach-notification commitment, in hours?
A defined hours window in the MSA
"Depends on the situation"
What is the data-deletion process at contract end?
Documented process, certified
"Data deletion happens automatically," no certification
Penetration-test cadence, and by whom?
Annual third-party minimum
No third-party testing
Can you provide a current subprocessor list with change notification?
Current list, notification of changes
No list maintained

The three answers that end the demo

Most weak answers warrant follow-up; three end the evaluation. "We can't share the report": a vendor that holds a real Type 2 shares it under NDA routinely; refusal means there is nothing to share. "Breach notification timing depends on the situation": without a contractual hour commitment, your own notification obligations to clients and regulators become unmanageable. "Data deletion happens automatically" with no certification process: unverifiable deletion is indistinguishable from retention. The NAIC's AI governance direction is converging on documented accountability for exactly these mechanics: vendors without answers now will be vendors with problems later.

Three red-flag vendor answers that should end an AI phone vendor evaluation.

Why this matters double for acquisition-minded agencies

If your agency is PE-backed or within five years of a sale, the vendor's posture becomes your diligence exhibit: acquirers increasingly ask how policyholder PII flows through your stack, and "our AI phone vendor, here is their Type 2 and our DPA" is a clean answer that "we never asked" is not. The compliance questions are also operational ones: the verification guardrails and audit logs that satisfy SOC 2 are the same machinery that protects the book daily. The Sonant Consumer AI Readiness Report adds the client-side note: policyholders extend trust to agencies that can articulate how their data is protected: the posture is marketable, not just defensive.

1

Vendor SOC 2 Type 2 + GDPR Posture

Ask the ten questions in writing; attach answers to the contract

2

Agency's Data-Processing Agreement with Vendor

Your DPA documents how policyholder PII flows through their stack

3

Acquisition Diligence Package

"Our AI phone vendor, here is their Type 2 and our DPA" is a clean answer

How Sonant answers the ten

Sonant holds SOC 2 Type 2 with the report shareable under NDA, documents its GDPR posture, encrypts at rest (AES-256) and in transit (TLS 1.2+), commits breach-notification timing contractually, maintains a published subprocessor process, runs third-party penetration testing on an annual cadence, certifies data deletion at contract end, and offers HIPAA BAAs where commercial books require them. Every call writes to the audit log and the AMS (agency management system) within 60 seconds across EZLynx, Applied Epic, HawkSoft, AMS360, QQCatalyst, Momentum, AgencyZoom, and Zywave. Output: ten questions, ten written answers, attached to the contract where they belong.

The practical takeaway for the agency heading into vendor demos

What to ask an AI phone vendor about SOC 2 and GDPR before you buy: confirm Type 2 (not Type 1) with the report under NDA, probe the GDPR posture as a data-discipline proxy, put all ten questions in writing, and walk on the three red-flag answers. The vendor processing every call your clients make should clear a higher bar than the software running your calendar: hold them to it before the contract, because afterward their posture is yours.

Want the ten answers in writing this week? Book a Sonant demo →

Related reading

Alejandrina Gonzalez

Co-founder & CTO

Frequently asked questions

What's the difference between SOC 2 Type 1 and Type 2?

Type 1 audits control design at a point in time; Type 2 audits controls operating over 6–12 months. Type 2 is the procurement standard for vendors handling client PII.

Does my US-only agency really need to care about GDPR?

More than expected: commercial books carry EU-resident exposure, and a vendor's GDPR posture is the best available proxy for overall data discipline.

Is it normal to ask a vendor for their SOC 2 report?

Completely: vendors with real Type 2 reports share them under NDA as routine procurement. Refusal is itself the answer.

What breach-notification window should the contract specify?

A defined commitment in hours (commonly 24–72) in the MSA: "as appropriate" is not a window, it is a liability transfer to you.

Do I need a HIPAA BAA from an AI phone vendor?

If your commercial book touches healthcare-adjacent accounts, yes: confirm availability before signing, not after the account asks.

Who at my agency should own these questions?

The owner or operations lead, in writing, with answers filed alongside the contract: this is a 90-minute exercise that becomes a diligence asset.

Get the latest insights on
Agency Growth