Krepko: Service Agreement

1. SaaS and Implementation Services

1.1 Application of Terms

These General Terms apply to and form part of the Service Order Form executed between Krepko Pty Ltd (trading as "Krepko") and the Customer.

1.2 Provision of Services

Subject to the Customer paying the Fees, the SaaS Provider agrees to provide the SaaS for the Term and the Implementation Services, as detailed in the Service Order Form and Annexure B, in accordance with this Agreement.

1.3 Nature of Services

The Customer acknowledges and agrees that:

Krepko operates as a systems integrator, integrating third-party AI, telephony, and software platforms
The SaaS incorporates AI technologies that may produce unpredictable, incorrect, or inappropriate outputs
Core functionality depends on third-party services including OpenAI, Google, Azure, Twilio, Stripe, CRM providers, and telecommunications carriers
The Services are administrative and operational tools only and do not constitute medical, pharmaceutical, or clinical advice of any kind
Integration with third-party systems (including dispensing software, email platforms, calendar systems, and telephony infrastructure) is dependent on the availability, compatibility, and permissions of those systems; the SaaS Provider does not guarantee successful integration with all third-party systems

1.4 SaaS Description

The scope, features, usage limits, and Subscription Tiers of the SaaS are described in Annexure A. The Customer's rights to access and use the SaaS are strictly limited to those rights and limits set out in Annexure A and the Service Order Form.

2. Master Agreement

2.1 Additional Products and Services

This Agreement is a master agreement under which the Customer may increase the scope of the SaaS or purchase additional Products or Implementation Services from time to time by agreeing to a Purchase Order or Quote with the SaaS Provider.

2.2 Purchase Orders

The Customer may purchase:

Additional Products
Increase in scope of Use Restrictions
Additional users at $15 per user per month
Additional storage
Additional integrations
Additional consulting services on a time and materials basis

2.3 Quotes

The SaaS Provider may submit electronic Quotes for ad hoc services. Quotes are valid for 30 days unless specified otherwise. Upon signing by the Customer, a Quote becomes a binding Purchase Order.

3. Implementation Services

3.1 Initial Implementation

Implementation Services include:

Telephone infrastructure setup: SIP/VoIP bridge, number provisioning, call flow architecture, testing and QA
AI agent development: Custom persona aligned with brand voice, behavioural optimisation, Knowledge Base configuration
Call pattern analysis: Recording and transcription of sample calls, call flow mapping, peak time analysis
Business owner review: Demonstration calls, iterative refinement, final approval, training documentation
Core system integrations: Three (3) integrations included as part of standard setup

3.2 Additional Integrations

Standard integrations beyond included three: $75 setup fee per integration
Complex or custom API integrations: $150–$300 setup fee (quoted individually)
Phone system integration is automatically included and does not count towards the three included integrations

3.3 Voice Cloning Requirements

Important: If using voice cloning or custom voices, the Customer must:

Obtain express, informed, written consent from each individual whose voice is cloned
Upload and maintain documentary evidence of such consent
Customer indemnifies the SaaS Provider against all claims arising from unauthorised voice cloning

3.4 Pilot Period

If specified in the Service Order Form, a 7-day Pilot Period applies:

Either Party may terminate without penalty by written notice during the Pilot Period
All Fees paid are non-refundable
Agreement automatically converts to full Term if not terminated prior to expiry of the Pilot Period

3.5 Professional Services Rates

Standard consulting: $90 per hour (8-hour day basis)
Ad hoc services: $70 per hour
Out of hours work (outside 9am–5pm AEST on business days): 100% surcharge (2x applicable rate)

4. Access and Use of SaaS

4.1 Client Obligations

The Customer must provide and maintain all necessary access, credentials, systems, and third-party integrations required for the Services, including but not limited to:

Email account access (API credentials or login permissions)
Calendar system access
Telephony system access and relevant number porting or forwarding permissions
Dispensing or pharmacy software access (where applicable), including relevant API keys or credentials
Printer and device access (where applicable)
Stable internet connectivity and supporting infrastructure

The SaaS Provider is not responsible for delays, failures, or degraded performance resulting from incomplete, incorrect, or revoked access provided by the Customer.

Failure to provide any required access releases the SaaS Provider from the relevant performance obligations until such access is restored.

4.2 Data Hosting and Processing

Core application stack hosted in Australia (currently on Contabo infrastructure)

Customer acknowledges and consents that:

AI inference (LLM, voice, speech services) may be processed overseas (US, EU via OpenAI, Google, Azure)
Customer Data may be transmitted to such providers for processing
Industry-standard security: TLS 1.3 encryption in transit, SHA256 encryption at rest

4.3 Call Recording Compliance

Customer is solely responsible for:

Complying with the Surveillance Devices Act and Telecommunications (Interception and Access) Act
Obtaining all necessary consents before recording calls
Recording is disabled by default and may only be enabled by the Customer

4.4 Outbound Calling (Strict Liability)

Customer must comply with all Telemarketing Laws including:

Do Not Call Register Act 2006 (Cth)
Spam Act 2003 (Cth)
Telecommunications Act 1997 (Cth)
Australian Consumer Law

Customer must NOT:

Call numbers on the Do Not Call Register without valid consent
Make calls outside permitted hours (9am–8pm weekdays, 9am–5pm Saturdays)
Make misleading, deceptive, or unconscionable representations
Continue calling individuals who have requested not to be contacted

4.5 Dispensing Software and Stock Data

Where the Services are integrated with pharmacy dispensing software, the Customer acknowledges and agrees that:

The SaaS Provider does not guarantee the accuracy, completeness, or real-time availability of inventory or dispensing data obtained from third-party pharmacy systems
All stock-related outputs are indicative only and must be independently verified by the Customer prior to reliance
The Customer remains solely responsible for all dispensing decisions, patient safety, and compliance with applicable pharmacy and TGA regulatory requirements
The system is an administrative and operational tool only; it does not constitute clinical or pharmaceutical advice

4.6 Email and Automation Disclaimer

Where the Services include email parsing, e-script processing, or automated printing workflows, the Customer acknowledges and agrees that:

The SaaS Provider is not responsible for missed emails, incorrectly parsed emails, duplicate processing, or failed print jobs
The Customer is responsible for monitoring automated outputs and implementing appropriate human oversight procedures
Automated outputs must be verified before being acted upon in any clinical, dispensing, or regulatory context

4.7 White-Label Services

If a White-Label or Reseller agreement is executed, the Customer may resell the SaaS under its own branding, subject to the terms in Schedule 8 and any separate White-Label addendum.

4.8 Acceptable Use

Customer must comply with the Acceptable Use Policy in Schedule 2. Material breach may result in immediate suspension or termination.

5. Support and Updates

5.1 Included Support

The SaaS Provider provides security patches, critical bug fixes, and access to the support team. Support hours, channels, and priority levels depend on the Subscription Tier.

5.2 AI Model Changes

The SaaS Provider may change underlying AI models or infrastructure upon at least 30 days' notice where such change materially affects functionality.

5.3 No Service Credits

Service Levels and response targets are non-compensable targets only. No service credits or financial compensation are payable for failure to meet availability or response time targets, except as required under Australian Consumer Law.

6. Warranties

6.1 SaaS Provider Warranties

The SaaS Provider warrants that the SaaS will, when used in accordance with this Agreement and its Documentation, function in all material respects in accordance with its Specifications and comply with the Privacy Act 1988 (Cth).

6.2 AI Disclaimers

To the maximum extent permitted by law, the SaaS Provider DISCLAIMS liability for:

AI hallucinations or false, fabricated, or inaccurate statements
Misinterpretation of caller intent, sentiment, or instructions
Inappropriate, offensive, or unintended AI outputs
Failed or incorrect payment processing from AI mishearing details
Incorrect routing, classification, or summarisation of calls by AI
Incorrect parsing, classification, or processing of emails or documents by AI

The Customer must implement appropriate human oversight of all AI-driven outputs. The system is assistive only; the Customer remains responsible for verifying outputs before acting on them.

6.3 Australian Consumer Law

Nothing in this Agreement excludes, restricts, or modifies any non-excludable consumer guarantees, warranties, or other rights provided by the Australian Consumer Law.

7. Fees and Invoicing

7.1 Invoicing

Setup Fees: Payable upfront
Subscription Fees: Payable in advance (monthly or annually)
Usage Fees: Billed monthly in arrears via Stripe or nominated payment provider

7.2 No Refunds

All Fees paid to the SaaS Provider are non-refundable. This applies to all Fee types including Setup Fees, Subscription Fees, and Usage Fees, regardless of the circumstances of termination or the stage of the Term, except where a refund is expressly required by the Australian Consumer Law.

7.3 Payment & Suspension

Invoices due within 30 days of invoice date. If unpaid:

30 days overdue: May suspend access upon 7 days' written notice
60 days overdue: May terminate Agreement for non-payment

7.4 CPI & Fee Increases

Fees may increase annually by reference to CPI. The SaaS Provider may also increase renewal pricing by providing at least 60 days' written notice prior to end of the current Term.

7.5 Usage Billing and Overages

Minutes, SMS, and other usage-based elements are subject to a monthly allowance per Subscription Tier. Excess usage is charged on a pay-as-you-go (PAYG) basis.

8. Term and Termination

8.1 Term

Initial Term is one (1) year unless otherwise stated. Agreement automatically renews for successive periods equal to the Initial Term unless either Party provides at least 30 days' written notice of non-renewal.

8.2 Immediate Termination

SaaS Provider may terminate immediately by written notice if Customer:

Commits material breach not remedied within 14 days of notice
Engages in fraud, unlawful conduct, or wilful misconduct
Fails to pay Fees for more than 60 days after the due date

8.3 Effect of Termination

Upon termination or expiry:

Customer's access to SaaS ceases immediately
Customer Data available for export for 30 days following termination
After 30 days, Customer Data may be permanently deleted (except where required by law)
All Fees paid are non-refundable

9. Intellectual Property

9.1 Ownership

SaaS Provider owns: Platform, SaaS, underlying software, Documentation, and all related IP
Customer owns: Customer Data, including call recordings, transcripts, logs, and caller metadata

9.2 AI Training and Data Usage

The SaaS Provider will NOT use Customer call data to train foundational AI models.

AI models trained on licensed, publicly available datasets and proprietary Krepko content
Call recordings disabled by default, must be explicitly enabled by Customer
When enabled, recordings used only for the Customer's quality assurance and compliance purposes

9.3 Aggregate Data and Benchmarking

With Customer permission (withdrawable at any time), the SaaS Provider may use anonymised, aggregated data for benchmarking and product improvement, provided:

All personal information, company identifiers, and specific business details are removed
No re-identification of Customer or its clients is possible
Aggregation is across at least ten (10) or more customers

10. Confidentiality

Each Party must keep confidential all Confidential Information of the other Party and must not disclose it to any third party except:

To personnel, advisors, or contractors who need to know and are bound by confidentiality obligations
As required to deliver the SaaS (including to sub-processors such as OpenAI, Twilio, Stripe, and CRM providers)
As required by law, court order, or regulatory authority

11. Privacy & Security

11.1 Security Measures

The SaaS Provider implements and maintains:

TLS 1.3 encryption in transit
SHA256-based encryption at rest
Access controls and logging
Regular security reviews

11.2 Security Incident Notification

The SaaS Provider will notify the Customer of Security Incidents and AI Content Incidents in accordance with the timeframes and processes in Schedule 4 and Appendix A.

12. Limitation of Liability

12.1 Liability Cap

To the maximum extent permitted by law, the aggregate liability of the SaaS Provider is limited to:

Fees paid by the Customer in the twelve (12) months immediately preceding the event giving rise to the claim.

12.2 Exclusions

To the maximum extent permitted by law, the SaaS Provider is not liable for:

Indirect, consequential, incidental, special, punitive, or exemplary damages
Loss of profit, revenue, or business
AI hallucinations, misinterpretation, or inappropriate outputs
Missed or mis-booked appointments
Third-party outages or failures (Twilio, OpenAI, Google, Stripe, CRM providers, ISPs, telcos)
Customer's failure to configure or operate systems correctly
Losses arising from incorrect or incomplete access credentials provided by the Customer
Losses arising from reliance on unverified AI outputs in clinical, dispensing, or regulatory contexts
Regulatory penalties, fines, or sanctions incurred by the Customer

12.3 Exceptions

Limitations do not apply to:

Liability which cannot be excluded under Australian Consumer Law
Infringement of third-party IP rights caused by the SaaS Provider
Breaches of confidentiality or data privacy caused by the SaaS Provider's negligence or wilful misconduct
Fraud or wilful misconduct by the SaaS Provider

13. Indemnity

13.1 Customer Indemnities

Customer indemnifies and holds harmless the SaaS Provider from losses arising from:

Customer's failure to obtain lawful consent for call recording or voice cloning
Any claim that Customer Data infringes the IP or privacy rights of a third party
Any breach of Telemarketing Laws or the Acceptable Use Policy
Misuse of SaaS by the Customer or its users
Customer's failure to verify AI-generated outputs prior to acting on them in any clinical, dispensing, or regulatory context
Customer's failure to provide complete, accurate, and up-to-date access credentials and system access required for the Services
Any regulatory action, fine, or penalty arising from the Customer's use of the Services in a regulated industry

13.2 Telemarketing Indemnity Cap

For claims arising from breaches of the Spam Act, Do Not Call Register Act, or related Telemarketing Laws, the Customer's indemnity liability is capped as follows:

Starter and Team Tiers: Greater of 12 months of Fees or AUD $50,000
Enterprise Tier: Greater of 24 months of Fees or AUD $250,000

Cap does not apply to wilful or fraudulent violations.

14. Business Continuity and Disaster Recovery

The SaaS Provider maintains a business continuity and disaster recovery regime, including:

Backup procedures
Monitoring and recovery objectives
Recovery Time Objective (RTO): target of 4 hours for critical systems
Recovery Point Objective (RPO): target of 24 hours maximum data loss

15. Governing Law and Dispute Resolution

15.1 Governing Law

This Agreement is governed by the laws of Queensland, Australia. Parties submit to the non-exclusive jurisdiction of Queensland and Commonwealth courts.

15.2 Dispute Resolution

Process for resolving disputes:

Parties must meet in good faith to attempt resolution
If not resolved within 14 days, participate in mediation in Brisbane, Queensland
If not resolved within 30 days after mediation, may refer to arbitration or commence court proceedings

16. General

This Agreement constitutes the entire agreement between the Parties and supersedes all prior discussions, representations, and agreements. Any variation must be in writing and signed by both Parties. If any provision is found invalid or unenforceable, remaining provisions remain in full force and effect.

Schedule 1: Support Services & SLA

Priority	Definition	Response Target	Resolution Target
P1 (Critical)	System Down / Data Breach	4 Hours	1 Business Day
P2 (High)	Major Function Fail	1 Business Day	5 Business Days
P3 (Normal)	Minor Bug / Workaround available	3 Business Days	Next Release
P4 (Low)	Cosmetic / Feature Request	5 Business Days	Future Release

Availability Target: 99% per calendar month

Excluding: planned maintenance, Customer-caused issues, third-party provider outages, telecommunications network failures, internet services, and force majeure events.

Note: Service levels are non-compensable objectives only. No service credits or financial compensation are payable for failure to meet targets, except as required by Australian Consumer Law.

Schedule 2: Acceptable Use Policy

Customer must ensure all use of SaaS complies with this policy.

Customer must NOT:

Use SaaS for any unlawful, harmful, fraudulent, or deceptive purpose
Impersonate any person or entity, or misrepresent affiliation
Use unauthorised voice cloning
Harass, threaten, or abuse callers or any third party
Store, process, or transmit defamatory, obscene, hateful, or objectionable content
Reverse engineer, decompile, or disassemble the SaaS (except where permitted by law)
Use SaaS to build or train a competing product or service
Resell, sublicense, or provide SaaS to a third party without prior written consent
Circumvent usage limits, authentication mechanisms, safety filters, or security controls
Use SaaS in regulated industries without the necessary licences and professional oversight
Upload or transmit content that infringes the IP or privacy rights of third parties

Consequences: SaaS Provider may immediately suspend or restrict access where a breach is suspected. Repeated or serious breaches constitute material breach of the Agreement.

Schedule 3: AI Output Disclaimer

Customer acknowledges the inherent risks and limitations of generative AI and automated telephony.

Risk Area	Description & Disclaimer
Accuracy & Hallucinations	AI is probabilistic and may generate incorrect factual statements, invent details, misstate amounts or dates, or provide misleading information
Misinterpretation of Callers	AI may misinterpret accents, audio quality, background noise, or caller intent, leading to incorrect actions or responses
Voice Cloning Artifacts	AI voices may sound synthetic, robotic, or exhibit artifacts depending on network latency, audio hardware, and voice cloning quality
Payment Failures	If AI is used to capture payment information, it may mishear or miscapture digits, leading to failed transactions or incorrect billing
Inappropriate Content	Despite safety filters, there is a non-zero risk that AI may generate offensive, inappropriate, or harmful content
Email & Document Parsing	AI-driven email parsing and document processing may produce incorrect classifications, missed items, or duplicate actions. Outputs must be monitored and verified by the Customer
Dispensing & Stock Data	Where integrated with dispensing systems, stock availability and dispensing data outputs are indicative only. The Customer must independently verify all such data before reliance

Annexure A: SaaS Description & Use Restrictions

Core Telephony and AI Functions

Inbound call answering (AI receptionist)
Outbound AI-initiated calling
Call routing and call transfer
Appointment booking and scheduling workflows
Payment processing workflows via third-party providers (e.g. Stripe)
Automated identity verification dialogues
Voice cloning and custom voices (subject to consent requirements)
Speech-to-text transcription
Call recording and storage of selected calls
Storage of caller phone numbers and basic metadata
Integration with CRM platforms (e.g. HubSpot, Salesforce)
Integration with booking and calendar systems
Human handoff to real staff (call transfers or warm handoff)

Additional Capabilities

Automated call summaries
Ticket or case creation based on caller requirements
Routing calls to relevant departments or queues based on intent
Email parsing and automated workflow triggering (where enabled)
Integration with dispensing software (where applicable and separately agreed)

Platform Characteristics

Multi-tenant SaaS platform delivered over the internet
Application hosted in Australia (currently Contabo)
LLM inference hosted overseas
Telephony delivered via third-party carriers (e.g. Twilio)
Dashboards and tools providing access to audio, transcripts, logs, and analytics

Subscription Tiers

Starter

$135/month
or $1500/year

250 minutes/month
Up to 2 concurrent calls
1 user
4 GB recording storage
Basic pre-built integrations
Mini LLM engine
Basic support

Team

$299/month
or $3400/year

500 minutes/month
Up to 10 concurrent calls
Up to 3 users
$15/month per additional user
20 GB recording storage
Advanced integrations & workflows
Advanced LLM engine
Enhanced support

Enterprise

$699/month
or $8100/year

1100 minutes/month
Up to 20 concurrent calls
Up to 5 users
100 GB recording storage
Advanced custom integrations
Premium LLM with full customisation
Priority support

Usage Overages: Minutes, storage, or other usage beyond included limits billed on a pay-as-you-go basis at rates specified in the Service Order Form.

Annexure B: Implementation Services

Standard implementation and onboarding services included in one-time setup fee: Currently AUD $500 (unless otherwise specified)

1. Telephone Infrastructure Setup

SIP/VoIP bridge configuration and connectivity
Phone number provisioning and routing configuration
Call flow architecture design aligned with Customer requirements
Testing and quality assurance of call connectivity and routing

2. AI Agent Development & Training

Custom agent persona creation aligned with Customer's brand voice and tone
Behavioural optimisation for key KPIs (customer satisfaction, first-call resolution, conversion rates)
Initial knowledge base configuration (FAQs and scripts)
Response protocol development and escalation logic

3. Call Pattern Analysis & Immersion

Recording and transcription of a sample set of Customer's existing calls
Call flow mapping and pattern identification
Peak time and call volume analysis
Customer pain point identification and industry-specific terminology extraction

4. Business Owner Review & Approval

Demonstration calls using test scenarios
Iterative refinement based on Customer feedback
Final approval and sign-off of call flows and agent behaviour
Provision of training documentation for Customer's internal team

5. Core System Integrations

Implementation of up to 3 integrations from the integration library (CRM, booking system, helpdesk)
Each additional integration beyond 3 included: AUD $75 one-time setup
Complex or custom API integrations: AUD $150–$300 one-time setup (quoted individually)
Phone system integration included automatically (does not count toward 3 included integrations)

6. Professional Services Rates

Standard consulting: AUD $190 per hour (based on 8-hour day)
Ad-hoc work: AUD $270 per hour< /li>
Out of hours surcharge (outside 9am–5pm AEST on business days): 100% (i.e. 2x applicable hourly rate)

Schedule 4: Data Processing & Security

1. Data Hosting and Overseas Processing

Core application hosting located in Australia (currently with Contabo or equivalent)
AI inference (LLM, speech-to-text, voice services) provided by third parties such as OpenAI, Google, Azure
May process data in overseas jurisdictions (US and Europe)
Customer expressly consents to transmission and processing of Customer Data by overseas providers

2. Security Measures

TLS 1.3 encryption for data in transit where technically feasible
SHA256-based encryption (or stronger) for data at rest
Role-based access control and authentication for administrative interfaces
Audit logging and monitoring of access to production systems
Regular security reviews and vulnerability assessments

3. Data Retention and Deletion

Customer Data retained for the Agreement duration and up to 30 days following termination
At end of retention period, Customer Data is deleted or irreversibly anonymised
Customer may request earlier deletion of specific datasets (subject to technical feasibility and legal obligations)

4. Security Incidents

Security Incidents and AI Content Incidents handled per notification processes in Appendix A
SaaS Provider will cooperate reasonably with Customer to investigate and remediate confirmed Security Incidents

Schedule 5: Telemarketing and Outbound Calling Indemnity

1. Customer Responsibility

Customer is solely responsible for ensuring all outbound calls comply with applicable laws including:

Do Not Call Register Act 2006 (Cth)
Spam Act 2003 (Cth)
Australian Consumer Law
Telecommunications Act 1997 (Cth)
Privacy Act 1988 (Cth)
ACMA industry codes, standards, and guidance
Any applicable state or territory consumer protection laws

2. Prohibited Uses

Customer must NOT use SaaS to:

Call numbers listed on the Do Not Call Register without valid consent or exemption
Make calls outside permitted hours under applicable telemarketing standards
Make misleading, deceptive, or unconscionable representations
Fail to properly identify the caller and purpose of the call
Continue calling individuals who have requested not to be contacted

3. Indemnification

Customer agrees to indemnify, defend, and hold harmless Krepko, its officers, directors, employees, and agents from and against any regulatory actions, enforcement proceedings, fines, penalties, third-party claims, damages, legal fees, and related costs arising from Customer's breach of Telemarketing Laws, subject to the liability caps in clause 13.2.

Schedule 6: Business Continuity and Disaster Recovery

1. Infrastructure Resilience

Krepko leverages enterprise-grade cloud infrastructure (AWS/Google Cloud/Azure/Contabo) with:

Built-in redundancy
Automated backups
High-availability architecture
Service continuity through common failure scenarios

2. Backup Procedures

Automated daily backups of relevant databases (typical retention: 30 days)
System configuration and infrastructure-as-code artifacts in version-controlled repositories
Database replication to support point-in-time recovery where feasible
Recovery Time Objective (RTO): Target of 4 hours for critical systems
Recovery Point Objective (RPO): Target of 24 hours maximum data loss

3. Business Continuity Measures

Distributed operational team with documented runbooks and procedures
24/7 on-call engineering rotation for critical incidents
Regular system health monitoring and alerts

4. Disaster Scenarios

In the event of significant service disruption, Krepko will:

Communicate status updates within a reasonable timeframe (target: 2 hours of detection)
Provide an estimated recovery timeline (target: within 4 hours)
Execute recovery procedures to restore service as soon as practicable
Conduct post-incident reviews for major incidents

Schedule 7: White-Label Partner Tiers

Note: These apply only where a separate White-Label or Reseller agreement is executed.

Tier	Base/Month	Revenue Share	Usage Cap	Minimum Payment	Term	Branding & Support
Partner	$1,000	25% of gross revenue	20,000 min/month	$2,000 (base + rev share, whichever higher)	12 months	Full white-label (logo, colours, domain). Dedicated partner manager.
Reseller	$2,000	20% of gross revenue	100,000 min/month	$5,000 (base + rev share, whichever higher)	24 months	Full white-label + custom subdomain. Priority technical support.
Enterprise Reseller	$5,000	15% of gross revenue	Unlimited	$10,000 minimum	36 months	Complete platform customisation. Dedicated infrastructure + custom SLAs.

Appendix A: Incident Detection Technical Controls

1. Security Monitoring Infrastructure

Use of cloud monitoring and security tooling (e.g. CloudWatch, Security Hub, or equivalent)
Automated alerting on anomalous access patterns and error rates
Regular review of logs and alerts with weekly security review cycles

2. AI Safety Monitoring

Automated transcript analysis on a statistically significant sample of calls (e.g. 10% of calls) to detect anomalous or inappropriate AI behaviour
Use of PII-detection algorithms to flag potential data leaks
Sentiment and toxicity analysis to identify harmful or high-risk content
Manual QA review of flagged calls within a reasonable timeframe

3. Incident Response System

24/7 on-call engineering rotation for critical security incidents
Use of incident tracking tools (e.g. Jira, PagerDuty, or similar)
Pre-configured notification templates for customer communication
Documented escalation procedures for severity classification and response

4. Detection Thresholds

Single critical security event (e.g. confirmed unauthorised access) triggers immediate investigation
Multiple similar AI incidents within a short timeframe trigger a pattern investigation
Customer complaints about AI behaviour treated as priority review items
Automated PII detection events trigger immediate human review

Provider Information