Security & Data Protection
Last updated: March 2026
Total View AI — operated by Human in the Loop Limited (trading as HITL Ltd)
A company incorporated in the Isle of Man
Classification: Public — Client-Facing
1. Introduction
TotalView is an AI-powered call quality assurance platform built for organisations that handle sensitive customer conversations. We analyse call recordings using artificial intelligence to score agent performance, identify compliance risks, and drive coaching outcomes.
We understand that entrusting call recordings to any platform demands rigorous data protection. This document explains exactly how TotalView secures your data, where it is stored, which partners process it, and why we selected each one.
2. How Your Data Flows Through TotalView
Understanding the journey of a call recording through our platform is the foundation of understanding our security posture.
Data flow diagram: Step 1 Upload Call (Web / SFTP) → Step 2 AWS S3, London (eu-west-2) → Step 3 Transcription, EU (Dublin) → Step 4 Quality Checks (Transcript + Rules) → Step 5 AI Analysis, Bedrock UK (eu-west-2) → Step 6 Results & Dashboard (HTTPS + RBAC)
Upload — Call recordings are uploaded via the web interface (HTTPS) or SFTP. Files are written directly to AWS S3 in the London (eu-west-2) region.
Queuing — An analysis job is placed on a message queue in London. No call data is stored in the queue — only a reference ID.
Transcription — The audio is sent to our transcription partner (processing in the EU) for speech-to-text conversion with speaker diarisation.
AI Analysis — The transcript is evaluated against your custom quality checks by Anthropic Claude, running on AWS Bedrock in the London (eu-west-2) region. Your call data never leaves the UK for AI processing.
Storage — Results are written to our PostgreSQL database, hosted in the London region. The original recording remains in S3.
Access — Authorised users view results through the TotalView dashboard, served over HTTPS with role-based access controls.
At every stage, data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
3. Data Residency & Sovereignty
All persistent data — call recordings, transcripts, analysis results, and user data — is stored within the United Kingdom.
| Data Type | Storage Location | Region |
|---|---|---|
| Call recordings (audio files) | AWS S3 | eu-west-2 (London, UK) |
| Transcripts & analysis results | PostgreSQL (SOC 2 + ISO 27001 certified) | eu-west-2 (London, UK) |
| Background job processing | AWS Lambda + SQS | eu-west-2 (London, UK) |
| AI model inference | AWS Bedrock (Claude) | eu-west-2 (London, UK) |
| Session & cache data | Managed Redis (EU-hosted) | EU region |
| SFTP file ingestion | AWS Transfer Family | eu-west-2 (London, UK) |
AI processing — TotalView uses Anthropic's Claude large language model exclusively via AWS Bedrock in the eu-west-2 (London) region. This ensures your call data is processed within the UK and never transmitted to US-based API endpoints for AI analysis.
Transcription — Our transcription partner, AssemblyAI, processes audio in Dublin, Ireland — within the UK GDPR adequacy zone. Audio data is processed in real-time and is not retained after transcription is complete.
Web application — The TotalView web application is served via a global edge network for performance. The edge layer serves application code only — no sensitive data (recordings, transcripts, or analysis results) is stored at the edge. All sensitive data is fetched at request time from our UK-based database and storage.
4. Infrastructure & Hosting Partners
4.1 Amazon Web Services (AWS) — Primary Infrastructure
Role: File storage, job queuing, background processing, AI inference, email delivery, SFTP ingestion
Region: eu-west-2 (London, United Kingdom)
Why AWS:
- The most comprehensively certified cloud provider globally, with 140+ compliance programmes
- UK-specific certifications: UK Cyber Essentials Plus, UK G-Cloud, NHS Data Security and Protection Toolkit (DSPT)
- Full suite of services in the London region, eliminating the need for cross-border data transfer
- AWS Bedrock enables UK-resident AI processing — a capability not available from most AI providers directly
Key certifications: SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 42001 (AI Management), PCI DSS, HITRUST CSF, UK Cyber Essentials Plus, UK G-Cloud, NHS DSPT
Encryption: AES-256 at rest via AWS KMS (customer-managed keys available). TLS 1.2+ in transit across all services.
DPA: Included in AWS Service Terms with Standard Contractual Clauses.
4.2 Database Provider — PostgreSQL
Role: All application data (user accounts, organisations, call metadata, transcripts, analysis results)
Region: eu-west-2 (London, United Kingdom)
Key certifications: SOC 2 Type II, SOC 3, ISO 27001, ISO 27701, HIPAA
Encryption: AES-256 on storage volumes via AWS KMS with key rotation. Mandatory SSL/TLS on all database connections (TLS 1.2/1.3).
Additional security: IP allowlisting, private networking, VPC isolation, bi-annual penetration testing.
4.3 Web Application Hosting
Role: Hosting and serving the TotalView web application (frontend and API routes)
Key certifications: SOC 2 Type II, ISO 27001, PCI DSS v4.0
Security features: Automatic HTTPS, DDoS protection, edge caching, instant rollback capability. No sensitive data is stored on this platform.
4.4 Anthropic (via AWS Bedrock) — AI Analysis
Role: Large language model (Claude) for call quality analysis and scoring
Data handling:
- All inference requests are processed via AWS Bedrock in eu-west-2 (London)
- Call transcripts are submitted for analysis and results returned in real-time
- No data is retained by Anthropic or AWS Bedrock after inference completes
- Your data is never used to train, improve, or fine-tune AI models
Key certifications: SOC 2 Type II
GDPR: Anthropic Ireland, Limited acts as the data controller for EU/UK operations. Standard Contractual Clauses are in place for any international data transfers.
4.5 AssemblyAI — Speech-to-Text Transcription
Role: Transcription service — converts call audio to text with speaker diarisation
Processing region: Dublin, Ireland (EU)
Key certifications: SOC 2 Type II, PCI DSS Level 1
Encryption: AES-256 at rest, TLS 1.3 in transit.
Data handling: Audio is processed in real-time. AssemblyAI does not retain audio files or transcripts after processing is complete. DPA available with DPIAs and TIAs documented.
4.6 Caching Layer
Role: Managed Redis caching for session validation, rate limiting, and performance optimisation
Data stored: Ephemeral, non-sensitive data only — session validation hashes (not tokens), rate limit counters, and temporary processing state. All data has automatic expiry and is non-recoverable by design. No call recordings, transcripts, or PII are stored in the cache layer.
4.7 Transactional Email
Role: Sending transactional emails (magic link authentication, invitation emails, notifications)
Key certifications: SOC 2 Type II. TLS 1.3+ encryption in transit, all stored data encrypted at rest. Used for authentication emails only; no call data is transmitted via email.
5. Authentication & Access Control
5.1 Passwordless Authentication
TotalView uses passwordless magic-link authentication. Users receive a secure, time-limited link via email to sign in. This eliminates the risks associated with password storage:
- No password database to breach
- No credential stuffing or brute-force attacks possible
- No password reuse vulnerabilities
How magic links work:
- User enters their email address
- A cryptographically random token is generated
- The token is cryptographically signed to prevent forgery
- A time-limited link is emailed to the user (expires after 30 minutes)
- On click, the signature is verified and a secure session is created
- The magic link token is invalidated immediately after use
5.2 Session Security
- Session tokens are generated using cryptographic randomness
- Tokens are never stored in plaintext — only cryptographic hashes are persisted in the database
- Sessions are database-backed, enabling server-side revocation at any time
- Each session records the IP address and user agent for anomaly detection
- Sessions expire after 30 days with automatic extension when actively used
- Session cookies are set with the `httpOnly`, `secure`, and `sameSite` flags
5.3 Rate Limiting & Enumeration Prevention
All authentication endpoints are protected by rate limiting per-email and per-IP address. Authentication endpoints return identical success responses regardless of whether an email exists in the system, preventing account enumeration.
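The two controls in this section, as an added example that is not TotalView's own code: a sliding-window limiter keyed on both the normalised email and the client IP, in front of a sign-in endpoint that answers identically whether or not the address is registered. The window and limits (15 minutes, 5 per email, 20 per IP), the user directory and the outbound mail queue are constructed assumptions.

```javascript
// Added example, not TotalView's own code. Assumed values: 15-minute window,
// 5 requests per email, 20 per IP; the directory and mail queue are constructed.
const WINDOW_MS = 15 * 60 * 1000;
const LIMIT_PER_EMAIL = 5;
const LIMIT_PER_IP = 20;

const hitLog = new Map(); // key -> timestamps inside the window (Redis counters in production)

// Records a hit if the key is still under its limit and reports whether it was allowed.
function allowHit(key, limit, now) {
  const recent = (hitLog.get(key) || []).filter((t) => now - t < WINDOW_MS);
  const allowed = recent.length < limit;
  if (allowed) recent.push(now);
  hitLog.set(key, recent);
  return allowed;
}

const registeredEmails = new Set(['known@example.invalid']); // constructed directory
const mailQueue = [];                                          // constructed stand-in for the email job queue

// The same status and body go back whether or not the address is registered. The
// email is queued rather than sent inline so the response time does not differ either.
const GENERIC_OK = { status: 200, body: 'If an account exists for that address, a sign-in link has been sent.' };
const THROTTLED = { status: 429, body: 'Too many sign-in requests. Please try again later.' };

function requestSignInLink(email, ip, now = Date.now()) {
  const normalised = String(email).trim().toLowerCase();
  // Both limiters run before the directory lookup, so throttling cannot reveal
  // whether an address exists: unknown addresses are counted exactly like known ones.
  const ipOk = allowHit(`ip:${ip}`, LIMIT_PER_IP, now);
  const emailOk = allowHit(`email:${normalised}`, LIMIT_PER_EMAIL, now);
  if (!ipOk || !emailOk) return THROTTLED;
  if (registeredEmails.has(normalised)) mailQueue.push({ to: normalised, queuedAt: now });
  return GENERIC_OK;
}
```

Normalising the address before keying the limiter stops trivial case or whitespace variations from resetting the per-email budget, and the per-IP limit caps how many distinct addresses one client can probe inside a window.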
5.4 Role-Based Access Control (RBAC)
TotalView implements a role hierarchy with a permission engine covering 36 discrete permissions across 9 domains.
| Role | Access Scope | Key Capabilities |
|---|---|---|
| Owner | Full organisation | User management, billing, settings, data export/deletion |
| Senior Manager | Full organisation | Manage users, escalations, campaign settings, teams |
| Compliance Officer | All campaigns (read) | View all campaigns and calls for compliance oversight |
| Manager | Assigned campaigns | Upload calls, review results, coaching bundles |
| Agent | Own calls only | View own calls, respond to coaching, personal scorecards |
| Client | Read-only | Reporting access only |
Managers and Agents are explicitly assigned to specific campaigns. They cannot see calls, results, or data from campaigns they are not assigned to — even within their own organisation.
6. Data Security
6.1 Encryption
| Layer | Standard | Details |
|---|---|---|
| Data in transit | TLS 1.2+ | All connections encrypted. HTTPS enforced on all endpoints. |
| Data at rest — files | AES-256 (AWS SSE-KMS) | Call recordings encrypted with AWS KMS. Customer-managed keys available. |
| Data at rest — database | AES-256 | All database storage encrypted via AWS KMS with automatic key rotation. |
| Session tokens | Cryptographic hashing | Tokens hashed before storage. Plaintext exists only in browser cookie. |
| Magic link tokens | Cryptographic signing | Signed to prevent forgery. Single-use and time-limited. |
6.2 Multi-Tenant Data Isolation
TotalView serves multiple organisations on shared infrastructure. Data isolation is enforced at four independent layers — a defence-in-depth approach where each layer operates as a standalone security boundary.
Layer 1: PostgreSQL Row-Level Security
13 tables are protected by RLS policies, and RLS is forced so that the policies apply to every database role. Queries without a valid organisation context return zero rows: a fail-closed design.
Layer 2: Application-Level Organisation Context
Every request validates user session, confirms organisation membership, and establishes database security context before any data is accessed.
Layer 3: Campaign-Level Access Control
36 discrete permissions across 9 domains. Managers and Agents require explicit assignment to campaigns.
Layer 4: File Storage Isolation
S3 objects keyed by organisation. File access validated before generating time-limited pre-signed URLs. No direct S3 access exposed.
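Layers 2 to 4 above, as an added example that is not TotalView's own code: the authorisation gate that runs before any pre-signed URL is generated, written in Node.js. The membership directory, the organisation-prefixed object keys, the 300-second URL lifetime and the rule that the Client role cannot download recordings are constructed assumptions; the roles and their scopes follow the RBAC table in section 5.4.

```javascript
// Added example, not TotalView's own code. Constructed data; the URL lifetime and the
// Client-role rule are assumptions. Roles and scopes follow the RBAC table above.
const ORG_WIDE_ROLES = new Set(['Owner', 'Senior Manager', 'Compliance Officer']);
const CAMPAIGN_SCOPED_ROLES = new Set(['Manager', 'Agent']);
const URL_TTL_SECONDS = 300; // assumed lifetime of the pre-signed URL

// Constructed membership directory, standing in for the database.
const members = new Map([
  ['user-owner',  { orgId: 'org-a', role: 'Owner' }],
  ['user-mgr',    { orgId: 'org-a', role: 'Manager', campaigns: new Set(['camp-1']) }],
  ['user-agent',  { orgId: 'org-a', role: 'Agent',   campaigns: new Set(['camp-1']) }],
  ['user-client', { orgId: 'org-a', role: 'Client' }],
  ['user-b',      { orgId: 'org-b', role: 'Owner' }],
]);
// Constructed S3 object index. Every key is prefixed with the owning organisation (Layer 4).
const recordings = new Map([
  ['org-a/camp-1/call-001.wav', { orgId: 'org-a', campaignId: 'camp-1', agentId: 'user-agent' }],
  ['org-a/camp-1/call-004.wav', { orgId: 'org-a', campaignId: 'camp-1', agentId: 'user-other' }],
  ['org-a/camp-2/call-002.wav', { orgId: 'org-a', campaignId: 'camp-2', agentId: 'user-other' }],
  ['org-b/camp-9/call-003.wav', { orgId: 'org-b', campaignId: 'camp-9', agentId: 'user-x' }],
]);

const deny = (reason) => ({ ok: false, reason });

// session: { userId, orgId }, as established by Layer 2 from a validated cookie.
function authoriseRecordingDownload(session, requestedKey) {
  // Layer 2: no organisation context means nothing is returned (fail closed).
  if (!session || !session.orgId) return deny('no-org-context');
  const member = members.get(session.userId);
  if (!member || member.orgId !== session.orgId) return deny('not-a-member');

  // Layer 4: the key must sit under this organisation's prefix, with no path tricks.
  const prefix = `${session.orgId}/`;
  if (typeof requestedKey !== 'string' || requestedKey.includes('..') ||
      requestedKey.includes('//') || !requestedKey.startsWith(prefix)) {
    return deny('outside-org-prefix');
  }
  const rec = recordings.get(requestedKey);
  // The ownership check guards against a stale key whose recorded owner differs.
  if (!rec || rec.orgId !== session.orgId) return deny('not-found');

  // Layer 3: campaign-scoped roles need an explicit assignment; Agents see only their own calls.
  if (CAMPAIGN_SCOPED_ROLES.has(member.role)) {
    if (!member.campaigns || !member.campaigns.has(rec.campaignId)) return deny('campaign-not-assigned');
    if (member.role === 'Agent' && rec.agentId !== session.userId) return deny('not-own-call');
  } else if (!ORG_WIDE_ROLES.has(member.role)) {
    return deny('role-cannot-download'); // Client: reporting access only (assumed to exclude downloads)
  }

  // Only an approved key reaches the presigner (for example getSignedUrl from
  // @aws-sdk/s3-request-presigner with { expiresIn: URL_TTL_SECONDS }); the bucket
  // itself is never exposed to the browser.
  return { ok: true, key: requestedKey, expiresIn: URL_TTL_SECONDS };
}
```

Each layer denies independently: a request that passes the membership check still fails on a key outside the organisation prefix, and a key inside the prefix still fails for a Manager who is not assigned to that campaign.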
6.3 Input Validation & Secrets Management
- All user inputs validated against strict schemas at runtime
- Database queries use parameterised queries exclusively, eliminating SQL injection
- CSRF protection via cookie security attributes
- No secrets stored in source code or version control
- Production secrets stored in encrypted environment variable stores
- API keys and tokens rotated periodically
7. GDPR & Data Protection Compliance
TotalView is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
7.1 Data Subject Rights
| Right | Implementation |
|---|---|
| Right to access | Owners and Senior Managers can export all organisation data via Data Privacy settings |
| Right to erasure | Full organisation data deletion available, permanently removing all recordings, transcripts, results, and user data |
| Right to data portability | Complete data export in a standard format |
| Right to rectification | User profile data can be updated at any time |
7.2 Data Minimisation
- Passwordless authentication means we do not store passwords
- Only essential user data is collected (email, name, role)
- Call recordings are processed and stored only for the purposes agreed with the client
- Cache data is ephemeral with automatic expiry
7.3 Data Processing Agreements
DPAs are in place or available from all vendors who process personal data on our behalf:
| Vendor | DPA Status | Subprocessor List |
|---|---|---|
| AWS | Included in Service Terms (with SCCs) | Published |
| Database provider | Available | Published |
| Web hosting provider | Data Processing Addendum available | Published |
| AssemblyAI | Available (DPIAs and TIAs documented) | Published |
| Email provider | Available | Published |
| Caching provider | Available | — |
7.4 International Data Transfers
Where data is processed outside the UK, Standard Contractual Clauses (SCCs) and/or adequacy decisions are relied upon. All sensitive data — call recordings, transcripts, and analysis results — remains within the UK (eu-west-2) or the EU (Dublin, within the adequacy zone).
8. Application Security Practices
Development
- Strict type safety with compile-time checking
- Automated linting and code quality
- Dependency auditing for known vulnerabilities
- Code review before deployment
Audit Logging
- Who performed the action
- What action was taken
- Which entity was affected
- Immutable timestamps
Deployment
- Immutable, versioned deployments
- Instant rollback capability
- Full environment isolation
- Automated build pipeline
Infrastructure
- Serverless: no long-lived servers, so no persistent attack surface to harden or patch
- No SSH access to any servers
- Network isolation with SSL/TLS
- Dead letter queues for resilience
9. Business Continuity & Disaster Recovery
| System | Backup Strategy | Recovery |
|---|---|---|
| Database | Continuous write-ahead log archiving | Point-in-time recovery |
| File storage (S3) | 99.999999999% (11 nines) durability | Versioning for accidental deletion |
| Application | Every deployment preserved as snapshot | Instant rollback |
| Job queue | Messages retained up to 14 days | Dead letter queue captures failures |
Monitoring: Application-level error tracking with real-time alerting, infrastructure monitoring via AWS CloudWatch, failed analysis jobs captured with automatic alerting, and database performance monitoring via built-in observability tooling.
10. Vendor Certification Summary
| Vendor | Role | SOC 2 | ISO 27001 | GDPR | UK Data | DPA |
|---|---|---|---|---|---|---|
| AWS | Storage, compute, AI | Type II | Yes | Yes | eu-west-2 | Yes |
| Database | PostgreSQL | Type II | Yes | Yes | eu-west-2 | Yes |
| Web host | App hosting | Type II | Yes | Yes | Edge | Yes |
| Anthropic | AI (via Bedrock) | Type II | — | Yes | eu-west-2 | Yes |
| AssemblyAI | Transcription | Type II | — | Yes | Dublin | Yes |
| Email provider | Transactional email | Type II | — | Yes | — | Yes |
| Cache | Redis | Available | — | — | EU | Available |
Full vendor details, including trust page links and subprocessor lists, are available on request.
11. SFTP Ingestion Security
For organisations that ingest call recordings via SFTP rather than the web interface:
- SFTP is provided via AWS Transfer Family, running in eu-west-2 (London)
- Connections authenticated via username/password or SSH key pairs
- Files transferred directly into AWS S3 — they never pass through the web application
- SFTP protocol only (not FTP or FTPS) for maximum security
- File processing is isolated — a failure in one file does not affect others in the same batch
- Batch processing includes metadata extraction, format validation, and automatic analysis queuing
12. What We Do Not Do
Transparency about what we do not do is as important as explaining what we do:
We do not sell your data.
Your call recordings, transcripts, and analysis results belong to you.
We do not use your data to train AI models.
Your data is never used to improve, fine-tune, or train any language model or transcription model. This is contractually guaranteed by our AI partners.
We do not store passwords.
Our passwordless authentication means there is no password database to breach.
We do not retain data after you delete it.
When you exercise your right to erasure, all data is permanently deleted.
We do not send sensitive data via email.
Authentication emails contain only time-limited magic links. No call data is ever sent via email.
We do not access your data without authorisation.
TotalView employees access client data only when required for support purposes, and only with explicit permission.
13. Certifications & Compliance Roadmap
TotalView is actively pursuing industry-recognised security certifications:
- UK Cyber Essentials — in progress
- ISO 27001 — planned
- ICO Registration — in progress
Today, TotalView's security posture is underpinned by the certifications held by every vendor in our infrastructure — including SOC 2 Type II, ISO 27001, ISO 27701, and UK-specific certifications such as Cyber Essentials Plus, G-Cloud, and NHS DSPT held by AWS.
14. Contact
For security-related enquiries, to request our Data Processing Agreement, or to report a security concern:
Email: security@total-view.co.uk
Website: total-view.co.uk
This document is reviewed and updated quarterly. The information contained herein is accurate as of the date shown at the top of this document.