Certifications and reports
Retell maintains the following certifications and attestations:
- HIPAA — compliant for handling protected health information (PHI). A signed BAA is required before transmitting PHI through Retell.
- SOC 2 Type 1 and Type 2 — independently audited controls for security, availability, and confidentiality.
- GDPR — compliant via AWS infrastructure with a GDPR-compliant Data Processing Addendum.
Sign a BAA, DPA, or SCCs
Retell’s Business Associate Agreement (BAA) and Data Processing Addendum (DPA, including EU Standard Contractual Clauses) are available for self-signing at click-agreements.retellai.com.
- BAA — required for HIPAA-covered workloads before sending PHI through Retell.
- DPA / SCCs — required for processing personal data of EU/UK residents under GDPR.
- Data Retention Policy — set per-agent retention from 1 day up to 2 years for transcripts, recordings, and logs.
- Privacy and PII controls — choose what data is stored per agent (everything, exclude PII, or basic attributes only).
- Signed and secure recording URLs — restrict access to call recordings.

