$1,500

per TCPA violation, no cap

5→2

compliance boundaries eliminated

Day 1

HIPAA, PCI, SOC 2 readiness

20 yrs

telecom compliance heritage

The Compliance Surface Problem

Five Vendors Means Five Audit Surfaces

HIPAA requires platform-level controls

PHI encryption, access logging, BAAs, and breach notification belong in infrastructure. Your LLM pipeline was never designed to provide them.

TCPA applies to AI-generated calls

The FCC confirmed in February 2024 that AI voice calls are subject to TCPA. Consent tracking, opt-out handling, and time restrictions require infrastructure enforcement.

PCI scope grows with every vendor

Each vendor that touches cardholder data needs its own compliance boundary. Five vendors means five breach notification paths and five audit surfaces.

Multi-vendor stacks multiply risk

Separate BAAs for SIP trunking, speech-to-text, LLM inference, and text-to-speech. A gap between any two vendors is a compliance gap.

Build a Voice AI Agent

from signalwire_agents import AgentBase
from signalwire_agents.core.function_result import SwaigFunctionResult

class SupportAgent(AgentBase):
    def __init__(self):
        super().__init__(name="Support Agent", route="/support")
        self.prompt_add_section("Instructions",
            body="You are a customer support agent. "
                 "Greet the caller and resolve their issue.")
        self.add_language("English", "en-US", "rime.spore:mistv2")

    @AgentBase.tool(name="check_order")
    def check_order(self, order_id: str):
        """Check the status of a customer order.

        Args:
            order_id: The order ID to look up
        """
        return SwaigFunctionResult(f"Order {order_id}: shipped, ETA April 2nd")

agent = SupportAgent()
agent.run()

import { AgentBase, FunctionResult } from '@signalwire/sdk';

const agent = new AgentBase({
  name: 'Support Agent',
  route: '/support',
});

agent.promptAddSection('Instructions',
  'You are a customer support agent. Greet the caller and resolve their issue.');

agent.addLanguage({ name: 'English', code: 'en-US', voice: 'rime.spore:mistv2' });

agent.defineTool({
  name: 'check_order',
  description: 'Check the status of a customer order',
  parameters: {
    type: 'object',
    properties: {
      order_id: { type: 'string', description: 'The order ID to look up' },
    },
    required: ['order_id'],
  },
  handler: (args) => {
    return new FunctionResult(`Order ${args.order_id}: shipped, ETA April 2nd`);
  },
});

agent.run();

package main

import (
	"fmt"

	"github.com/signalwire/signalwire-go/pkg/agent"
	"github.com/signalwire/signalwire-go/pkg/swaig"
)

func main() {
	a := agent.NewAgentBase(
		agent.WithName("Support Agent"),
		agent.WithRoute("/support"),
	)

	a.PromptAddSection("Instructions",
		"You are a customer support agent. Greet the caller and resolve their issue.")

	a.AddLanguage(map[string]any{
		"name": "English", "code": "en-US", "voice": "rime.spore:mistv2",
	})

	a.DefineTool(agent.ToolDefinition{
		Name:        "check_order",
		Description: "Check the status of a customer order",
		Parameters: map[string]any{
			"type": "object",
			"properties": map[string]any{
				"order_id": map[string]any{
					"type": "string", "description": "The order ID to look up",
				},
			},
			"required": []string{"order_id"},
		},
		Handler: func(args map[string]any, rawData map[string]any) *swaig.FunctionResult {
			orderID := args["order_id"]
			return swaig.NewFunctionResult(
				fmt.Sprintf("Order %v: shipped, ETA April 2nd", orderID),
			)
		},
	})

	a.Run()
}

import com.signalwire.sdk.agent.AgentBase;
import com.signalwire.sdk.swaig.FunctionResult;

import java.util.List;
import java.util.Map;

public class SupportAgent {
    public static void main(String[] args) throws Exception {
        var agent = AgentBase.builder()
                .name("Support Agent")
                .route("/support")
                .build();

        agent.promptAddSection("Instructions",
                "You are a customer support agent. "
              + "Greet the caller and resolve their issue.");

        agent.addLanguage("English", "en-US", "rime.spore:mistv2");

        agent.defineTool(
                "check_order",
                "Check the status of a customer order",
                Map.of("type", "object",
                       "properties", Map.of(
                           "order_id", Map.of(
                               "type", "string",
                               "description", "The order ID to look up")),
                       "required", List.of("order_id")),
                (toolArgs, rawData) -> {
                    var orderId = toolArgs.get("order_id");
                    return new FunctionResult(
                        "Order " + orderId + ": shipped, ETA April 2nd");
                }
        );

        agent.run();
    }
}

# frozen_string_literal: true

require 'signalwire'

agent = SignalWire::AgentBase.new(name: 'Support Agent', route: '/support')

agent.prompt_add_section('Instructions',
  'You are a customer support agent. Greet the caller and resolve their issue.')

agent.add_language(name: 'English', code: 'en-US', voice: 'rime.spore:mistv2')

agent.define_tool(
  name:        'check_order',
  description: 'Check the status of a customer order',
  parameters:  {
    'order_id' => { 'type' => 'string', 'description' => 'The order ID to look up' }
  }
) do |args, _raw|
  SignalWire::Swaig::FunctionResult.new(
    "Order #{args['order_id']}: shipped, ETA April 2nd"
  )
end

agent.run

<?php
require 'vendor/autoload.php';

use SignalWire\Agent\AgentBase;
use SignalWire\SWAIG\FunctionResult;

$agent = new AgentBase(['name' => 'Support Agent', 'route' => '/support']);

$agent->promptAddSection('Instructions',
    'You are a customer support agent. Greet the caller and resolve their issue.');

$agent->addLanguage('English', 'en-US', 'rime.spore:mistv2');

$agent->defineTool(
    name: 'check_order',
    description: 'Check the status of a customer order',
    parameters: [
        'order_id' => ['type' => 'string', 'description' => 'The order ID to look up'],
    ],
    handler: function (array $args): FunctionResult {
        return new FunctionResult("Order {$args['order_id']}: shipped, ETA April 2nd");
    }
);

$agent->run();

#!/usr/bin/env perl
use strict;
use warnings;
use lib 'lib';
use SignalWire::Agent::AgentBase;
use SignalWire::SWAIG::FunctionResult;

my $agent = SignalWire::Agent::AgentBase->new(
    name  => 'Support Agent',
    route => '/support',
);

$agent->prompt_add_section('Instructions',
    'You are a customer support agent. Greet the caller and resolve their issue.');

$agent->add_language(name => 'English', code => 'en-US', voice => 'rime.spore:mistv2');

$agent->define_tool(
    name        => 'check_order',
    description => 'Check the status of a customer order',
    parameters  => {
        order_id => { type => 'string', description => 'The order ID to look up' },
    },
    handler => sub {
        my ($args, $raw) = @_;
        return SignalWire::SWAIG::FunctionResult->new(
            response => "Order $args->{order_id}: shipped, ETA April 2nd"
        );
    },
);

$agent->run;

#include <signalwire/agent/agent_base.hpp>

using namespace signalwire;
using json = nlohmann::json;

class SupportAgent : public agent::AgentBase {
public:
    SupportAgent() : AgentBase("Support Agent", "/support") {
        prompt_add_section("Instructions",
            "You are a customer support agent. "
            "Greet the caller and resolve their issue.");

        add_language({"English", "en-US", "rime.spore:mistv2"});

        define_tool({
            .name = "check_order",
            .description = "Check the status of a customer order",
            .parameters = {
                {"order_id", {{"type", "string"},
                              {"description", "The order ID to look up"}}}
            },
            .handler = [](const json& args, const json&) {
                auto order_id = args.value("order_id", "unknown");
                return swaig::FunctionResult(
                    "Order " + order_id + ": shipped, ETA April 2nd");
            }
        });
    }
};

int main() {
    SupportAgent().run();
}

using SignalWire.Agent;
using SignalWire.SWAIG;

var agent = new AgentBase(new AgentOptions { Name = "Support Agent", Route = "/support" });

agent.PromptAddSection("Instructions",
    "You are a customer support agent. Greet the caller and resolve their issue.");

agent.AddLanguage("English", "en-US", "rime.spore:mistv2");

agent.DefineTool("check_order", "Check the status of a customer order",
    new { type = "object", properties = new {
        order_id = new { type = "string", description = "The order ID to look up" }
    }, required = new[] { "order_id" } },
    (args, rawData) =>
    {
        var orderId = args.TryGetValue("order_id", out var id) ? id : "unknown";
        return new FunctionResult($"Order {orderId}: shipped, ETA April 2nd");
    });

agent.Run();

use signalwire::agent::AgentBase;
use signalwire::swaig::FunctionResult;
use serde_json::json;

fn main() {
    let mut agent = AgentBase::builder()
        .name("Support Agent")
        .route("/support")
        .build();

    agent
        .prompt_add_section("Instructions",
            "You are a customer support agent. Greet the caller and resolve their issue.", &[])
        .add_language("English", "en-US", "rime.spore:mistv2");

    agent.define_tool(
        "check_order",
        "Check the status of a customer order",
        json!({"type": "object", "properties": {
            "order_id": {"type": "string", "description": "The order ID to look up"}
        }, "required": ["order_id"]}),
        Box::new(|args, _raw| {
            let order_id = args.get("order_id").and_then(|v| v.as_str()).unwrap_or("unknown");
            FunctionResult::with_response(&format!("Order {order_id}: shipped, ETA April 2nd"))
        }),
    );

    agent.run();
}

Five Compliance Boundaries vs. Two

Multi-Vendor Stack (5 BAAs)

SIP trunking provider: separate BAA
Speech-to-text provider: separate BAA
LLM inference provider: separate BAA
Text-to-speech provider: separate BAA
Your app: orchestration and everything else
Five breach notification paths, five audit surfaces

SignalWire + Your AI (2 boundaries)

SignalWire: telephony, compliance infrastructure (one BAA)
Your AI provider: LLM inference (your arrangement)
One vendor to audit for voice transport, recording, and access control
Compliance surface shrinks from five boundaries to two

What Regulators Audit

Regulation	What They Audit	Penalty
HIPAA	PHI handling, encryption, access controls, BAA coverage	Up to $1.5M per violation category per year
TCPA	Consent tracking, opt-out handling, call time restrictions	$500 to $1,500 per violation (AI calls confirmed subject, Feb 2024)
PCI DSS	Cardholder data scope, encryption, access logging	Fines plus loss of card processing ability
SOC 2 Type II	Security controls, availability, processing integrity	Loss of enterprise deals
STIR/SHAKEN	Caller ID attestation, spam prevention	Number blocking, reputation damage

Architecture Enforces Compliance, Not Prompts

Hidden data layer

Sensitive data is available to tool functions but invisible to the LLM context window. The model cannot leak what it cannot see.

Scoped tool access per step

Each conversation step grants access to different tools. An intake step cannot access payment data. A billing step can pause recording during card entry.

Enforced state transitions

The platform validates every state transition. The model cannot skip steps or access capabilities outside its current scope.

Native recording with consent management

Obtain consent, start, pause during sensitive data, resume, stop. Every step is logged with timestamps and method documentation.

Complete audit trails

Every call generates a structured compliance record: consent timestamps, recording events, tool calls executed, and call disposition.

Compliant from Day One

1

Sign up for a SignalWire Space

Single BAA covering the entire platform. No separate agreements per service.

2

Define your agent with the hidden data layer

PII lives in the hidden data layer, accessible to tool functions but invisible to the LLM.

3

Configure recording and consent policies

Two-party consent tracking, encrypted storage, retention policies, and role-based playback access.

4

Ship to production with audit readiness

Every call produces a compliance-ready record. No retrofit required.

At $500 to $1,500 per violation with no cap, a 10,000-call campaign creates up to $15M in exposure. A misconfigured bot makes the same violation on every concurrent call simultaneously.

FAQ

Does SignalWire provide a BAA for HIPAA compliance?

Yes. A single BAA covers the entire platform: telephony, recording, storage, and access control. No separate agreements per service.

How does the hidden data layer prevent PII leaks?

Sensitive data (SSNs, account numbers, payment details) lives in the hidden data layer. Tool functions can access it, but the LLM context window never receives it. The model cannot leak what it cannot see.

What recording consent models are supported?

The platform supports one-party and two-party consent with per-state jurisdiction rules. Consent timestamps, method documentation, and opt-out handling are logged automatically.

How does scoped tool access work?

Each conversation step defines which tools are available. An identity verification step accesses identity tools. A payment step accesses payment tools and can pause recording. No step has access to tools outside its scope.

Can I bring my own LLM and still get compliance controls?

Yes. The compliance layer is infrastructure. Your LLM handles conversations. SignalWire handles encryption, recording, consent tracking, audit trails, and access controls regardless of which AI provider you use.

Trusted by 2,000+ companies

Compliance by Architecture, Not by Prompt

One platform, one BAA, one audit surface for your entire voice AI stack.

Get Started Free Read the Docs

Infrastructure Handles the Audit, Not Prompts