Last updated 2026-04-16. Where we stand on the frameworks enterprise buyers ask about.
| Framework | Status | Notes |
|---|---|---|
| GDPR | Covered | SCCs + UK IDTA in place. See DPA. SAR response within 30 days. |
| CCPA / CPRA | Covered | We do not sell personal information. Opt-out + deletion handled via Privacy. |
| SOC 2 Type II | In progress | Observation started Q1 2026. Report expected Q3 2026 (Prescient Assurance). |
| HIPAA | BAA available | Enterprise tier only. PHI must route through dedicated HIPAA-scoped gateway. Contact sales. |
| PCI DSS | Via Stripe | We never see full PAN. Card data is tokenized by Stripe (a PCI DSS Level 1 Service Provider). |
| ISO 27001 (not yet certified, scheduled) | Roadmap / scheduled | Not yet certified. Planned Stage 1 audit 2027. Controls align with SOC 2 CC-series. |
| ISO 27701 (privacy) | Roadmap | Not yet. Will follow ISO 27001 cert (scheduled). |
| EU AI Act | Monitoring | We're a gateway, not a model provider. Agent-disclosure obligations flow to principals per Agent Terms. |
| FedRAMP (not yet in scope) | Not currently in scope / scheduled review | Not currently in scope for 2026 — planned review 2027. Contact sales if this is a gating requirement. |
We don't set tracking cookies by default. No analytics pixels, no ad retargeting, no cross-site tracking. A session cookie is used after login to keep you signed in. Details: /cookies.html.
Full list in the DPA. Anthropic, Cloudflare, Fly.io, Supabase, Stripe, Coinbase Commerce, Resend.
Default: US (Fly.io iad, Supabase us-east). EU residency via Fly.io cdg available on Growth tier and up on request. More regions coming with paid demand.
Enterprise customers can request our security questionnaire response, pen test exec summary, and SOC 2 letters (when available) under NDA. Email trust@metercall.ai.
Last updated 2026-04-16. Questions → /contact.html