HelloDrew Security & Compliance Policy

Last Updated: March 5, 2025

At HelloDrew, security and compliance are integral to our operations. We adhere to U.S. federal and state laws, implement industry-standard data protection practices, and enforce security controls to provide a safe and legally compliant platform.

1. Compliance with U.S. Laws and Regulations

HelloDrew complies with all relevant privacy, security, and communication laws, including:

  • California Consumer Privacy Act (CCPA): Users can access, update, or request the deletion of their data.
  • Telephone Consumer Protection Act (TCPA): Users must obtain proper consent before making AI-powered calls or sending SMS messages.
  • CAN-SPAM Act: All email communications include opt-out options and adhere to ethical marketing practices.
  • Federal Trade Commission (FTC) Data Protection Standards: We maintain responsible data collection and privacy policies.
  • Biometric Information Privacy Act (BIPA) (Illinois): If AI-driven voice features require biometric data, explicit consent is obtained.

Users are responsible for ensuring their use of HelloDrew complies with applicable laws in their jurisdiction.

2. Data Protection and Security Measures

Encryption and Secure Storage

  • AES-256 encryption for all stored data.
  • TLS 1.2/1.3 encryption for data in transit.
  • Secure, U.S.-based cloud infrastructure with redundant backups.

Access Control and Authentication

  • OAuth2 authentication for all API connections; no direct password storage.
  • Role-based access controls (RBAC) to limit access to authorized personnel.
  • Multi-factor authentication (MFA) is available for added account security.

Data Retention and Deletion

  • Data is retained only as long as necessary for operational and compliance purposes.
  • Users may request data deletion at any time by contacting security@hellodrew.ai.

3. Secure API and Third-Party Integrations

HelloDrew integrates with CRMs and other platforms while maintaining strict security standards for API connections.

  • OAuth2 authentication ensures secure API access.
  • Rate limiting and monitoring prevent unauthorized access.
  • Third-party services must meet our security standards before integration.
  • Users are responsible for ensuring that third-party tools integrated with HelloDrew comply with applicable laws.

4. Security Monitoring and Incident Response

Threat Monitoring and Response

  • Automated threat detection systems actively monitor for security risks.
  • Regular security audits and vulnerability assessments maintain platform integrity.
  • A structured incident response plan ensures timely action in case of security breaches.

Reporting Security Issues

We encourage responsible disclosure of security vulnerabilities. Please contact security@hellodrew.ai with:

  • A description of the issue
  • Steps to reproduce the vulnerability
  • Any relevant proof-of-concept details

All reports are acknowledged within 48 hours, and confirmed issues are addressed promptly.

5. Responsible AI and Compliance

HelloDrew follows AI ethics and transparency principles to ensure compliance with legal and industry standards.

  • AI-powered communications clearly disclose that they are AI-generated.
  • No biometric data is collected without explicit consent.
  • AI interactions are monitored and updated to align with evolving regulatory requirements.
  • Users are responsible for ensuring their use of AI-driven features complies with applicable laws.

6. Contact and Security Support

For any security or compliance inquiries, please contact:

Email: security@hellodrew.ai
Phone: +1(737)355-9945

This Security Policy is updated regularly to reflect best practices and evolving compliance requirements.
