Security & Compliance

Learn how Weflow protects your data from SOC 2 Type II certification and encryption to data residency, PII handling, and recording consent.


How does Weflow handle personal data and PII from sales conversations?

Weflow handles personal data and PII from sales conversations through multiple layers of compliance, consent controls, and data architecture designed for enterprise security review. Weflow is GDPR compliant, CCPA compliant, SOC 2 Type II certified, and HIPAA compliant with signed Business Associate Agreements available for healthcare organizations. All data is encrypted at rest and in transit, with role-based controls that follow your existing Salesforce permissions and role hierarchy.

For conversation intelligence, Weflow applies multi-layer consent controls before any PII is captured. The consent flow includes three steps:

  • Pre-meeting email opt-in/opt-out so participants can decline recording before the call starts

  • In-meeting chat notice with the option to remove the notetaker during the call

  • A 10-minute lobby grace period: the notetaker waits to be admitted and exits automatically if it is still in the lobby after 10 minutes

AI-generated follow-up emails are produced from the meeting transcript and are reviewable and editable before sending, giving teams full control over what gets shared after a call.

Weflow maintains a Zero Data Retention policy for AI processing. AI providers do not store your data after processing, and your data is never used to train Weflow's AI models. AI processing uses current models from Anthropic (Claude) and OpenAI under these terms. Captured activity, transcripts, summaries, and AI field updates are permanently stored in native Salesforce objects, so your organization owns the data directly in your CRM.

Weflow provides data deletion tools and stores conversation data in Salesforce. Data residency is available in Frankfurt (EU) and the US, so you control where your data lives. Security certifications and controls are available at trust.getweflow.com.

How secure are my recordings and data in Weflow?

Your recordings and data are protected by multiple layers of certification, encryption, and access control. Weflow holds SOC 2 Type II certification and is compliant with GDPR, CCPA, and HIPAA. ISO 27001 certification is currently in progress. You can review certificates, tests, and controls at trust.getweflow.com.

For healthcare organizations, Weflow signs Business Associate Agreements (BAAs). Data residency is available in the EU (Frankfurt) and US. All data is encrypted at rest and in transit.

Weflow supports role-based controls and SSO/SAML via Okta. Automated user provisioning is supported, and access can be centrally managed via Microsoft Entra ID or Google Workspace.

On the AI side, Weflow maintains a zero data retention policy, meaning AI providers such as Anthropic (Claude) and OpenAI do not retain your data after processing. Your data is never used to train Weflow's models. Weflow's AI only surfaces data the user already has access to in Salesforce, respecting your existing permission sets and role hierarchy.

  • Continuous third-party penetration testing and automated vulnerability scanning

  • Configurable consent flows for GDPR and CCPA compliant call recording

  • Three-step recording consent flow: pre-meeting email opt-in/opt-out for external participants, in-meeting chat notification, and a 10-minute lobby grace period where the notetaker exits if it is not admitted

  • Data deletion tools for compliance requests

Does Weflow undergo regular third-party security audits?

Yes. Weflow undergoes regular third-party security audits as part of an ongoing commitment to independent verification, not a one-time checkbox.

Weflow holds SOC 2 Type II certification (AICPA SOC 2 Type 2) and conducts third-party penetration testing on a regular basis. These are active, recurring programs rather than point-in-time assessments.

Additional security and compliance certifications include:

  • HIPAA compliance (BAA available)

  • GDPR and CCPA compliance

  • Zero Data Retention: AI providers do not retain Weflow customer data

  • ISO 27001 certification is currently in progress

Data is encrypted at rest and in transit. Weflow offers EU (Frankfurt) and US data residency options to meet regional data requirements.

If your security or procurement team needs documentation, detailed reports and compliance artifacts are available at trust.getweflow.com.

Where does Weflow store customer data — what regions and data centers?

Weflow stores customer data in two regions: Frankfurt (EU) and the US. European customers use the Frankfurt region, which aligns with GDPR requirements. US customers store data in US-based data centers, with HIPAA BAA terms available for healthcare organizations.

Weflow's core data architecture is Salesforce-native. Activity data, including emails, meetings, and contacts, is written permanently to native Salesforce objects (Task, EmailMessage, Event, Contact) in your own Salesforce instance. Weflow does not create a proprietary data silo or push data into an external database. If you stop using Weflow, all captured data stays in Salesforce.

All data is encrypted at rest and in transit. AI processing uses a zero data retention policy, meaning AI providers do not retain your data, and Weflow does not use your data to train its models.

Weflow is not FedRAMP authorized, so it will not meet the requirements of US federal agencies that mandate FedRAMP.

Weflow's compliance posture covers the following frameworks relevant to procurement and legal review:

  • GDPR compliance with Frankfurt (EU) data residency

  • HIPAA compliance with BAA available

  • CCPA compliance

  • AICPA SOC 2 Type II certification, with third-party penetration testing

For full certificates, test results, and controls, visit trust.getweflow.com.

How does Weflow comply with data localization requirements in different countries?

Weflow addresses data localization requirements through a combination of regional data residency options, compliance certifications, and architectural choices that keep your data in Salesforce rather than a separate vendor database.

European customer data is hosted in Frankfurt (EU), with US data residency also available. If you're a European organization, your data stays in the EU by default. For specific questions about region availability for a particular jurisdiction, contact Weflow directly to confirm coverage for your use case.

Cross-border data transfer mechanisms and the specific cloud infrastructure providers underpinning each region are not publicly documented. If your InfoSec or legal team needs to review transfer safeguards as part of procurement, Weflow's trust center at trust.getweflow.com is the right starting point, and Weflow's team can walk through the specifics during the security review phase.

For healthcare organizations that need HIPAA compliance, Weflow signs Business Associate Agreements (BAAs). The specifics of data handling under BAA terms, including any access restrictions or storage requirements, should be confirmed directly with Weflow during your InfoSec process.

Zero data retention limits the residency exposure from AI processing: AI providers do not retain Weflow data after processing, and Weflow does not use your data to train models. Zero retention addresses what is stored, not where inference takes place, so confirm the AI providers' processing regions with Weflow if your residency requirements cover processing as well as storage. Captured activity and AI-extracted field data are permanently stored in native Salesforce objects, so you own your data and it persists in Salesforce even if you stop using Weflow. Conversation recordings and AI processing run through Weflow's infrastructure with EU and US residency options.

  • GDPR and CCPA compliance with configurable consent flows for call recording, including pre-meeting opt-in/opt-out and in-meeting notification

  • SOC 2 Type II certification (AICPA), with regular third-party penetration testing

  • Data deletion tools available across all plans

  • ISO 27001 certification in progress

If you're in a regulated industry or need to confirm region availability or transfer mechanisms for a specific jurisdiction, contact Weflow directly or visit trust.getweflow.com to access certificates, test results, and security controls.

How does Weflow secure recorded calls, transcripts, and CRM data?

Weflow secures recorded calls, transcripts, and CRM data through multiple layers of encryption, access controls, compliance certifications, and AI data handling policies.

Data is encrypted at rest and in transit. Access is controlled through role-based controls that follow the permissions configured in Salesforce. If a team member cannot see a colleague's deals in Salesforce, they won't see them in Weflow either. Weflow supports SSO / SAML (Okta) for authentication.

Weflow holds SOC 2 Type II certification and is compliant with GDPR, CCPA, and HIPAA. Business Associate Agreements (BAAs) are available for healthcare customers. ISO 27001 certification is in progress. Weflow conducts third-party penetration testing. Certificates, tests, and controls are available at the Weflow trust center at trust.getweflow.com.

For AI processing, Weflow maintains a zero data retention policy: AI providers do not retain Weflow data, and customer data is never used to train models. All customer data is stored in native Salesforce objects, so it lives in your org, not in a separate data silo.

Weflow supports data residency in the EU (Frankfurt) and US. European customers can store data in Frankfurt to support GDPR alignment.

For call recording consent, Weflow provides configurable consent flows across Zoom, Microsoft Teams, and Google Meet. External participants can receive a pre-meeting email to opt in or out before the meeting starts. An in-meeting chat notification is also available. If the notetaker is not admitted from the meeting lobby, it exits automatically after 10 minutes. Consent flows and logs are configurable by admins to meet GDPR, CCPA, and enterprise security requirements.

How is Weflow data access controlled internally (roles, permissions, SSO, MFA)?

Weflow controls data access through role-based controls and an admin console that manages users, teams, and configurations. Access follows the permissions and role hierarchy already defined in Salesforce, so if a team member can't see a colleague's deals in Salesforce, they won't see them in Weflow either.

For authentication, Weflow supports SSO/SAML via Okta, with centralized access managed through Microsoft Entra ID or Google Workspace apps. Both can be restricted to specific organizational units, so access can be scoped to just a sales or CS team. Because sign-in is delegated to the identity provider, multi-factor authentication is enforced by that provider's sign-in policy (Okta, Entra ID, or Google Workspace) rather than configured inside Weflow.

Automated user provisioning is supported. Users can be enrolled dynamically into teams and multiple configurations, including assignment by user profile.

Weflow respects existing Salesforce configuration out of the box, including field-level permissions, validation rules, and role hierarchy. Ask Weflow AI authenticates with the user's Salesforce token and only returns data the user already has access to in Salesforce. The AI cannot surface deals or records a user couldn't access directly in the CRM.
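The pattern described above, where the AI layer calls the CRM with the requesting user's own token so that the CRM's sharing rules decide what is visible, is worth contrasting with the common alternative of a privileged integration user plus application-side filtering. The following is an added example written for this page, not Weflow's code: the role hierarchy, users, opportunities, CrmApi stand-in and both pipeline functions are constructed to illustrate the difference.

```python
"""Added example, not Weflow's code: enforcing CRM visibility in an AI query
layer by calling the CRM with the requesting user's own session token.

Everything here is a constructed stand-in: a toy role hierarchy, a toy
opportunity table and a CrmApi class that plays the part of the CRM's
sharing enforcement. Names, tokens and amounts are invented.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed role hierarchy: each role lists its direct subordinate roles.
ROLE_REPORTS = {
    "vp_sales": ["mgr_emea", "mgr_amer"],
    "mgr_emea": ["rep_emea"],
    "mgr_amer": ["rep_amer"],
    "rep_emea": [],
    "rep_amer": [],
}
USER_ROLE = {"dana": "vp_sales", "mia": "mgr_emea", "raj": "mgr_amer",
             "ana": "rep_emea", "bo": "rep_amer"}


@dataclass(frozen=True)
class Opportunity:
    id: str
    name: str
    owner: str
    amount: int


# Constructed sample data.
OPPORTUNITIES = [
    Opportunity("006A1", "Acme renewal", "ana", 40_000),
    Opportunity("006A2", "Globex expansion", "bo", 125_000),
    Opportunity("006A3", "Initech pilot", "mia", 18_000),
]


def subordinate_roles(role: str) -> set[str]:
    """A role plus every role beneath it in the hierarchy."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_REPORTS[r])
    return seen


class CrmApi:
    """Stand-in for a CRM that enforces record visibility on every query.

    Visibility rule (constructed, mirrors a role-hierarchy sharing model):
    a user sees opportunities owned by anyone at or below their role.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def login(self, username: str) -> str:
        """Issue an opaque session token; a real deployment gets this from SSO."""
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def query_opportunities(self, token: str) -> list[Opportunity]:
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("invalid or expired session token")
        visible = subordinate_roles(USER_ROLE[user])
        return [o for o in OPPORTUNITIES if USER_ROLE[o.owner] in visible]


def pipeline_on_behalf_of(crm: CrmApi, user_token: str) -> list[str]:
    """Safe pattern: query with the user's token, so the CRM rather than the
    AI layer decides what is visible. The prompt assembled for the model can
    only ever contain rows the user could open in the CRM themselves."""
    rows = crm.query_opportunities(user_token)
    return [f"{o.name} ({o.owner}): {o.amount}" for o in rows]


def pipeline_service_account(crm: CrmApi, admin_token: str, claimed_user: str) -> list[str]:
    """Anti-pattern: query with a privileged integration token and filter
    afterwards on an identity the caller merely claims. Authorization is now
    application code keyed on untrusted input, so a caller who claims to be
    the VP receives the VP's view."""
    rows = crm.query_opportunities(admin_token)
    visible = subordinate_roles(USER_ROLE[claimed_user])
    return [f"{o.name} ({o.owner}): {o.amount}" for o in rows if USER_ROLE[o.owner] in visible]


if __name__ == "__main__":
    crm = CrmApi()
    ana_token = crm.login("ana")                      # a rep
    print(pipeline_on_behalf_of(crm, ana_token))      # only ana's own deal
    admin_token = crm.login("dana")                   # integration user with the widest view
    # ana's client lies about who is asking and receives the whole pipeline
    print(pipeline_service_account(crm, admin_token, "dana"))
```

The on-behalf-of pipeline is also what makes prompt injection a contained problem: even if a transcript or email coaxes the model into asking for "every deal in the org", the query runs under the user's session and the CRM returns only what that user is already entitled to see.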

Granular controls extend to specific workflows. You can configure who's allowed to submit or adjust forecasts, assign views and AI templates to specific teams, and set admin controls over contact creation (such as only creating contacts when the associated account already exists in Salesforce).

  • Forecast submission and adjustment permissions are configurable per user or team

  • Views and AI templates can be assigned to specific teams

  • Admin controls govern contact creation behavior

  • Ask Weflow AI only returns data the user already has access to in Salesforce

All of this is managed from a self-service admin console, backed by SOC 2 Type II certification. Weflow is also HIPAA, GDPR, and CCPA compliant, with zero data retention by AI providers.

How does Weflow ensure data segregation between different customer tenants?

Weflow's primary data segregation mechanism is architectural. Captured activity data is stored permanently in your own Salesforce instance as native objects (Task, Event, EmailMessage), not in a shared Weflow database. Each tenant's data lives inside their own Salesforce org, so isolation is inherited from Salesforce's own multi-tenant security model.

Weflow respects your existing Salesforce permissions, role hierarchy, field-level security, and validation rules out of the box. If a user can't see a record in Salesforce, they can't see it in Weflow either. This extends to Weflow AI features, where users only access recordings and data their Salesforce permissions allow.

Weflow's admin console enforces role-based controls, and the platform follows the principle of minimum necessary access within its product layer. All data is encrypted at rest and in transit. For specific protocol and cipher details, you can request Weflow's security documentation directly from the security team.

For AI processing, Weflow operates a zero data retention policy: AI providers do not retain your data, and Weflow does not use customer data to train its models. Weflow integrates with AI providers including Anthropic (Claude) and OpenAI under these terms.

These controls and security are validated through the following:

  • SOC 2 Type II certification (AICPA)

  • Regular penetration testing by a third-party auditor

  • HIPAA, GDPR, and CCPA compliance

You can review Weflow's certificates, tests, and controls at trust.getweflow.com, or request the full security package directly from the security team.

How does Weflow handle consent for recording sales calls in different regions?

Weflow handles consent for call recording through a three-step consent flow designed to satisfy GDPR, CCPA, and enterprise security review requirements. The flow covers pre-meeting email notification, an in-meeting chat notification, and a lobby grace period where the notetaker waits to be admitted before the call begins.

For pre-meeting consent, external participants receive an email before the meeting starts, giving them the option to opt in or opt out of recording. If a participant opts out before the meeting, the notetaker will not record their session. The email notification step applies to both opt-in and opt-out flows.

For in-meeting consent, participants receive a chat notification during the call as an additional mechanism to signal their recording preference. This is part of the standard consent flow and is not specific to any single conferencing platform.

For the lobby grace period, the Weflow notetaker attempts to join the call approximately one minute before it starts. If the host does not admit the notetaker, it will exit the lobby automatically after 10 minutes. This applies as general behavior across supported platforms including Zoom, Microsoft Teams, and Google Meet.

Weflow maintains consent flows and logs for GDPR and CCPA compliance purposes. These logs are part of the platform's compliance infrastructure, which includes:

  • Weflow is SOC 2 Type II certified

  • Weflow is GDPR compliant

  • Weflow is CCPA compliant

  • Data storage is available in Frankfurt for European organizations

One important caveat: Weflow's documentation states that compliance with local privacy laws is your responsibility, not Weflow's. You should work with your legal team to determine which consent configuration fits the jurisdictions you operate in and whether the pre-meeting opt-in or opt-out flow is appropriate for your region.

Does Weflow provide a trust center or security portal with compliance documentation?

Yes. Weflow maintains a dedicated Trust Center at trust.getweflow.com where you can access compliance documentation, certifications, audit reports, and details on security controls. It's built for both prospects running security due diligence and existing customers who need ongoing access to compliance records.

The Trust Center covers the certifications and frameworks Weflow holds today:

  • SOC 2 Type II certified (AICPA)

  • GDPR and CCPA compliance

  • HIPAA compliance, with Business Associate Agreements available for healthcare organizations

  • Zero Data Retention policy for AI processing

The portal also documents Weflow's operational security practices. These include data encryption at rest and in transit, regular third-party penetration testing, role-based controls in the admin console, and SSO/SAML support via Okta.

Weflow maintains a zero data retention policy for AI processing and does not use your data to train its models. Data is stored in native Salesforce objects, not in a separate data silo or external data lake. Data residency is available in the EU (Frankfurt) and US.

If you need anything not covered in the Trust Center, reach out to [email protected].

How long does Weflow retain conversation recordings and transcripts?

Weflow's conversation data retention works differently depending on where the data lives. The most important thing to understand: all conversation data syncs directly into your Salesforce instance, where it persists permanently regardless of your Weflow contract status.

Specifically, AI summaries are written to the Event object's Description field, and full transcripts are stored in a custom Salesforce object called Weflow Video Recording, installed via the managed package. Because this data lives in native Salesforce objects, it stays in your org even if you stop using Weflow. There is no data lock-in.

Weflow enforces a Zero Data Retention policy for AI processing. AI providers do not retain your data, and customer data is never used to train models. For compliance-sensitive teams, Weflow is SOC 2 Type II certified and HIPAA compliant, with a BAA available. Data residency options include the US and Frankfurt (EU). If your org has specific data deletion requirements, Weflow provides data deletion tools to support those workflows.

For teams evaluating Weflow against tools like Gong, the data architecture distinction matters: Gong stores recordings and transcripts in its own cloud (the Revenue Graph), meaning access to that data depends on maintaining your subscription. Weflow writes everything to native Salesforce objects, so your conversation history belongs to your org from day one.

If you have specific retention or compliance requirements, contact Weflow directly to discuss your org's configuration and what data deletion tools are available.

Does Weflow share customer data with any third parties or sub-processors?

Weflow shares customer data with a defined set of sub-processors and infrastructure providers, all governed by strict data protection standards. On the AI side, Weflow operates under a Zero Data Retention policy: AI providers do not store or retain your data after processing, and customer data is never used to train models.

Weflow integrates with AI providers including Anthropic (Claude) and OpenAI, and data can also be queried via Ask Weflow AI or through external tools like ChatGPT and Gemini. No customer data is permanently stored outside your Salesforce instance. Captured activity, conversation, and deal data is written directly to native Salesforce objects and persists there, not in an external data lake or separate database.

For data residency, Weflow offers hosting in two regions: EU (Frankfurt) and US. All sub-processor relationships are governed by formal data protection agreements aligned with applicable privacy regulations.

Weflow holds AICPA SOC 2 Type II certification and is GDPR and CCPA compliant. Weflow is also HIPAA compliant, with signed Business Associate Agreements available for healthcare customers. Data is encrypted at rest and in transit, and internal access is governed by role-based controls.

For a complete, current list of sub-processors and security documentation, visit Weflow's trust center at trust.getweflow.com, where certificates, tests, and controls are available. You can also contact your account team directly for DPA-related questions.

Can Weflow meet our enterprise security questionnaire requirements?

Yes. Weflow is built to pass enterprise security reviews. Most questionnaires map to categories where Weflow already holds certifications or has documented controls in place.

Weflow's current certifications and compliance standing: SOC 2 Type II certified (AICPA), HIPAA compliant with signed BAAs available, GDPR compliant, and CCPA compliant. ISO 27001 certification is in progress. All certifications, audit reports, and policy artifacts are available at the Weflow Trust Center.

Here's what maps to the most common questionnaire categories:

  • Encryption: Data is encrypted at rest and in transit.

  • Access controls: Role-based controls, SSO via SAML (Okta), and automated user provisioning. Weflow inherits your existing Salesforce permission sets and role hierarchy, so users only see data they already have access to in Salesforce.

  • AI data handling: Zero data retention by AI providers. Customer data is never used to train models.

  • Vulnerability management: Third-party penetration testing is conducted regularly.

  • Data residency: Data residency options in Frankfurt (EU) and the US. European customers can use Frankfurt-based infrastructure. Weflow is GDPR and CCPA compliant.

For detailed documentation, audit reports, and policy artifacts, visit the Weflow Trust Center.

How does Weflow handle data retention, deletion, and portability if you terminate the contract?

When you terminate a Weflow contract, your data stays in Salesforce. All activity data Weflow captures is written to native Salesforce objects: EmailMessage, Task, Event, and Contact. That data persists in your Salesforce instance permanently after cancellation. You own it, you control it, and you can continue to report on it and use it in Salesforce reports, dashboards, Flows, and automations from day one.

Unlike providers that keep captured data in their own external cloud or database, Weflow writes activity data directly to native Salesforce objects so it lives in your CRM and avoids vendor lock-in.

AI summaries persist in Salesforce Event Description fields, field updates remain in the Salesforce fields where they were pushed, and transcripts are stored in the Weflow Video Recording custom object installed via managed package.

The Weflow managed package adds 1 custom object and 3 custom fields to your Salesforce instance, and conversation data flows to the Weflow Video Recording object. All of this lives inside your Salesforce org.

One exception applies to meeting recordings hosted on Weflow. Recordings are available for the duration of your active contract. Once your contract ends, recordings hosted on Weflow are no longer accessible through the platform, though any transcripts and AI summaries already synced to Salesforce remain intact in your org.

Weflow is GDPR and CCPA compliant and provides data deletion tools. You can contact [email protected] for assistance with data deletion requests. Weflow maintains a zero data retention policy for AI processing, meaning no AI provider retains your data, and Weflow does not use your data to train its models.

What documentation does Weflow provide that my IT/security team will want to see?

Start with the Weflow Trust Center, which serves as the central hub for all security and compliance documentation your IT team will need during vendor review. Certificates, test reports, and controls are all accessible there.

Weflow holds SOC 2 Type II certification, along with HIPAA compliance. Weflow signs Business Associate Agreements (BAAs) with healthcare customers. GDPR and CCPA compliance documentation is also available. ISO 27001 certification is currently in progress.

Your security team can request documentation covering these areas:

  • Third-party penetration testing reports

  • Data encryption at rest and in transit

  • Role-based controls in the admin console, with access governed by existing Salesforce permissions and role hierarchy

  • AI data handling policy: zero data retention by AI providers, and no customer data is used for model training

  • Data deletion tools and automated user provisioning

  • SSO / SAML support (Okta)

On the AI side, Weflow's policy is explicit: AI providers retain zero customer data, and customer data is never used to train models. Ask Weflow AI also respects Salesforce permissions at the user level, so the AI only surfaces data a given user already has access to in Salesforce.

For specific documentation requests or custom security questionnaires, reach out via [email protected] or visit the Trust Center directly at trust.getweflow.com.

What's the best way to get my InfoSec team comfortable with Weflow?

Start with the Weflow Trust Center, which contains current certifications, audit reports, and security documentation your InfoSec team can review without waiting on anyone.

Weflow holds SOC 2 Type II certification and is HIPAA compliant with BAAs available. Weflow is also GDPR and CCPA compliant. ISO 27001 certification is currently in progress. For HIPAA BAAs and compliance documentation, refer to the Trust Center or contact Weflow support.

On the technical controls side, your InfoSec team will want to know these specifics:

  • Data encryption in transit and at rest

  • Role-based controls via the admin console

  • SSO/SAML (Okta supported) available for all users

  • Third-party penetration testing

  • Data residency available in Frankfurt (EU) and US

For AI-specific concerns: Weflow maintains a zero data retention policy for AI processing, and your data is never used to train models. All captured activity data is stored in native Salesforce objects, not in a proprietary silo. Weflow's AI also respects Salesforce permissions, so users can only query data they already have access to in Salesforce.

For security questionnaires, BAA requests, or compliance documentation, visit the Trust Center at trust.getweflow.com or reach out to Weflow support at [email protected].
