Voice AI Review
Buyer Guide · 5 min read · By

The compliance questions every voice AI buyer should ask in 2026

TCPA, HIPAA, SOC 2, recorded-consent handling, BAAs. A pre-procurement checklist for voice AI buyers, drawn from how we evaluate vendor compliance posture.

Compliance posture is the line item that gets skimmed in the demo and re-litigated in the redline. By the time legal has flagged the SOC 2 report as expired or the TCPA consent flow as out of step with state law, the eval is already six weeks deep and the procurement clock is ticking. Front-load it. These are the questions we ask vendors during the editorial evaluation for the vendor pages on this site — they map cleanly to the questions a buyer's legal team will eventually ask.

Security: SOC 2 and beyond

  • Is the SOC 2 Type II report current — completed within the last twelve months, with no significant exceptions?
  • Does the vendor offer the report under NDA, or only a marketing-grade trust page?
  • If the buyer handles EU data, is there a GDPR sub-processor list and a Data Processing Addendum ready to sign?
  • Where is call audio and transcription stored — and can it be regionalized?

A vendor that cannot produce a Type II report under NDA on the first call is either pre-revenue or pre-compliance. Both are real product states; both are signal.

Healthcare: HIPAA and BAAs

If the voice agent will handle Protected Health Information — and 'will it incidentally hear PHI' is the relevant question for most healthcare deployments — the buyer needs a Business Associate Agreement before launch, not after.

  • Will the vendor sign a BAA, and what does the standard BAA include regarding subcontractors and data retention?
  • Are call recordings, transcripts, and any LLM-side caches stored in a HIPAA-eligible configuration?
  • Is there a PHI redaction layer for transcripts shared into the team's analytics tools?

Thoughtly publishes explicit HIPAA support under a BAA, which is the posture most regulated-vertical buyers in our reviewer set look for; other vendors in the catalog handle this differently, so verify per vendor on the dedicated review page.

Outbound: TCPA and recorded consent

Outbound voice AI lives or dies on TCPA. Inbound voice AI is mostly insulated — the call is initiated by the consumer — but recorded-consent capture still applies once the AI agent starts talking. Ask:

  • How is prior express written consent captured for outbound calls — checkbox UI, double opt-in, language audit trail?
  • Does the platform enforce state-by-state dialing windows automatically, or is that left to the buyer's list-management process?
  • How does the agent announce itself as AI when state law (Colorado, Florida, others) requires it?
  • Where does the call recording disclosure sit in the call flow — is it the first agent turn, before any data collection?

Operational: incident response and uptime

  • What is the SLA for voice infrastructure outages, and what are the credit terms?
  • Is there a public status page, and how granular is the incident history?
  • On a content incident — the agent says something it should not have — what is the rollback path, and how is the team notified?

How to weight the answers

A vendor that answers crisply and shows the artifacts (SOC 2 letter, BAA template, consent UI screenshots, status page URL) is a vendor whose compliance team has internalized the question. A vendor that defers everything to a future call is a vendor whose product team has not. The compliance answer set is not a checklist score — it is a maturity signal. Read it that way and most procurement timelines compress by weeks.
