.avif)
What to ask an AI phone vendor about SOC 2 and GDPR before you buy is a shorter list than the compliance pages suggest: ten questions, asked in writing, with the answers attached to the contract. An AI phone vendor will process PII (personally identifiable information) on every call your agency receives: names, premiums, VINs, claims detail: which makes its security posture your security posture. The vendor's marketing will say "enterprise-grade security"; the questions below establish what that actually means, starting with the distinction most buyers miss: SOC 2 Type 1 versus Type 2 are very different documents, and only one of them is the bar.
Key Takeaways
- SOC 2 Type 1 is a snapshot; Type 2 is an audited period of 6–12 months: Type 2 is the procurement bar
- GDPR matters to US-only agencies more than they think: commercial books carry EU-resident exposure
- Ask the ten questions in writing; verbal demo assurances are not procurement artifacts
- Three answers end the evaluation immediately: no shareable report, no breach-notification commitment, no data-deletion process
- For PE-backed or acquisition-minded agencies, the vendor's posture appears in your own diligence
Type 1 vs Type 2: the distinction that filters the field
SOC 2 is the AICPA framework auditing a vendor's controls across security, availability, processing integrity, confidentiality, and privacy. The type distinction is the whole game: Type 1 says the controls were designed properly on one day; Type 2 says an auditor watched them operate over 6–12 months. A vendor waving "SOC 2 compliant" without specifying is usually waving a Type 1: ask which, ask for the report under NDA, and read the exceptions section, because that is where the honest findings live.
Want Sonant's Type 2 report under NDA? → Talk to Sonant
Why GDPR is not just a European problem
A US-only agency carries more GDPR surface than it assumes: commercial accounts with EU-resident employees on the policy, traveling insureds, and data-processing chains that cross borders through subprocessors. A vendor with a documented GDPR posture has necessarily done the underlying work: data mapping, right-to-erasure processes, processing records, subprocessor governance: which protects every client in the book, not just the European ones. GDPR readiness is a proxy for data discipline; its absence is a proxy for the opposite.
The ten questions, in writing
- Which SOC 2 type do you hold, and will you share the report under NDA? (Type 2 or keep looking)
- What were the exceptions in your last Type 2 report, and what changed? (Every honest report has some)
- Is data encrypted at rest and in transit, and to what standards? (AES-256 / TLS 1.2+ as the floor)
- Where does our data reside, and does it cross borders through subprocessors?
- What is your audit log retention period, and can we export our logs?
- What is your breach-notification commitment, in hours, in the MSA?
- What is your penetration-test cadence, and by whom? (Annual third-party minimum)
- Can you provide a current subprocessor list with notification of changes?
- What is the data-deletion process at contract end, and how is it certified?
- Do you offer a HIPAA BAA if our commercial book requires one?
Here is what a passing answer looks like next to the answer that should end the evaluation.
The three answers that end the demo
Most weak answers warrant follow-up; three end the evaluation. "We can't share the report": a vendor that holds a real Type 2 shares it under NDA routinely; refusal means there is nothing to share. "Breach notification timing depends on the situation": without a contractual hour commitment, your own notification obligations to clients and regulators become unmanageable. "Data deletion happens automatically" with no certification process: unverifiable deletion is indistinguishable from retention. The NAIC's AI governance direction is converging on documented accountability for exactly these mechanics: vendors without answers now will be vendors with problems later.
.avif)
Why this matters double for acquisition-minded agencies
If your agency is PE-backed or within five years of a sale, the vendor's posture becomes your diligence exhibit: acquirers increasingly ask how policyholder PII flows through your stack, and "our AI phone vendor, here is their Type 2 and our DPA" is a clean answer that "we never asked" is not. The compliance questions are also operational ones: the verification guardrails and audit logs that satisfy SOC 2 are the same machinery that protects the book daily. The Sonant Consumer AI Readiness Report adds the client-side note: policyholders extend trust to agencies that can articulate how their data is protected: the posture is marketable, not just defensive.
How Sonant answers the ten
Sonant holds SOC 2 Type 2 with the report shareable under NDA, documents its GDPR posture, encrypts at rest (AES-256) and in transit (TLS 1.2+), commits breach-notification timing contractually, maintains a published subprocessor process, runs third-party penetration testing on an annual cadence, certifies data deletion at contract end, and offers HIPAA BAAs where commercial books require them. Every call writes to the audit log and the AMS (agency management system) within 60 seconds across EZLynx, Applied Epic, HawkSoft, AMS360, QQCatalyst, Momentum, AgencyZoom, and Zywave. Output: ten questions, ten written answers, attached to the contract where they belong.
The practical takeaway for the agency heading into vendor demos
What to ask an AI phone vendor about SOC 2 and GDPR before you buy: confirm Type 2 (not Type 1) with the report under NDA, probe the GDPR posture as a data-discipline proxy, put all ten questions in writing, and walk on the three red-flag answers. The vendor processing every call your clients make should clear a higher bar than the software running your calendar: hold them to it before the contract, because afterward their posture is yours.
Want the ten answers in writing this week? Book a Sonant demo →
Related reading

Co-founder & CTO




