// Trust & Security Report

    PolyAI Limited (PolyAI Technologies, Inc. affiliate for US operations) logo

    PolyAI Limited (PolyAI Technologies, Inc. affiliate for US operations)

    Enterprise voice/dialog AI agent platform ("Agentic Dialog Platform") for customer-facing conversations (phone, chat, and other channels). Built on Poly Agent Builder (no-code builder for non-technical teams) and ADK (Agent Development Kit for developers), both running on PolyAI's proprietary conversational LLM, Raven.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001
    HELD

    We are certified for ISO/IEC 27001, the international standard for information security management systems (ISMS).

    Verify on docs.poly.ai
    SOC 2 Type II
    HELD

    PolyAI has achieved SOC 2 Type II compliance, covering data security, availability, processing integrity, confidentiality, and privacy.

    Verify on docs.poly.ai
    GDPR (compliance posture, not a certification)
    HELD

    PolyAI complies with the General Data Protection Regulation (GDPR) to protect personal data and the privacy of individuals in the European Union.

    Verify on docs.poly.ai
    HIPAA
    HELD

    Where relevant, our systems are designed to meet HIPAA (Health Insurance Portability and Accountability Act) requirements. Protected health information (PHI) is handled securely.

    Verify on docs.poly.ai
    PCI DSS
    HELD

    Where relevant, PolyAI is committed to complying with the PCI-DSS (Payment Card Industry Data Security Standard).

    Verify on docs.poly.ai
    UK NCSC Cyber Essentials / Cyber Essentials Plus
    HELD

    We are certified under the UK NCSC (National Cyber Security Center) Cyber Essentials and Cyber Essentials Plus frameworks, which protect against a wide variety of cyber threats.

    Verify on docs.poly.ai
    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence of a separate SOC 2 Type I attestation; vendor's compliance page states only SOC 2 Type II ('PolyAI has achieved SOC 2 Type II compliance').

    source: docs.poly.ai
    ISO 27017 / ISO 27018 / ISO 27701 (cloud & privacy extensions)
    NOT CONFIRMED

    No public evidence on poly.ai or docs.poly.ai naming ISO 27017, 27018, or 27701. Only ISO/IEC 27001 is named.

    source: docs.poly.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification on any PolyAI-owned domain.

    source: docs.poly.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration/certification on any PolyAI-owned domain.

    source: poly.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; PolyAI's public materials are UK/commercial-enterprise focused with no US federal government listing found.

    source: poly.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Not explicitly published as a selectable region/residency option. Privacy notice states data may be transferred to the US and EEA using Standard Contractual Clauses and UK/EU adequacy decisions; hosting is on AWS. No dedicated EU-only or in-country hosting option is documented.

    PolyAI's own Raven training-data documentation states data is 'sourced from PolyAI customers to the extent contractually authorized by customers and permitted by applicable law, or otherwise generated by PolyAI,' and that they 'take all reasonable steps to redact personal information from the dataset prior to use.' The privacy notice confirms: 'We extract snippets of voice recordings and/or conversation turns to improve our virtual assistant (including model training).' Legal basis is legitimate interest or consent depending on jurisdiction. No explicit self-service opt-out mechanism is documented on any vendor page found; opt-out/training-exclusion appears to be handled contractually per enterprise agreement rather than as a published toggle. No published tier difference (e.g. does a premium tier exclude training) was found.

    // Security controls

    Encryption

    Not itemized with specific algorithms on vendor pages found (no explicit 'AES-256' / 'TLS 1.2+' language captured); general claims of 'private and secure' interactions and ISO 27001-scoped ISMS. Treat as unverified detail, not absence.

    poly.ai

    Hosting / physical security

    "Hosted on AWS providing robust physical data center security." This is AWS's (the host's) physical/data-center security posture, not an independent PolyAI-held certification.

    poly.ai

    Penetration testing / audits

    "Regular audits, testing and third-party monitoring - ensure that our voice assistants are secure and compliant at all times."

    poly.ai

    Authentication

    "Use natural conversations to authenticate your customers…not vulnerable biometric technology." (voice-conversation-based caller authentication feature, not a security-control statement about admin/account login)

    poly.ai

    Regulatory alignment

    "Aligned with National Cyber Security Centre Guidelines" (UK NCSC)

    poly.ai

    Uptime SLA

    99.9% uptime SLA included in pricing plans per the pricing page.

    poly.ai

    // Products & data scope

    Poly Agent BuilderNo-code dialog agent builder

    data: Enterprise customer conversation data (voice/chat) processed per client contract

    Targeted at non-technical business teams; same underlying runtime as ADK.

    ADK (Agent Development Kit)Developer SDK/API for building custom dialog agents

    data: Enterprise customer conversation data (voice/chat) processed per client contract

    Targeted at developer teams wanting deeper customization; same underlying runtime as Poly Agent Builder.

    Raven (proprietary LLM)Underlying conversational AI model

    data: Trained on a mix of customer-derived conversation data (where contractually authorized, with stated PII redaction) and synthetic data, described as 'proprietary model trained on 1B+ enterprise conversations.'

    Powers both Poly Agent Builder and ADK; this is where the AI-training-on-customer-data posture applies.

    // What to watch

    • Homepage marketing overstates scope: 'Every agent is governed by default, with SOC 2, HIPAA, GDPR, PCI DSS as standard' implies blanket coverage, but the vendor's own compliance page hedges HIPAA and PCI DSS with 'Where relevant' language rather than presenting them as universal, audited certifications the way ISO 27001 and SOC 2 Type II are described. Treat HIPAA/PCI DSS as a conditional/self-attested compliance posture, not an unconditional certification.
    • HIPAA has no formal third-party 'certification' in US law; PolyAI's claim is a self-attested design posture ('systems are designed to meet HIPAA requirements'). No public evidence of Business Associate Agreement (BAA) availability was found or independently confirmed - recommend verifying directly with PolyAI before listing HIPAA-suitable for healthcare buyers.
    • PCI DSS claim uses 'committed to complying' rather than 'certified' or 'validated,' and no Attestation of Compliance (AOC) level (e.g., Level 1 Service Provider) is disclosed.
    • AWS physical/data-center security claim belongs to AWS (the host), not to PolyAI as an independent certification; do not list as a PolyAI-held cert.
    • PolyAI confirms it trains its Raven model on customer conversation data (with stated redaction of PII); no published self-service opt-out mechanism was found on any vendor page - opt-out likely requires contractual negotiation. Flag for buyers with sensitive-data concerns.
    • No independently downloadable SOC 2 report, Vanta/Drata/SafeBase-style trust portal, or subprocessor list was found on any PolyAI-owned domain; certifications are asserted in prose only, not backed by a report-request mechanism visible to this reviewer.

    // At a glance

    Pricing model

    Custom/enterprise: per-minute usage-based billing for voice agent usage, plus platform access; no public self-serve pricing or free tier found ('Ongoing use of the voice agent is priced on a per-minute basis, which includes proactive performance improvements, maintenance and 24/7 support').

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on PolyAI Limited (PolyAI Technologies, Inc. affiliate for US operations)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    poly.ai

    > Browse all vendor trust reports