A badge proves a vendor paid for an audit. A report proves what the auditor actually found.
When a NZ or AU buyer evaluates an AI voice agent, the security question is rarely "are you certified". It is "show me the evidence". The SOC 2 ISO 27001 voice AI question matters because your customers' phone calls carry names, addresses, card details, and health notes. Procurement wants proof those controls hold under load, not a logo on a slide.
We have sat in those reviews. The buyer's security lead asks to read the SOC 2 report, not see the badge. Here is what these certifications actually buy you, framed as outcomes for a New Zealand or Australian deployment.
For the wider picture on how every account is protected, start with our AI voice agent security overview.
A badge says an audit started; the report says what the auditor found inside scope.
What do SOC 2 and ISO 27001 actually buy you?
They buy you a shortcut through procurement. A SOC 2 Type II report and an ISO 27001 certificate let a buyer's security team tick boxes in hours instead of weeks. Both reduce the back-and-forth questionnaire grind to a single document review.
Think of it from the buyer's side. Without a report, a security team sends a 200-question spreadsheet and waits two weeks for answers. With one, they read 40 pages and move on.
That speed has a price tag. A stalled procurement review pushes a deployment back by a month. For an agency running 200 dials a day at roughly $100 NZD per campaign, a month of delay is real pipeline lost.
These certifications also buy trust at the executive level. A board signing off on an AI voice deployment wants assurance the vendor will not become tomorrow's breach headline. A clean report is that assurance in writing.
Why does procurement ask for the report, not the badge?
Because a badge only proves the audit started, while the report proves what the audit found. Procurement teams have learned that a logo on a website tells them nothing about scope, exceptions, or whether controls actually operated. The report carries the detail that matters.
A SOC 2 badge says "we engaged an auditor". It does not say the audit covered the systems handling your callers' data. It does not list the exceptions the auditor noted.
We have watched a deal slow down precisely here. The buyer asked one question. "Send the report under NDA." A vendor with only a badge had nothing to send.
The report is where scope lives. It names which systems were tested, over what period, and what the auditor concluded. A serious buyer reads the scope section first.
Evaluating a voice platform for a regulated buyer?
See the outcomes every account gets, from encryption on every call to deletion in 10 minutes, on our voice agent security page.
What does SOC 2 Type II prove about how your data is handled?
It proves the controls worked over a period of months, not on a single day. SOC 2 Type II tests whether security controls operated continuously across a window, usually six to twelve months. Type I only checks they existed at one moment. The difference is everything.
A Type I report is a photo. A Type II report is the security camera footage. For a voice platform handling thousands of calls a week, you want the footage.
Type II covers the outcomes a buyer cares about. Is caller data encrypted on every connection and at rest. Who can access recordings and transcripts. How fast a problem gets caught and contained.
It also proves discipline over time. Anyone can lock down a system for one audit day. Type II proves the locks stayed on for a year while real calls flowed through.
For a NZ or AU buyer, that continuity maps directly to local accountability. Under the NZ Privacy Act 2020 and the Australian Privacy Act 1988, you stay responsible for data your vendor handles. A Type II report is evidence your vendor held the line. The same thinking sits behind our zero-retention data handling.
Type I is a single-day snapshot; Type II is months of continuous proof while real calls flow.
What does ISO 27001 add on top?
It adds proof the vendor runs a system for managing security, not just a list of controls. ISO 27001 certifies an Information Security Management System, which is the process for finding risks, fixing them, and reviewing the whole thing on a cycle. SOC 2 tests controls. ISO 27001 tests the machine that maintains them.
The two overlap, but they answer different questions. SOC 2 asks "did the controls work". ISO 27001 asks "is there a living process that keeps them working as the platform changes".
That matters for AI voice, where the platform ships changes weekly. A new agent capability, a new integration, a new caller flow. ISO 27001 proves each change runs through a risk review before it touches live calls. That discipline is what keeps protections like jailbreak protection on every agent from drifting over time.
For an international buyer, ISO 27001 also travels. If you expand across markets, a vendor certified once can satisfy security teams in Auckland, Sydney, and London with the same certificate.
Do you need both for a NZ or AU deployment?
For most NZ and AU deployments you need at least one, and the bigger the buyer the more they want both. A small business booking a part-time receptionist replacement rarely asks for either. A bank, an insurer, or a government supplier usually wants both on the table.
The buyer sets the bar. Match the certification to the buyer, not the brochure. A clinic handling health calls cares about access control and deletion timing. A telco cares about continuity and incident response.
Here is the honest split on where data sits. Your portal records, call transcripts, and structured call data live on our Sydney servers. The live audio stream is processed offshore by our voice infrastructure partner.
We meet cross-border accountability requirements through documented arrangements with that partner. Under the NZ Privacy Act 2020, data leaving New Zealand needs handling to the same standard as if it stayed. Under the Australian Privacy Principles, if your vendor leaks data overseas, you are still on the hook for it.
Recordings and transcripts can be deleted in 10 minutes on request. Every call discloses to the caller that they are speaking with an AI. Those two facts answer more procurement questions than any certificate. For the regulator detail, the New Zealand Office of the Privacy Commissioner and the Australian OAIC publish the rules in plain terms.
The honest split: portal records and transcripts in Sydney, live audio processed offshore under documented arrangements.
What should you ask a vendor about certifications?
Ask to read the SOC 2 report under NDA, then check three things in it. Scope, period, and exceptions. A vendor who hands over the report fast and points you to those sections is operating in good faith. One who stalls is hiding something.
Start with scope. Confirm the systems handling your callers' data are inside the audit boundary. A report that only covers the marketing website is useless to you.
Check the period next. A Type II report should cover six to twelve months of continuous operation. A gap between report periods is a flag worth a follow-up question.
Then read the exceptions. Every honest report has a few. What you want to see is the exception listed alongside the fix and the date it was closed.
Finally, ask the operator questions. How fast can a recording be deleted. Who at the vendor can access a transcript. Is AI disclosure played on every call. The same lens applies to prompt-injection defences and toll-fraud controls that protect your spend.
What if a vendor only has a badge and no report?
Treat a badge with no report as an unanswered question, not a disqualification. Some vendors are mid-audit and genuinely cannot share a report yet. Others use the badge as theatre. Your job is to tell which.
Ask one direct question. "Can you send the report under NDA today, and if not, when". A real answer with a date is fine. A vague answer is the tell.
While you wait, weigh the operator facts you can verify now. Where the data sits, how fast it deletes, whether AI disclosure runs on every call, who can reach a recording. These are checkable without a certificate.
We would rather a buyer pressure-test us on those facts than wave through a badge. A badge is a starting point. The evidence is the conversation, and you can see where ours starts on the AI voice agents overview.
Ready to put a voice platform through your security review?
Bring your procurement checklist and pressure-test the outcomes on our voice agent security page.
Frequently Asked Questions
What is the difference between a SOC 2 badge and a SOC 2 report?
A badge signals a vendor engaged an auditor. A report signals what the auditor found, including which systems were tested, over what period, and what exceptions came up. Procurement teams ask for the report because the badge proves nothing about scope or whether controls actually operated under real call load.
Is SOC 2 Type II better than Type I?
For an AI voice platform, yes. Type I confirms controls existed on a single day. Type II confirms they operated continuously across six to twelve months of real calls. Type II is the security camera footage rather than a single photo, which is what a serious buyer wants to see before signing.
Do I need both SOC 2 and ISO 27001 for an Australian deployment?
It comes down to the buyer. A small business replacing a receptionist usually asks for neither. A bank, insurer, or government supplier often wants both, because one proves the controls worked and the other proves a living process keeps them working as the platform ships changes.
Where is my call data stored with Waboom AI?
Your portal records, call transcripts, and structured call data sit on our Sydney servers. The live audio stream is processed offshore by our voice infrastructure partner, under documented cross-border arrangements. Recordings and transcripts can be deleted in 10 minutes on request, and every call discloses to the caller they are speaking with an AI.
Does HIPAA apply to my New Zealand or Australian voice agent?
No. HIPAA is a United States health-data law and does not apply in New Zealand or Australia. Your obligations run under the NZ Privacy Act 2020 and the Australian Privacy Act 1988, including the Australian Privacy Principles. New Zealand also applies special health-data rules, which we follow.
What should a SOC 2 report scope section tell me?
It should name the exact systems and services that were audited. Confirm the systems handling your callers' data are inside that boundary. A report scoped only to a marketing website tells you nothing about how the voice platform protects live call data, so always read scope first.
Leonardo Garcia-Curtis
Founder & CEO at Waboom AI. Building voice AI agents that convert.
Ready to Build Your AI Voice Agent?
Let's discuss how Waboom AI can help automate your customer conversations.
Book a Free Demo


