The Most Secure AI Voice Agents for Australia and New Zealand Businesses
Sydney-hosted portal. Every AU and NZ Waboom number is automatically configured to route through the Sydney telco edge. Inbound calls touch Sydney before voice processing begins. Customer data wipes in under 10 minutes. Every agent ships with jailbreak protection on by default. Built for Australian and New Zealand privacy law from the first call.

TL;DR
Waboom AI is the most secure voice AI for Australian and New Zealand businesses. Your portal, transcripts, and audit logs live on our Sydney servers. Customer data wipes on request in under 10 minutes. Every agent ships with jailbreak protection on by default. Inbound calls open with a recording disclosure by default, with outbound configurable per campaign to meet AU and NZ privacy law from Auckland to Perth.
What makes Waboom AI the most secure voice AI for AU and NZ?
Four things separate a voice AI you can defend in front of a board from one that costs you sleep. Waboom AI nails all four.
1. Where your data lives
Your portal, transcripts, structured call data, and audit logs sit on our Sydney servers. Every AU and NZ Waboom phone number is automatically configured to route through the Sydney telco edge on purchase. The inbound call touches Sydney before voice processing begins. The voice runtime runs on a SOC 2 Type II audited platform we built Waboom AI on top of, inheriting the same enterprise-grade controls used by financial services, healthcare, and government clients worldwide. Sub-second response on the call. Encrypted on every connection and at rest.
2. How fast it gets deleted
If you want to delete a customer's data on request, a single action in the portal completes the wipe across every layer in under 10 minutes. Audit-logged. Permanent. By default, we hold data for 30 days, configurable from one day up to two years if you need to keep it longer. Zero-retention setup for non-negotiable privacy is available for buyers who need it.
3. Who can hijack the agent
No one. Every Waboom AI agent ships with jailbreak protection on by default. Prompt injection attempts get blocked mid-call before the agent responds. Roughly 50 milliseconds of latency per turn. The caller doesn't notice.
4. What you get in writing
When your procurement team needs a written agreement, we draft one with you before contract. Health, finance, and government clients can ask us to walk through the residency map in plain English. Everyone gets a privacy policy that names exactly what we collect and where it sits.
The proof. We ran a 90-day campaign with an Auckland apartment agency through one Waboom AI agent. 1,997 conversations through to 141 warm-transferred vendor leads at AUD 32.74 each. Every call scrutinised by the client's compliance team before the contract started. The same four answers your compliance officer will need, already baked into the product.
What protections does every Waboom AI account get by default?
Every account ships with the same security floor. No bolt-ons, no premium tier for compliance basics. The list:
- Portal, transcripts, structured call data, and audit logs on Sydney servers
- Encrypted on every connection and at rest
- Recording disclosure on inbound by default, configurable per outbound campaign, with on-request confirmation if a caller asks
- Jailbreak protection on by default
- Default 30-day call data retention (configurable 1 to 730 days)
- PII redaction across names, contact details, dates of birth, government IDs, financial data, and credentials, available on any agent
- 9-category content filter available on any agent
- Signed temporary URLs on recordings (default 24-hour expiry)
- Automatic detection of 24 do-not-call phrases on every conversation
- CSV uploader checks every new contact list against your existing DNC list at upload time
- Agents trained to answer source-of-data questions live during the call
- AU and NZ regulatory verification before unverified accounts can exceed 25 calls per day
- NZD 1,000,000 business insurance covering professional indemnity, cyber liability, and public liability. Certificate of currency on request.
PII redaction on transcripts and recordings
PII redaction works on call transcripts and on the recording itself. It catches names, contact details (addresses, emails, phone numbers), dates of birth, government identifiers (passport, driver's licence, IRD/SSN-style numbers), financial information (credit card, bank account), and credentials (passwords, PINs). The sensitive moment in the recording gets a placeholder beep. The sensitive text in the transcript gets a placeholder token. Admin users can re-reveal originals for audit; standard users can't.
Per-agent toggle. Per-category checkboxes. Your compliance team can lock the agent to "Everything except PII" or "Basic Attributes Only" storage tiers, which minimises PII storage from the start.
Recording disclosure on every call
On inbound calls, our agents open with a recording disclosure by default. The line: "This call may be recorded for quality and training purposes." On outbound campaigns, the same disclosure runs when your jurisdiction or your policy needs it; either way, every agent is prompted to confirm recording on the spot if a caller asks. Either configuration covers your collection-notice obligation in Australia and New Zealand.
Full state-by-state coverage at AU and NZ AI voice recording consent.
Signed temporary recording URLs
Default 24-hour expiry. Configurable from one to 168 hours. Prevents replay attacks via shared links. If someone forwards your recording URL after the expiry window, it's just a 404.
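The expiry behaviour described above, sketched as an added example. This is not Waboom AI's code: the HMAC-SHA256 scheme, the key, the host, and the names `sign_recording_url` and `check_recording_url` are assumptions. Only the 24-hour default, the 1 to 168 hour range, and the 404 after expiry come from the page.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values (assumptions, not real secrets or hosts).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
BASE_URL = "https://recordings.example.invalid"

DEFAULT_TTL_HOURS = 24                  # page: default 24-hour expiry
MIN_TTL_HOURS, MAX_TTL_HOURS = 1, 168   # page: configurable from 1 to 168 hours


def _mac(path, expires):
    # Sign the path and the expiry together so neither can be edited alone.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_recording_url(path, ttl_hours=DEFAULT_TTL_HOURS, now=None):
    """Return a URL for `path` that stops verifying after `ttl_hours`."""
    if not MIN_TTL_HOURS <= ttl_hours <= MAX_TTL_HOURS:
        raise ValueError("ttl_hours must be between 1 and 168")
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_hours * 3600)
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{BASE_URL}{path}?{query}"


def check_recording_url(url, now=None):
    """Return the status a server would answer with: 200 or 404."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return 404  # missing or malformed parameters
    expected = _mac(parts.path, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 404  # path or expiry was altered, or signature forged
    if now >= expires:
        return 404  # a forwarded link is dead once the window closes
    return 200
```

Until it expires, a signed URL is a bearer credential: whoever holds the link can fetch the recording, so the expiry setting bounds the exposure window rather than binding the link to a user.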
Automatic do-not-call detection on every conversation
Every Waboom AI conversation runs through 24 do-not-call trigger phrases in real time. "Stop calling", "do not call", "remove me", "take me off", "leave me alone", "unsubscribe", "opt out", and 17 variants. Any match auto-flags the number on your DNC list. No human intervention.
Your team doesn't have to read every transcript to catch the "stop calling me" moment. The agent catches it. The portal stores it. The next campaign respects it.
CSV re-upload safeguard against accidental DNC violations
The CSV uploader checks every new contact list against your existing DNC list at upload time. A prospect who asked to be removed last quarter can't get called again by mistake next quarter. Flagged matches surface before any call queues.
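The two do-not-call checks above (phrase detection on the conversation, then screening an uploaded list), sketched as one added example. This is not Waboom AI's code: the function names, the `(speaker, text)` turn format, the `phone` column, the default country code and the sample numbers are assumptions. The phrase list holds only the seven phrases quoted on the page, since the other 17 variants are not listed there.

```python
import csv
import io
import re

# The seven trigger phrases the page quotes.
DNC_PHRASES = ("stop calling", "do not call", "remove me", "take me off",
               "leave me alone", "unsubscribe", "opt out")
DNC_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, DNC_PHRASES)) + r")\b")


def normalise_text(text):
    # Lower-case, straighten apostrophes, turn punctuation into spaces so
    # "OPT-OUT!" and "opt out" compare equal.
    text = text.lower().replace("\u2019", "'")
    text = re.sub(r"[^a-z0-9' ]+", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def normalise_number(raw, default_cc="64"):
    # Assumption: national numbers start with 0 and belong to default_cc.
    # Without one canonical form, "021 555 0100" and "+64 21 555 0100"
    # would look like two different people and the DNC check would miss.
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+" + default_cc + digits[1:]
    return "+" + digits


def flag_dnc(turns, caller_number, dnc):
    """Add caller_number to dnc if a caller turn contains a trigger phrase.

    Only caller turns are scanned (assumption), so an agent saying
    "you can opt out at any time" does not flag the number.
    Returns the matched phrase, or None.
    """
    for speaker, text in turns:
        if speaker != "caller":
            continue
        match = DNC_RE.search(normalise_text(text))
        if match:
            dnc.add(normalise_number(caller_number))
            return match.group(0)
    return None


def screen_upload(csv_text, dnc, phone_column="phone"):
    """Split an uploaded contact list into (allowed, blocked) numbers."""
    allowed, blocked = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        number = normalise_number(row[phone_column])
        (blocked if number in dnc else allowed).append(number)
    return allowed, blocked
```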
Agents that answer source-of-data questions live
Under New Zealand's IPP 3A (live 1 May 2026), you must tell prospects where their data came from. Waboom AI agents are configured to answer "how did you get my information?", "why are you calling?", and "who is this on behalf of?" live during the call, reading the source field from your CRM. The disclosure script is tunable per campaign without dropping the legal floor. Here's how the agent reads CRM data live mid-call.
Regulatory verification for new accounts
New AU and NZ accounts get 14 days to upload their verification documents (business registration, proof of address, government ID). During the 14-day window, we cap your account at 25 calls per day. Past the window without verification, we pause calling until your documents arrive.
The verification flow uses the standard carrier regulatory bundle process for NZ and AU phone numbers. The 25-calls-per-day cap stops a bad actor from weaponising a new account before due diligence completes.
Where does your voice AI data actually live?

Honest answer in one paragraph. Your portal, transcripts, structured call data, contact lists, and audit logs all sit on our Sydney servers. The voice runtime runs on a SOC 2 Type II audited platform we built Waboom AI on top of, inheriting the same enterprise-grade controls used by financial services, healthcare, and government clients worldwide. That foundation is what delivers sub-second response on the call.
What sits in Sydney
- Your portal and your account
- Call transcripts (the text of every conversation)
- Structured call data (timings, phone numbers, outcomes, dynamic variables extracted from calls)
- Audit logs
- Contact lists
- Billing
Onshore residency for New Zealand is available on request. We document it for buyers running ACC, district health board, or Te Whatu Ora contracts.
The voice runtime foundation
The actual conversational engine (speech-to-text, the language model, text-to-speech) runs on a SOC 2 Type II audited voice platform we built Waboom AI on top of. Encrypted on every connection. Independently audited annually. Waboom AI inherits the controls and the assurance. Sub-second response on the call is what that foundation buys you. Inherited security posture is what you sign up for at the same time.
How the cross-border flow stays compliant
The SOC 2 Type II foundation holds itself to the same standard you'd expect onshore. Annual third-party audit. Documented controls. APP 8 cross-border accountability in Australia, IPP 12 comparable-safeguards in New Zealand, both met by inheriting that audited posture and signing the cross-border arrangement on top.
Plain English: if a vendor leaks data overseas, the operator is the one a regulator comes after. We don't leave that exposed. The audit lives at the foundation layer. If your procurement team needs the cross-border handling documented, we put it in writing before contract.
For buyers with stricter requirements (healthcare, ACC, government-adjacent work), we walk your compliance team through the full residency map on request, under NDA. The official OAIC guidance on cross-border disclosure covers the technical wording.
What does Australian privacy law require, and how do we meet it?

Three things. Tell the caller you're collecting their data. Don't reuse it for something else. Keep it secure. Waboom AI is built to handle all three.
On inbound calls, the opening disclosure runs by default. On outbound campaigns it runs when your jurisdiction or your policy needs it, and every agent confirms recording on the spot if a caller asks. Storage is encrypted. Reuse is scoped to your account. Australia's Privacy Act catches most private-sector businesses with turnover above AUD 3 million, plus every healthcare business regardless of size. We've built Waboom AI to handle the harder of those two thresholds by default.
The 2024 amendments that raised the stakes
The Australian fine ceiling now hits AUD 50 million, or three times the benefit obtained, or 30 percent of adjusted turnover. The old ceiling was AUD 2.22 million before late 2022. That's the shift the 2024 amendments brought in.
Australia also has a separate civil tort now. Since 10 June 2025, an individual can sue for serious invasion of privacy without proving actual loss. Damages cap at AUD 478,550. That sits beside any regulator enforcement.
The collection-notice rule, handled on the opening line
Australia's federal collection-notice rule means you must tell callers when their information is being collected. On inbound calls, Waboom AI plays a recording disclosure by default. On outbound campaigns, the same disclosure runs when your jurisdiction or your policy needs it. Either way, every agent is prompted to confirm recording on the spot if a caller asks. Your team doesn't draft it, doesn't maintain it, doesn't forget it on a Friday afternoon campaign.
Offshore handling: you stay on the hook, we carry the evidence
Australian law makes you accountable for any offshore mishandling of your customer's data. It also demands the offshore handling matches the local standard: written arrangement, audit rights, breach notification, restrictions on who else touches the data. The SOC 2 Type II foundation already carries those controls in writing, audited annually by an independent third party. For enterprise procurement, we draft a written agreement together before contract. You carry the legal accountability with the evidence to defend it.
Data breaches: your 30-day clock
Australia gives you 30 days from suspecting a serious breach to notify the regulator and affected people. Waboom AI makes 30 days achievable, not aspirational. Every admin action, data change, webhook delivery, and login is logged on our Sydney audit log. If something goes wrong, you have the forensic trail to reconstruct in hours, not days. We work alongside your incident-response team to meet that window. The audit log is the evidence base the assessment runs from.
Optus, Medibank, and Australian Clinical Labs reset the bar
Three cases changed how Australian businesses think about data risk. The OAIC filed civil penalty proceedings against Optus in May 2025 over the breach affecting 9.5 million Australians. The OAIC filed Medibank's civil penalty action in June 2024 over the breach affecting 9.7 million.
In 2025 a medical testing company copped an AUD 5.8 million fine for a data breach. That was the first civil penalty under the Privacy Act, decided in the Federal Court ruling. The bar is real. Waboom AI clears it the same way every time: Sydney audit log on every admin action, a written data-handling agreement drafted with enterprise procurement before contract, SOC 2 Type II inheritance at the runtime layer. The combination is what your board reviews when the next breach hits the news.
For the operator-grade walkthrough of Australian telemarketing law, see our Australian telemarketing law for AI voice agents guide. It covers the DNC Register and the ACMA standards that bite alongside the Privacy Act.
What does New Zealand privacy law require, and how do we meet it?

We follow the Privacy Act 2020 in full. 13 information privacy principles, every one handled by the product. Tell the caller you're collecting. Store it securely. Send overseas only with comparable safeguards. We meet all three.
New Zealand's statutory fines are smaller than Australia's (maximum NZD 10,000 per offence). The real teeth come from the Office of the Privacy Commissioner, the Human Rights Review Tribunal, and reputational fallout that lasts. We've built around all three sources of risk.
The Privacy Act 2020 in one paragraph
The 13 information privacy principles cover collection, storage, use, disclosure, accuracy, retention, and access. We handle each principle inside the product, so your obligations are met from day one. The Act catches overseas agencies doing business in New Zealand even without a physical presence, and the Privacy Commissioner can issue compliance notices that bite.
Cross-border data: the comparable safeguards route
If data leaves New Zealand, your provider has to handle it to the same standard as if it stayed. Waboom AI's SOC 2 Type II audited foundation gets you there at the runtime layer, anchored by an annual independent audit and signed on top by us. For enterprise procurement, we draft a written agreement together before contract, covering audit rights, breach notification, deletion at the end of the contract, and restrictions on who else touches the data. The OPC publishes model clauses that cover the same territory.
The new outbound-call rule from 1 May 2026 (IPP 3A)
Under New Zealand's IPP 3A (live 1 May 2026), you must tell prospects where their data came from. That includes CRM data, purchased lists, and public records.
Waboom AI agents are configured to answer "how did you get my information?", "why are you calling?", and "who is this on behalf of?" live during the call, reading the source field from your CRM. The disclosure script is tunable per campaign without dropping the legal floor.
The full principle-by-principle walkthrough lives in our NZ Privacy Act 2020 voice agent compliance guide.
Notifiable privacy breaches and the OPC
New Zealand requires you to tell the Privacy Commissioner as soon as practicable when a privacy breach has caused, or is reasonably likely to cause, serious harm. The OPC's practical expectation is 72 hours from awareness.
Failing to notify without a reasonable excuse is an offence. We work alongside your incident-response team to meet that window. Sydney audit logs plus on-demand documentation cover the assessment evidence.
Can you delete a customer's call recording on demand?
Yes. Inside 10 minutes, on request. When you ask us to delete a customer's data, a single action in the portal completes across every layer. Transcript, structured fields, knowledge-base traces, dynamic variables, metadata, the recording, all gone.
Permanent. Audit-logged. Built for the regulator question your compliance team will eventually field. New Zealand and Australia both expect data destroyed or de-identified when it's no longer needed; we treat that as a hard product requirement.
What gets removed
Recording file, transcript, structured outputs. Knowledge-base retrieval traces, dynamic variables, metadata. Every layer, in one action.
Two things stay: the audit log of the deletion itself, for your compliance evidence. And any data that's already left our platform to your downstream systems (your CRM, your calendar). Those are yours to manage on your side.
Default 30-day retention and why we set it there
Most platforms in this space default to indefinite retention. We default to 30 days. Configurable per agent from one day to two years if you need to extend for medical record statutes or ACC matters. Indefinite default retention is a problem looking for a court case, and we don't carry it.
Want to see exactly what your call data does?
Book a 15 minute walkthrough. We'll show you what gets stored, where, for how long, and how it gets deleted. Bring your compliance officer.
How do we stop the AI from being tricked into ignoring its instructions?

Every Waboom AI agent ships with jailbreak protection on by default. The guardrail detects prompt injection patterns mid-call before the language model responds, refuses, and redirects back to your agent's actual task. Roughly 50 milliseconds per turn. The caller doesn't notice. How we war-test agents before they go live has the operator detail.
Full operator walkthrough at voice agent jailbreak protection. It covers the attack patterns we see and the nine lockable content categories: harassment, self-harm, sexual exploitation, violence, defence and national security, illicit and harmful activity, gambling, regulated professional advice, and child safety. PII redaction stacks on top.
What about healthcare, government, and financial services?

Three sectors carry stricter rules than the general Privacy Act baseline. Waboom AI is built to handle all three.
Healthcare in Australia and New Zealand
Waboom AI is the privacy-safe voice receptionist for medical practices in both markets. Patient data sits in Sydney. Deletion is a single action. When your auditor asks for a written agreement, we put the obligations on paper before contract: recording disclosure, retention windows, deletion rights, breach notification, sub-processor visibility. HIPAA is a US law that doesn't apply, so we don't pretend it does. What does apply: the Privacy Act in Australia, state health acts in Victoria, New South Wales, and the ACT, and the Health Information Privacy Code 2020 in New Zealand. We follow all of them.
Full operator walkthrough at Healthcare voice AI privacy: AU + NZ guide. Covers dentists, GPs, allied health, aged care, and vets, plus practice management system integrations: Halaxy, Cliniko, MedTech32, BestPractice, Genie, OpenDental, ezyVet.
Australian Government departments, agencies, and councils
For the departments drowning in citizen calls. Services Australia, the ATO, NDIA, state housing portfolios like NSW DCJ and Victorian DFFH, and metro councils running thousands of rate-payer, waste, and DA enquiries a week. The volume problem, not the classified-data problem.
Voice agents handle inbound overflow at peak, after-hours fallback for urgent housing and hardship calls, outbound notification campaigns, recall and appointment booking, satisfaction surveys, and disaster-response surge when volumes 10x overnight. Sydney portal. SOC 2 inheritance. AU telco regulatory bundle on every number, so the identity passport on the line says your department, not a generic vendor.
OFFICIAL or OFFICIAL: Sensitive workloads can deploy today. If your scope ever pushes into IRAP at OFFICIAL: Sensitive or PROTECTED, the assessment rolls into the engagement fee as a pass-through. Full department walkthrough at AI voice agents for Australian Government departments.
Financial services
APRA CPS 234 drives onshore data residency for banks and insurers. Voice AI in finance also needs to handle card payments without storing card data. The standard pattern is DTMF pause-and-resume during the payment step. Card digits route directly to a PCI-tokenising payment processor and never enter your agent's context.
Detailed financial-services pillar coming. For now, contact us for the financial-services compliance walkthrough.
Where to next
If your compliance team needs the deep dive:
- Healthcare practices and aged care: Healthcare Voice AI Privacy Guide covers HIPC 2020 and the layered Australian health framework.
- Departments, agencies, and councils handling citizen call volume: AU Government Voice AI Guide covers the named departments, the six use cases (inbound overflow, after-hours, outbound notifications, recall, surveys, disaster surge), and how we deploy at OFFICIAL: Sensitive today with IRAP pass-through if your scope ever needs it.
- Multi-state outbound campaigns: Call Recording Consent Guide is the state-by-state table with the one disclosure that satisfies all nine jurisdictions.
- Prompt injection and content controls: Voice Agent Jailbreak Protection Guide is the deep dive on the safety layer.
- See every case study Waboom AI publishes: All case studies.
If you're ready to talk through your specific use case, book a walkthrough. We'll show you the residency map, the deletion mechanic, the disclosure script, and the DNC handling on a real account, on a real call.
Ready to deploy a voice AI agent built for Australian and New Zealand compliance?
Talk to us. We'll walk through your specific compliance shape.