Trust & Compliance — Continuously Monitored

Enterprise Trust
Built In, Not Bolted On.

Security, privacy, and AI governance are not afterthoughts at Anicalls — they are foundational architecture decisions. Every product, process, and AI deployment meets the highest global enterprise security and compliance standards.

ISO 27001: Certified
SOC 2 Type II: Certified
12+ Compliance Frameworks
99.99% Platform Uptime SLA
ISO 27001
SOC 2 Type II
GDPR
POPIA
EU AI Act Ready
HIPAA BAA
UAE DPL
PDPA / PDPL
Security Maturity

Enterprise Security Posture

Continuously Monitored
Identity & Access Management
96%
Data Protection & Privacy
98%
Threat Detection & Response
94%
Cloud Security Controls
97%
AI Governance & Explainability
92%
Regulatory Compliance Coverage
100%
Section 01

Data Privacy Framework

Anicalls processes enterprise data under a comprehensive privacy framework that meets the requirements of every jurisdiction in which we operate. Client data is never used to train AI models without explicit written consent.

  • Data minimisation and purpose limitation built into every AI agent
  • Client data processed only in contracted jurisdictions — no cross-border transfers without explicit DPA
  • Data retention policies: client data deleted within 30 days of contract termination
  • AES-256 encryption at rest, TLS 1.3 in transit
  • Data Processing Agreements (DPAs) available as standard with every contract
  • Privacy Impact Assessments (PIAs) completed for all AI deployments
Data Privacy at a Glance
AES-256
Encryption at Rest
TLS 1.3
In Transit
30 days
Data Deletion SLA
0
Cross-Border Transfers Without DPA
Section 02

Cyber Security

ISO 27001 certified. SOC 2 Type II certified. Continuous security monitoring, penetration testing, and zero-trust architecture across all systems.

Zero Trust Architecture
No implicit trust. Every user, device, and service must authenticate and authorise on every request. Network segmentation and microsegmentation throughout.
24/7 Security Operations
Dedicated SOC with real-time SIEM monitoring, automated threat detection and response, and escalation protocols. MTTR for critical incidents: under 4 hours.
Penetration Testing
Annual third-party penetration tests and quarterly vulnerability assessments. Results reviewed by the Board. All critical/high findings remediated within 30 days.
Access Control
Role-based access control (RBAC), privileged access management (PAM), MFA mandatory for all staff, SSO integration, and just-in-time (JIT) provisioning.
ISO 27001 Certified
Annual ISO 27001 surveillance audits. Full information security management system (ISMS) documented and Board-approved. Statement of Applicability available on request.
Cloud Security
Multi-cloud deployment on AWS, Azure, and GCP with CSA STAR-aligned cloud security controls. VPC isolation, encrypted S3/Blob storage, and cloud-native threat detection.
Section 03

GDPR Compliance

Anicalls is fully compliant with the EU General Data Protection Regulation (GDPR) and UK GDPR. We act as both Data Controller (for our own business processes) and Data Processor (when processing client data) — with appropriate legal bases documented for every processing activity.

All AI processing activities are mapped to documented lawful bases under GDPR Article 6 (and Article 9 for special categories). Contract performance, legitimate interest, and legal obligation bases documented for each processing activity.
Full data subject rights management: right of access (72-hour response SLA), right to erasure, right to rectification, right to restrict processing, data portability, and objection to automated decision-making. Dedicated privacy@anicalls.com request channel.
DPIAs conducted for all high-risk processing activities under GDPR Article 35. Results documented and shared with supervisory authority where required. DPO-reviewed before AI deployment go-live.
Personal data breach response procedure: clients notified within 24 hours of confirmed breach. Supervisory authority notification within 72 hours as required. Full incident documentation and remediation reporting.
GDPR Status
Article 30 Records: Maintained
DPO Appointed: Yes
SCCs Executed: Available
Breach SLA: 24 hrs
SAR Response: 72 hrs
Section 04

POPIA Compliance (South Africa)

Anicalls is fully compliant with South Africa's Protection of Personal Information Act (POPIA). As a B-BBEE Level 2 company with a Johannesburg GCC hub, POPIA compliance is fundamental to our South African operations and client commitments.

  • Information Officer appointed and registered with the Information Regulator
  • POPIA-compliant processing records (PAIA Manual updated)
  • Data subject rights management: access, correction, deletion, objection
  • Operator agreements in place for all SA client data processing
  • Cross-border transfer controls: SA data remains in SA unless client authorises transfer
POPIA Status
Information Officer: Registered
PAIA Manual: Current
Operator Agreements: Standard
B-BBEE Level: Level 2
Section 05

EU AI Act Readiness

The EU AI Act creates the world's first comprehensive legal framework for artificial intelligence. Anicalls has completed EU AI Act readiness assessment and is implementing full compliance ahead of the applicable deadlines.

Risk Classification
All Anicalls AI systems are classified under the EU AI Act four-tier risk framework: minimal, limited, high, or unacceptable risk. Risk registers maintained for all deployments.
High-Risk AI Compliance
For high-risk AI systems (employment, credit, healthcare), full conformity assessments, technical documentation, and registration in the EU AI Act database are in preparation.
Transparency Obligations
All AI-generated outputs are disclosed where required. Emotion recognition, biometric, and GPAI obligations addressed in our AI system documentation.
Human Oversight
Human-in-the-loop controls for all consequential AI decisions. Escalation pathways from AI to human decision-maker documented for every high-risk use case.
Logging & Monitoring
Automated logging of high-risk AI system inputs, outputs, and decisions. Retention for minimum 10 years. Post-market monitoring and incident reporting procedures.
GPAI Model Obligations
For GPAI model integrations, copyright compliance, technical documentation, and systemic risk assessment procedures are in place per Chapter V (general-purpose AI models) of the EU AI Act, Regulation (EU) 2024/1689.
Section 06

UAE Data Protection Law

Anicalls' Dubai entity operates in full compliance with the UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law — PDPL) and DIFC Data Protection Law 2020 for our DIFC-regulated operations.

  • UAE PDPL compliance: lawful basis, purpose limitation, data minimisation
  • DIFC Data Protection Law 2020 compliant for DIFC operations
  • Saudi PDPL awareness: SAMA-aligned privacy controls for KSA client data
  • Qatar PDPPL (Law No. 13 of 2016) and QFC Data Protection Regulations compliant
  • Arabic-language privacy notices available
MEA Compliance
UAE PDPL: Compliant
DIFC DPL 2020: Compliant
Saudi PDPL: Aware
Qatar PDPPL: Compliant
Section 07

AI Governance Framework

Anicalls operates a comprehensive AI governance framework — covering model risk management, AI ethics, explainability, bias prevention, and board-level AI oversight.

AI Risk Management
Model risk management framework aligned with SR 11-7 (Federal Reserve), MAS MRM guidelines, and FCA expectations. All AI models go through pre-deployment validation and live monitoring.
Explainability
All consequential AI decisions must be explainable in plain language. XAI techniques (SHAP, LIME) deployed on predictive models. Human-readable explanations generated for every decision.
Bias Prevention
Pre-deployment bias testing across protected characteristics. Ongoing statistical fairness monitoring. Bias alerts trigger immediate model review and, where necessary, suspension.
AI Ethics Committee
Independent AI Ethics Committee reviews all high-risk AI use cases before deployment. Committee includes external ethics experts. Quarterly reporting to the Board.
Shadow AI Detection
Enterprise shadow AI detection and governance tools identify unauthorised AI tool usage by employees. Policies, training, and sanctioned AI tool catalogues deployed for all clients.
AI Inventory
Full AI system inventory maintained: purpose, data inputs, model type, risk classification, owner, and review date. Board-level AI inventory report published annually.
Section 08

Responsible AI Principles

Anicalls' Responsible AI Charter defines the principles that govern how we design, deploy, and monitor AI systems. These principles are operationalised — not just aspirational — with measurable commitments for every deployment.

Fairness
AI systems must not discriminate on protected characteristics. Fairness metrics tested pre-deployment and monitored in production.
Transparency
Users must know when they are interacting with AI. All AI-generated content and decisions are disclosed where material to the user.
Privacy
Privacy-by-design: data minimisation built into AI architecture. No personal data used for training without explicit consent.
Human Oversight
No fully autonomous AI decision-making for consequential human matters without human review capability. Always an escalation path to a human.
Responsible AI Charter

Our full Responsible AI Charter is available on request. It is structured around the four NIST AI RMF core functions: Govern, Map, Measure, and Manage.

Request AI Charter
Section 09

Business Continuity & Disaster Recovery

Anicalls operates a comprehensive Business Continuity Management System (BCMS) aligned with ISO 22301. Critical systems are designed for 99.99% availability with automated failover.

  • RTO: 4 hours for critical systems, 24 hours for non-critical
  • RPO: 1 hour data loss tolerance for production systems
  • Multi-region active-active deployment: no single region dependency
  • Annual full DR test + quarterly partial tests. Results Board-reviewed
  • GCC operations: multi-site delivery from 6 global locations for client service continuity
  • Crisis communications: client notification within 30 minutes of Severity-1 incident
BCM Performance
99.99%
Platform Uptime SLA
4 hrs
Critical System RTO
1 hr
RPO
6
Delivery Locations
Section 10

SLA Framework

All Anicalls client contracts include service level agreements with financial consequences — not just best-efforts commitments. Our standard SLA framework includes the following service levels.

Service Level | Commitment | Measurement Period | Remedy
Platform Availability | 99.99% uptime | Monthly | Service credit 10% per 0.01% below SLA
Response Time (P99) | ≤ 350 ms | Weekly | Incident review + remediation plan
Support Response — P1 | 15 minutes | Per incident | Escalation to CTO within 30 minutes
Support Response — P2 | 2 hours | Per incident | Root cause analysis delivered within 24 hours
Support Response — P3 | 8 hours | Per incident | Resolution within agreed timeline
Security Patch — Critical | 24 hours | Per vulnerability | Immediate client notification + patch status
Security Patch — High | 7 days | Per vulnerability | Remediation report
Data Breach Notification | 24 hours | Per confirmed breach | Full incident report within 72 hours
Section 11

Vendor Risk Management

Anicalls maintains a rigorous vendor risk management programme for all sub-processors and critical technology suppliers. Clients can request our sub-processor list and vendor risk assessment results at any time.

  • Annual vendor security assessments for all critical and high-risk suppliers
  • Data Processing Agreements (DPAs) executed with all sub-processors
  • Sub-processor list maintained and published — clients notified 30 days before additions
  • Cloud providers: AWS, Microsoft Azure, Google Cloud — all ISO 27001 and SOC 2 certified
  • Vendor concentration risk monitoring: no single vendor dependence for critical systems
  • Procurement-ready: B-BBEE L2, SOC 2 Type II, GDPR DPA, ISO 27001 — all available for vendor onboarding
Procurement Credentials
B-BBEE Level: Level 2
ISO 27001: Certified
SOC 2 Type II: Certified
DPA Available: Standard
Onboarding SLA: 14 days
Section 12

Audit & Assurance Framework

Enterprise clients have the right to audit Anicalls' controls. Our audit framework supports client audits, regulatory inspections, and third-party assurance engagements.

Client Audit Rights
Enterprise clients may conduct annual security and compliance audits with 30 days' notice. Audit facilitation team provides documentation, access, and subject-matter expert interviews.
SOC 2 Type II Reports
Annual SOC 2 Type II reports available under NDA to enterprise clients and prospects. Reports cover Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria.
Regulatory Inspection Support
Full support for regulatory inspections (FCA, PRA, FINMA, SAMA, MAS, etc.). Dedicated regulatory affairs team with experience in 14 regulatory jurisdictions.
Internal Audit Programme
Annual internal audit programme covers: information security, AI governance, data privacy, business continuity, and vendor risk. Board Audit Committee oversight.
Evidence Pack
Standard evidence pack for due diligence: ISO 27001 certificate, SOC 2 report summary, penetration test executive summary, privacy policy, DPA template, BCP summary.
Continuous Monitoring
Real-time compliance dashboards track control effectiveness. Anomaly alerts trigger immediate investigation. Monthly compliance reporting to senior leadership.

Request our full security evidence pack, SOC 2 report, or schedule a security review call.

Request Security Pack

Complete Your Vendor Due Diligence

Our procurement team can provide ISO 27001 certificate, SOC 2 Type II report, DPA template, B-BBEE certificate, and completed vendor questionnaires — typically within 5 business days.

Request Compliance Pack
Vendor Risk Questionnaire