Skip to content

Security, Compliance, and Data Governance

This chapter outlines the security and governance practices recommended for running MiaRec Conversation Analytics as a multi-tenant platform.

Because deployments vary (partner-hosted vs SaaS), treat this section as a framework and fill in the exact controls supported by MiaRec.

Security goals (operator)

  • Ensure strict tenant isolation
  • Protect sensitive data (audio, transcripts, message threads)
  • Control and audit administrative changes (tasks, fields, engines, overrides)
  • Meet regulatory requirements (retention, privacy, residency) where applicable

Identify and document: - content types stored: - audio recordings (voice) - transcripts / threads - AI outputs (custom fields, explanations) - sensitive fields: - personally identifiable information (PII) - payment data (PCI) - health data (HIPAA) (if applicable) - where data flows externally (transcription providers, LLM providers)

Access control model

Recommended role categories: - Platform operator / system admin - Tenant admin - Supervisor / analyst - Agent / standard user - Read-only auditor (optional)

Best practices: - least privilege for each role - separate operator accounts from tenant accounts - MFA/SSO enforcement for admin roles - API keys scoped by tenant and purpose

Audit logging (must-have)

Log and retain changes to: - AI Engines configuration - Global AI Tasks and Custom Fields - Tenant activation of tasks - Tenant overrides (prompt/filter) - Retention settings - User/role changes

Include: - who changed it - what changed (before/after) - when it changed - which tenant(s) are impacted

Data retention and deletion

Document: - retention defaults (audio, transcripts, threads, AI outputs) - configurable per-tenant retention (if supported) - deletion workflows and evidence (audit records) - legal hold and export mechanisms (if applicable)

Data residency and third-party processing

If you use external providers: - document what data is sent (full transcript? metadata? both?) - document provider regions and data handling guarantees - document how to select region-specific engines (if supported)

PII handling and redaction (common patterns)

Depending on product capabilities: - Pre-ingestion redaction (redact before MiaRec receives data) - Post-transcription redaction (redact in transcripts) - Prompt-level redaction (remove sensitive data before sending to LLM) - Storage-level controls (encrypt fields, restrict visibility)

Governance for AI configuration

Because AI Tasks can materially change outputs: - establish a policy for global task changes (review + test + staged rollout) - track tenant overrides as “configuration drift” - document how model changes affect comparability over time

Implementation notes

  • Provide a "Data Flow" diagram for voice and text channels showing all external processors
  • Require audit logs for task/prompt overrides (high value for enterprise customers)
  • Provide default retention settings that partners can tune per tenant
  • Document what data is sent to LLM providers (typically: transcript content with optional metadata)
  • Contact MiaRec for details on specific compliance certifications and data handling practices