Trust & Security

How we protect your operations

PrimeCore Intelligence is built around a single principle: every action is policy-enforced, every decision is logged, and nothing runs in production without explicit approval.

Last updated: March 18, 2026 · Questions: [email protected]
🛡️ Compliance Posture

PrimeCore Intelligence is designed with the following compliance frameworks as architectural requirements. Each framework governs specific deployment configurations — not all apply to all clients.

HIPAA
Architecture-aligned
PHI handling disabled by default. PrimeCore can serve as a HIPAA Business Associate with a signed BAA for healthcare deployments.
GDPR (EU)
Architecture-aligned
Data processing agreements available. EU client data configurable to remain within EU-region infrastructure. Standard Contractual Clauses in EU MSAs.
PCI-DSS
Architecture-aligned
No PAN or CVV is ever stored or logged. Call recordings with payment card data are automatically scrubbed at the infrastructure layer.
TCPA (US)
Enforced in outbound engine
DNC registry checks, consent verification, and time-window enforcement built into the outbound engine. Opt-out handling is automatic and immediate.
SOC 2 Type II
Roadmap — 2026
SOC 2 Type II audit is on our 2026 roadmap. Controls are designed to meet SOC 2 criteria. Contact us to discuss timeline for your procurement.
42 CFR Part 2
Behavioral health deployments
Substance use disorder confidentiality requirements enforced for behavioral health deployments. Crisis routing never logs identifiable information without consent.
🗃️ Data Handling
| Data Type | Retention | Storage | Access |
|---|---|---|---|
| Call recordings | Client-configured (default 90 days) | Tenant-isolated | Client admin only |
| Call transcripts | 4h live · 90 days archived | Tenant-prefixed KV | Client admin + agents |
| Pilot lead requests | 365 days | PrimeCore KV (public tenant) | PrimeCore sales only |
| Policy decision receipts | 90 days | Tenant-isolated KV | Founder + authorized operators |
| AI training data | Anonymized only | PrimeCore internal | PrimeCore ML team only |
| PAN / CVV | Never stored | Scrubbed at infrastructure layer | N/A |
| PHI (health information) | Disabled by default | Only if BAA signed + enabled | HIPAA-governed chain of custody |
🔒 Tenant Isolation

Every piece of data is stored with the format tenant:{clientId}:{category}:{key} — making it architecturally impossible for one client's data to appear in another client's queries, even in the event of a misconfigured request.

Each client deployment runs in an isolated compute context. Call processing, transcript storage, KPI metrics, and audit logs are fully separated at the data layer.
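
A key scheme of the form tenant:{clientId}:{category}:{key} separates tenants only if no component can contain the ":" delimiter and every list prefix ends with it. The sketch below is an added example, not PrimeCore's code: the helper names, the segment allow-list and the in-memory Map standing in for a key-value store are all assumptions.

```javascript
// Added example: hypothetical helpers, not PrimeCore's code.
// Assumed allow-list: clientId and category never contain the ':' delimiter.
const SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Prefix for listing one tenant's category. It ends with ':' so that
// "acme" can never match keys that belong to "acme2".
function tenantPrefix(clientId, category) {
  for (const [name, value] of [['clientId', clientId], ['category', category]]) {
    if (typeof value !== 'string' || !SEGMENT.test(value)) {
      throw new Error(`invalid ${name}`);
    }
  }
  return `tenant:${clientId}:${category}:`;
}

function tenantKey(clientId, category, key) {
  if (typeof key !== 'string' || key.length === 0) throw new Error('invalid key');
  return tenantPrefix(clientId, category) + key;
}

// Split a stored key back into its parts; only the final part may contain ':'.
function parseTenantKey(storageKey) {
  const m = /^tenant:([A-Za-z0-9_-]{1,64}):([A-Za-z0-9_-]{1,64}):(.+)$/.exec(storageKey);
  if (!m) throw new Error('not a tenant key');
  return { clientId: m[1], category: m[2], key: m[3] };
}

// Read-side check: the key must belong to the authenticated tenant.
function assertOwnedBy(storageKey, authenticatedClientId) {
  const parsed = parseTenantKey(storageKey);
  if (parsed.clientId !== authenticatedClientId) throw new Error('cross-tenant access denied');
  return parsed;
}

// Constructed in-memory stand-in for a key-value store with list-by-prefix.
const store = new Map([
  [tenantKey('acme', 'transcripts', 'call-1'), 'constructed transcript A'],
  [tenantKey('acme2', 'transcripts', 'call-9'), 'constructed transcript B'],
  [tenantKey('acme', 'recordings', 'call-1'), 'constructed recording A'],
]);

function listByPrefix(kv, prefix) {
  return [...kv.keys()].filter((k) => k.startsWith(prefix));
}
```

Listing with the bare string `tenant:acme` returns all three constructed keys, including the one owned by `acme2`; listing with `tenantPrefix('acme', 'transcripts')` returns only the first.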

⚙️ Security Controls
Rate limiting — All public endpoints rate-limited per IP per time window. Pilot form: 3/hour. Call events: 500/5 min. Enforced at both relay layer and War Room API layer.
HMAC webhook validation — All CCaaS webhooks (Five9, Genesys, Bliss) validated with HMAC-SHA256 before processing. Invalid signatures rejected with 401 and logged.
Policy engine governance — Every mutation routes through the Policy Router before execution. Privileged actions require explicit founder approval. No silent writes ever.
Bearer token authentication — All authenticated endpoints require Bearer tokens stored as encrypted secrets in Cloudflare's secure environment — never in code or config files.
Audit logging — Every inbound event, policy decision, and data mutation logged with timestamp, IP, tenant ID, and actor. 90-day retention. Append-only.
Zero PAN/CVV storage — Payment card data scrubbed at the Cloudflare Worker layer before reaching any storage. Paddle is the merchant of record.
7-layer hallucination prevention — AI outputs are RAG-grounded, confidence-gated, citation-required, and post-validated by a second model. Refused-answer registry enforces hard stops on high-risk query categories.
Prompt injection protection — AI inference layer includes explicit guardrails against prompt injection attacks. Every AI response is policy-checked before delivery.
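
The HMAC webhook validation control above, as an added example in Node.js (not PrimeCore's code): it verifies an HMAC-SHA256 signature over the raw request body with a constant-time comparison, returns 401 and writes an audit entry on failure, and parses the payload only after the signature checks out. The hex signature encoding, function names, secret and sample body are assumptions; each CCaaS vendor defines its own header and encoding.

```javascript
// Added example: hypothetical handler, not PrimeCore's code.
const nodeCrypto = require('crypto');

// Assumption: the sender transmits hex(HMAC-SHA256(secret, rawBody)).
function verifyWebhook(rawBody, signatureHex, secret) {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return { status: 401, reason: 'malformed signature' };
  }
  const expected = nodeCrypto.createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(signatureHex, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!nodeCrypto.timingSafeEqual(expected, given)) {
    return { status: 401, reason: 'signature mismatch' };
  }
  return { status: 200, reason: 'ok' };
}

// Verify first, parse second. Rejections are recorded in the audit log.
function handleWebhook(rawBody, signatureHex, secret, auditLog) {
  const verdict = verifyWebhook(rawBody, signatureHex, secret);
  if (verdict.status !== 200) {
    auditLog.push({ event: 'webhook_rejected', reason: verdict.reason });
    return { status: 401, payload: null };
  }
  return { status: 200, payload: JSON.parse(rawBody) };
}

// Constructed sample data for the demonstration.
const SECRET = 'constructed-demo-secret';
const BODY = '{"callId":"c-1001","event":"call.ended"}';
const GOOD_SIG = nodeCrypto.createHmac('sha256', SECRET).update(BODY).digest('hex');
```

The signature covers the exact bytes received, so a body that has been parsed and re-serialised before verification fails the check even when its content is unchanged.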
🤖 AI Disclosure

PrimeCore Intelligence uses AI to handle phone calls on behalf of clients. Callers interacting with a PrimeCore-powered contact center are speaking with an AI system unless escalated to a human agent.

We never instruct our AI to claim it is human. Our systems are configured to acknowledge being an AI if directly and sincerely asked. This is a non-negotiable design requirement, not a preference. Client disclosure obligations under applicable law remain the client's responsibility.

🔍 Vulnerability Disclosure
Responsible Disclosure Policy
If you discover a security vulnerability in PrimeCore Intelligence systems, please report it to [email protected]. We ask that you give us reasonable time to investigate before public disclosure, and that you not access data that does not belong to you.

We acknowledge all reports within 2 business days. We do not currently offer a bug bounty program but recognize significant contributions publicly with your permission.

Our security.txt is at /.well-known/security.txt.
🌐 Infrastructure

PrimeCore runs on Cloudflare's global edge network — Workers, Pages, and KV across 300+ global data centers. DDoS protection is built in at the infrastructure layer. Cloudflare holds its own SOC 2 Type II certification.

Client call processing (AI inference, STT, TTS) runs on dedicated per-client servers architecturally separated from the PrimeCore control plane. Call data never touches shared infrastructure.