// Trust & Security Report
Replicant, Inc.
Enterprise contact center AI automation platform offering Conversation Automation (AI agents for voice, chat, SMS), Conversation Intelligence (analytics and QA), and Replicare (managed AI deployment model)
Certifications held
5
Maturity
Enterprise
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on replicant.com“SOC 2 Type 2, PCI DSS, HIPAA certifications - independently validated.”
Verify on replicant.com“SOC 2 Type 2, PCI DSS, HIPAA certifications - independently validated. (Note: homepage has typo 'PCI DDS'; security page uses correct 'PCI DSS')”
Verify on replicant.com“Replicant is certified for SOC 2 Type II, HIPAA, PCI DSS, GDPR, and CCPA, confirming readiness for every use case.”
Verify on replicant.com“Replicant's platform is fully aligned with the requirements of the General Data Protection Regulation (GDPR), supporting global customer service operations... Privacy by design architecture... encrypted storage and transport (AES-256 and TLS 1.2+), strict retention controls, and opt-out support where applicable.”
Verify on replicant.com“Replicant is certified for SOC 2 Type II, HIPAA, PCI DSS, GDPR, and CCPA, confirming readiness for every use case.”
> Show 4 unconfirmed / not-held certifications
source: replicant.comNo mention of ISO 27001 on any vendor page reviewed (safety-ai-security, platform, privacy policy, terms of service, or blog). No public evidence.
source: replicant.comBlog post states 'Replicant is well positioned to stay in compliance with new AI standards' including ISO 42001 - indicates future aspiration, not current certification.
source: replicant.comNo mention of FedRAMP on any vendor page reviewed. No public evidence.
source: replicant.comNo mention of CSA STAR on any vendor page reviewed. No public evidence.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Continental United States (primary). EU and international transfers use Standard Contractual Clauses (SCCs) and adequacy decisions per privacy policy. No confirmed EU-based data center option found in official documentation.
Marketing claims 'Zero public LLM training and complete audit visibility' and 'Customer data is never used to train public models.' However, Terms of Service section 4.3 states: 'Replicant may anonymize and aggregate Customer Content...for the purpose of analyzing and improving the performance of the Service, including the machine learning algorithms underlying the Service.' These two statements are technically compatible (no PUBLIC model training, but internal ML improvement using anonymized/aggregated data is permitted) but enterprises seeking absolute no-training guarantees must negotiate this in their contract. No opt-out clause found in ToS. OpenAI is listed as a subprocessor for LLMs - customer conversation data passes through OpenAI's API for inference.
// Security controls
Cloud infrastructure
Google Cloud Platform (GCP); multi-region, multi-vendor redundancy for telephony, TTS, and LLMs
replicant.comAccess control
Role-Based Access Control (RBAC) with Multi-Factor Authentication (MFA); full audit trails
replicant.comThreat monitoring
Intrusion Detection and Prevention Systems (IDPS) with continuous threat monitoring
replicant.comPII handling
Automatic redaction of PII, payment data, and regulated content from transcripts, analytics, and QA workflows
replicant.comThird-party penetration testing
Third-party pentests mentioned on homepage security claim; blog references MITRE ATLAS, automated pentesting, manual expert testing, and third-party validation
replicant.comSecurity frameworks
NIST Cybersecurity Framework (CSF), NIST AI Risk Management Framework (AI RMF), OWASP Top 10 embedded in development lifecycle
replicant.comAI safety testing
Exhaustive testing for prompt injection, jailbreaks, hallucinations, and adversarial misuse; pre-approved AI responses in high-risk workflows; guaranteed brand-safe outputs
replicant.com// Products & data scope
data: Voice calls, chat, SMS; call recordings, transcripts, customer PII, payment data
Handles mission-critical contact center calls; PII and payment data auto-redacted; integrates with CCaaS and CRM platforms
data: All conversation data, agent performance metrics, QA workflows
Surfaces insights from every interaction; includes AI-driven QA with PII redaction across analytics
data: Customer conversation history, business rules, integration configurations
Described as Replicant's 'true AI partnership model' - a managed service layer for deployment and ongoing optimization; built-in platform capabilities with no hidden costs
// What to watch
- MARKETING vs ToS CONTRADICTION ON AI TRAINING: Security page claims 'Zero public LLM training' and 'Customer data is never used to train public models,' but ToS section 4.3 permits Replicant to use anonymized and aggregated Customer Content to improve the service 'including the machine learning algorithms underlying the Service.' No opt-out clause found. Enterprises seeking absolute no-training guarantees must negotiate contract terms.
- NO PUBLIC DPA OR BAA: Despite claiming HIPAA compliance, no Data Processing Agreement (DPA) or Business Associate Agreement (BAA) is publicly available on the website. Health services customers must request these separately via sales.
- NO PUBLIC TRUST CENTER OR AUDIT REPORT: SOC 2 Type 2 and other certifications are asserted on marketing pages but no publicly accessible trust center portal, attestation report, or Vanta/Drata badge was found. Prospects cannot independently verify certification status without contacting the vendor.
- HOMEPAGE TYPO 'PCI DDS': Homepage security section reads 'SOC 2, HIPAA, PCI DDS, GDPR' - PCI DDS appears to be a typo for PCI DSS. Security page uses the correct acronym. Minor quality concern.
- OPENAI AS SUBPROCESSOR: OpenAI is listed as a subprocessor for Large Language Models. Customer conversation content is processed by OpenAI's API for LLM inference. Enterprises should confirm Replicant maintains zero-retention API agreements with OpenAI and verify this in contract negotiations.
- ISO 27001 NOT HELD: No ISO 27001 certification found or claimed. For enterprise buyers requiring ISO 27001, this is a gap.
- ISO 42001 NOT CERTIFIED: Vendor blog post positions Replicant as 'well positioned to stay in compliance' with ISO 42001 AI governance standard but does not claim current certification.
// At a glance
Pricing model
Enterprise custom pricing; no public pricing listed; demo required to engage
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Replicant, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
replicant.com