// Trust & Security Report

    Replicant, Inc. logo

    Replicant, Inc.

    Enterprise contact center AI automation platform offering Conversation Automation (AI agents for voice, chat, SMS), Conversation Intelligence (analytics and QA), and Replicare (managed AI deployment model)

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2, PCI DSS, HIPAA certifications - independently validated.

    Verify on replicant.com
    PCI DSS
    HELD

    SOC 2 Type 2, PCI DSS, HIPAA certifications - independently validated. (Note: homepage has typo 'PCI DDS'; security page uses correct 'PCI DSS')

    Verify on replicant.com
    HIPAA
    HELD

    Replicant is certified for SOC 2 Type II, HIPAA, PCI DSS, GDPR, and CCPA, confirming readiness for every use case.

    Verify on replicant.com
    GDPR
    HELD

    Replicant's platform is fully aligned with the requirements of the General Data Protection Regulation (GDPR), supporting global customer service operations... Privacy by design architecture... encrypted storage and transport (AES-256 and TLS 1.2+), strict retention controls, and opt-out support where applicable.

    Verify on replicant.com
    CCPA
    HELD

    Replicant is certified for SOC 2 Type II, HIPAA, PCI DSS, GDPR, and CCPA, confirming readiness for every use case.

    Verify on replicant.com
    > Show 4 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 on any vendor page reviewed (safety-ai-security, platform, privacy policy, terms of service, or blog). No public evidence.

    source: replicant.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    Blog post states 'Replicant is well positioned to stay in compliance with new AI standards' including ISO 42001 - indicates future aspiration, not current certification.

    source: replicant.com
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP on any vendor page reviewed. No public evidence.

    source: replicant.com
    CSA STAR
    NOT CONFIRMED

    No mention of CSA STAR on any vendor page reviewed. No public evidence.

    source: replicant.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Continental United States (primary). EU and international transfers use Standard Contractual Clauses (SCCs) and adequacy decisions per privacy policy. No confirmed EU-based data center option found in official documentation.

    Marketing claims 'Zero public LLM training and complete audit visibility' and 'Customer data is never used to train public models.' However, Terms of Service section 4.3 states: 'Replicant may anonymize and aggregate Customer Content...for the purpose of analyzing and improving the performance of the Service, including the machine learning algorithms underlying the Service.' These two statements are technically compatible (no PUBLIC model training, but internal ML improvement using anonymized/aggregated data is permitted) but enterprises seeking absolute no-training guarantees must negotiate this in their contract. No opt-out clause found in ToS. OpenAI is listed as a subprocessor for LLMs - customer conversation data passes through OpenAI's API for inference.

    // Security controls

    Encryption in transit

    TLS 1.2+

    replicant.com

    Encryption at rest

    AES-256

    replicant.com

    Cloud infrastructure

    Google Cloud Platform (GCP); multi-region, multi-vendor redundancy for telephony, TTS, and LLMs

    replicant.com

    Access control

    Role-Based Access Control (RBAC) with Multi-Factor Authentication (MFA); full audit trails

    replicant.com

    Threat monitoring

    Intrusion Detection and Prevention Systems (IDPS) with continuous threat monitoring

    replicant.com

    PII handling

    Automatic redaction of PII, payment data, and regulated content from transcripts, analytics, and QA workflows

    replicant.com

    Third-party penetration testing

    Third-party pentests mentioned on homepage security claim; blog references MITRE ATLAS, automated pentesting, manual expert testing, and third-party validation

    replicant.com

    Security frameworks

    NIST Cybersecurity Framework (CSF), NIST AI Risk Management Framework (AI RMF), OWASP Top 10 embedded in development lifecycle

    replicant.com

    AI safety testing

    Exhaustive testing for prompt injection, jailbreaks, hallucinations, and adversarial misuse; pre-approved AI responses in high-risk workflows; guaranteed brand-safe outputs

    replicant.com

    Vulnerability Disclosure Program

    Publicly listed in website footer

    replicant.com

    // Products & data scope

    Conversation AutomationContact center AI agents

    data: Voice calls, chat, SMS; call recordings, transcripts, customer PII, payment data

    Handles mission-critical contact center calls; PII and payment data auto-redacted; integrates with CCaaS and CRM platforms

    Conversation IntelligenceContact center analytics / QA

    data: All conversation data, agent performance metrics, QA workflows

    Surfaces insights from every interaction; includes AI-driven QA with PII redaction across analytics

    ReplicareManaged AI services / professional services

    data: Customer conversation history, business rules, integration configurations

    Described as Replicant's 'true AI partnership model' - a managed service layer for deployment and ongoing optimization; built-in platform capabilities with no hidden costs

    // What to watch

    • MARKETING vs ToS CONTRADICTION ON AI TRAINING: Security page claims 'Zero public LLM training' and 'Customer data is never used to train public models,' but ToS section 4.3 permits Replicant to use anonymized and aggregated Customer Content to improve the service 'including the machine learning algorithms underlying the Service.' No opt-out clause found. Enterprises seeking absolute no-training guarantees must negotiate contract terms.
    • NO PUBLIC DPA OR BAA: Despite claiming HIPAA compliance, no Data Processing Agreement (DPA) or Business Associate Agreement (BAA) is publicly available on the website. Health services customers must request these separately via sales.
    • NO PUBLIC TRUST CENTER OR AUDIT REPORT: SOC 2 Type 2 and other certifications are asserted on marketing pages but no publicly accessible trust center portal, attestation report, or Vanta/Drata badge was found. Prospects cannot independently verify certification status without contacting the vendor.
    • HOMEPAGE TYPO 'PCI DDS': Homepage security section reads 'SOC 2, HIPAA, PCI DDS, GDPR' - PCI DDS appears to be a typo for PCI DSS. Security page uses the correct acronym. Minor quality concern.
    • OPENAI AS SUBPROCESSOR: OpenAI is listed as a subprocessor for Large Language Models. Customer conversation content is processed by OpenAI's API for LLM inference. Enterprises should confirm Replicant maintains zero-retention API agreements with OpenAI and verify this in contract negotiations.
    • ISO 27001 NOT HELD: No ISO 27001 certification found or claimed. For enterprise buyers requiring ISO 27001, this is a gap.
    • ISO 42001 NOT CERTIFIED: Vendor blog post positions Replicant as 'well positioned to stay in compliance' with ISO 42001 AI governance standard but does not claim current certification.

    // At a glance

    Pricing model

    Enterprise custom pricing; no public pricing listed; demo required to engage

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Replicant, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    replicant.com

    > Browse all vendor trust reports