Waboom AI
AI Training

AI Training

AI Team TrainingPopular

Hands-on workshops for marketing, sales, operations, and customer service teams.

AI Strategy Workshop

Executive workshops for leadership teams. Identify opportunities. Calculate ROI. Walk out with a roadmap.

Claude Code Workshop

Build apps in hours not months. Ship websites, automations, and tools with AI.

AI Training for Teams

AI Training for Teams

Hands-on workshops for marketing, sales, operations, and customer service teams. Not theory. Real tools. Real tasks. Real outcomes.

1,000+ people trained across NZ

Learn more
AI Automation

AI Automation

AI Agents & AutomationPopular

Your AI workforce: outbound, proposals, knowledge and support agents. Find buyers, write SOWs, answer every call.

AI Retainer Support

Already built with us? Stay on retainer and we keep shipping new agents and features for your business.

Microsoft Copilot Agents

Build custom Copilot agents in Power Automate & Copilot Studio. Automate workflows across your entire Microsoft 365 ecosystem.

Waboom Concierge

Personalised inbound for premium brands. An AI concierge greets every visitor, builds an on-the-spot quote, and books a real conversation.

AI Automation & Integration

AI Automation & Integration

We build faster and more cost effectively than traditional development teams. You tell us the problem. We deliver the solution.

30+ projects live in 24 months

Learn more
AI Voice Agents

AI Voice Agents

AI Voice Agents

24/7 AI-powered phone agents for inbound & outbound calls. Never miss a lead, handle enquiries, book appointments automatically.

AI Receptionist

Pay-as-you-go inbound receptionist. Answers, transfers calls, takes messages inside your VoIP. $1/min with auto top-up.

Voice Agent Pricing

Transparent pricing for AI voice agents. See costs per minute and platform fees.

AI Voice Agent Demo

Talk to Michelle on three voice AI engines side by side. Hear the latency, find the model that fits.

Listen to Our Voices

Preview all 32 AI voice agents across NZ, AU, UK and US. Find the perfect voice for your brand.

Case Studies

Real customer results. Vendor leads, viewings booked, relationships scaled. Every story has the math.

AI Voice Agents

AI Voice Agents

Never miss a lead. AI agents that answer calls 24/7, qualify prospects, and book appointments automatically.

30+ voice agents deployed

Learn more
Case Studies

Case Studies

Melbourne: 5 listings from one 14-year dormant contactPopular

$2.9M of CBD apartments relisted by the same agent who sold them in 2012. AI dialled the dormant number.

Home builder: AU$374.4M in lost sales uncovered

5,200 cold calls into a 70,000-prospect CRM. 234 confirmed lost deals at AU$1.6M each. A very leaky bucket.

Sydney agent: 141 vendor leads in 90 days

9,856 dials, 1,997 conversations, 141 warm-transferred sellers at $32.74 each.

Christchurch developer: 49 viewings in 14 days

931 Meta leads called same-day. 49 viewings booked at $7.12 each.

City Sales Auckland: 100,000+ relationships

How a leading Auckland firm strengthened over 100,000 client relationships with AI.

See all case studies

Browse every Waboom customer case study in one place.

Real numbers from real Waboom customers

Real numbers from real Waboom customers

Vendor leads. Viewings booked. Relationships scaled. Every story has the math.

5,000+ AI-handled conversations

Learn more
Resources

Resources

AI Resources & Guides

Free templates, frameworks, and implementation guides to help you adopt AI effectively in your organisation.

Blog

Expert insights on AI voice agents, automation strategies, and industry best practices from the Waboom team.

Workshop Tutorial Videos

Paid-attendee video library. Cowork 101 and Claude Code 101, on demand with clickable chapter navigation.

AI Resources Hub

AI Resources Hub

Free tools and guides to help you implement AI effectively. From policy templates to ROI calculators.

New resources added monthly

Learn more
Contact

Contact

Contact Us

Get in touch with our team. We'd love to hear about your AI goals.

About Waboom AI

Learn about our mission, team, and why we're passionate about AI adoption in NZ.

Let's Talk AI

Let's Talk AI

Whether you need training, automation, or strategy - we're here to help you adopt AI effectively.

Response within 24 hours

Learn more
09 888 0402
Back to BlogSecurity

Procurement Reads the SOC 2 Report, Not the Badge. Here Is What SOC 2 and ISO 27001 Actually Buy You.

Leonardo Garcia-Curtis09/07/2026
TL;DR

We sit in security reviews where the buyer's lead asks to read the SOC 2 report, not see the badge, so here is what these certs actually buy you. SOC 2 Type II proves controls held over six to twelve months of real calls, while ISO 27001 proves a living process keeps them working as the platform ships changes weekly. Most NZ and AU deployments need at least one, and banks or government suppliers want both. The right move is to read the report's scope, period, and exceptions before you sign.

Procurement Reads the SOC 2 Report, Not the Badge. Here Is What SOC 2 and ISO 27001 Actually Buy You.

A badge proves a vendor paid for an audit. A report proves what the auditor actually found.

When a NZ or AU buyer evaluates an AI voice agent, the security question is rarely "are you certified". It is "show me the evidence". The SOC 2 ISO 27001 voice AI question matters because your customers' phone calls carry names, addresses, card details, and health notes. Procurement wants proof those controls hold under load, not a logo on a slide.

We have sat in those reviews. The buyer's security lead asks to read the SOC 2 report, not see the badge. Here is what these certifications actually buy you, framed as outcomes for a New Zealand or Australian deployment.

For the wider picture on how every account is protected, start with our AI voice agent security overview.

Comparison of an empty SOC 2 badge against an open SOC 2 report showing scope, period and exceptions sections

A badge says an audit started; the report says what the auditor found inside scope.

What do SOC 2 and ISO 27001 actually buy you?

They buy you a shortcut through procurement. A SOC 2 Type II report and an ISO 27001 certificate let a buyer's security team tick boxes in hours instead of weeks. Both reduce the back-and-forth questionnaire grind to a single document review.

Think of it from the buyer's side. Without a report, a security team sends a 200-question spreadsheet and waits two weeks for answers. With one, they read 40 pages and move on.

That speed has a price tag. A stalled procurement review pushes a deployment back by a month. For an agency running 200 dials a day at roughly $100 NZD per campaign, a month of delay is real pipeline lost.

These certifications also buy trust at the executive level. A board signing off on an AI voice deployment wants assurance the vendor will not become tomorrow's breach headline. A clean report is that assurance in writing.

Why does procurement ask for the report, not the badge?

Because a badge only proves the audit started, while the report proves what the audit found. Procurement teams have learned that a logo on a website tells them nothing about scope, exceptions, or whether controls actually operated. The report carries the detail that matters.

A SOC 2 badge says "we engaged an auditor". It does not say the audit covered the systems handling your callers' data. It does not list the exceptions the auditor noted.

We have watched a deal slow down precisely here. The buyer asked one question. "Send the report under NDA." A vendor with only a badge had nothing to send.

The report is where scope lives. It names which systems were tested, over what period, and what the auditor concluded. A serious buyer reads the scope section first.

Evaluating a voice platform for a regulated buyer?

See the outcomes every account gets, from encryption on every call to deletion in 10 minutes, on our voice agent security page.

What does SOC 2 Type II prove about how your data is handled?

It proves the controls worked over a period of months, not on a single day. SOC 2 Type II tests whether security controls operated continuously across a window, usually six to twelve months. Type I only checks they existed at one moment. The difference is everything.

A Type I report is a photo. A Type II report is the security camera footage. For a voice platform handling thousands of calls a week, you want the footage.

Type II covers the outcomes a buyer cares about. Is caller data encrypted on every connection and at rest. Who can access recordings and transcripts. How fast a problem gets caught and contained.

It also proves discipline over time. Anyone can lock down a system for one audit day. Type II proves the locks stayed on for a year while real calls flowed through.

For a NZ or AU buyer, that continuity maps directly to local accountability. Under the NZ Privacy Act 2020 and the Australian Privacy Act 1988, you stay responsible for data your vendor handles. A Type II report is evidence your vendor held the line. The same thinking sits behind our zero-retention data handling.

Diagram contrasting a SOC 2 Type I single-day photo with a Type II six-to-twelve month continuous monitoring window

Type I is a single-day snapshot; Type II is months of continuous proof while real calls flow.

What does ISO 27001 add on top?

It adds proof the vendor runs a system for managing security, not just a list of controls. ISO 27001 certifies an Information Security Management System, which is the process for finding risks, fixing them, and reviewing the whole thing on a cycle. SOC 2 tests controls. ISO 27001 tests the machine that maintains them.

The two overlap, but they answer different questions. SOC 2 asks "did the controls work". ISO 27001 asks "is there a living process that keeps them working as the platform changes".

That matters for AI voice, where the platform ships changes weekly. A new agent capability, a new integration, a new caller flow. ISO 27001 proves each change runs through a risk review before it touches live calls. That discipline is what keeps protections like jailbreak protection on every agent from drifting over time.

For an international buyer, ISO 27001 also travels. If you expand across markets, a vendor certified once can satisfy security teams in Auckland, Sydney, and London with the same certificate.

Do you need both for a NZ or AU deployment?

For most NZ and AU deployments you need at least one, and the bigger the buyer the more they want both. A small business booking a part-time receptionist replacement rarely asks for either. A bank, an insurer, or a government supplier usually wants both on the table.

The buyer sets the bar. Match the certification to the buyer, not the brochure. A clinic handling health calls cares about access control and deletion timing. A telco cares about continuity and incident response.

Here is the honest split on where data sits. Your portal records, call transcripts, and structured call data live on our Sydney servers. The live audio stream is processed offshore by our voice infrastructure partner.

We meet cross-border accountability requirements through documented arrangements with that partner. Under the NZ Privacy Act 2020, data leaving New Zealand needs handling to the same standard as if it stayed. Under the Australian Privacy Principles, if your vendor leaks data overseas, you are still on the hook for it.

Recordings and transcripts can be deleted in 10 minutes on request. Every call discloses to the caller that they are speaking with an AI. Those two facts answer more procurement questions than any certificate. For the regulator detail, the New Zealand Office of the Privacy Commissioner and the Australian OAIC publish the rules in plain terms.

Data residency split showing portal records and transcripts on Sydney servers and live audio processed offshore

The honest split: portal records and transcripts in Sydney, live audio processed offshore under documented arrangements.

What should you ask a vendor about certifications?

Ask to read the SOC 2 report under NDA, then check three things in it. Scope, period, and exceptions. A vendor who hands over the report fast and points you to those sections is operating in good faith. One who stalls is hiding something.

Start with scope. Confirm the systems handling your callers' data are inside the audit boundary. A report that only covers the marketing website is useless to you.

Check the period next. A Type II report should cover six to twelve months of continuous operation. A gap between report periods is a flag worth a follow-up question.

Then read the exceptions. Every honest report has a few. What you want to see is the exception listed alongside the fix and the date it was closed.

Finally, ask the operator questions. How fast can a recording be deleted. Who at the vendor can access a transcript. Is AI disclosure played on every call. The same lens applies to prompt-injection defences and toll-fraud controls that protect your spend.

What if a vendor only has a badge and no report?

Treat a badge with no report as an unanswered question, not a disqualification. Some vendors are mid-audit and genuinely cannot share a report yet. Others use the badge as theatre. Your job is to tell which.

Ask one direct question. "Can you send the report under NDA today, and if not, when". A real answer with a date is fine. A vague answer is the tell.

While you wait, weigh the operator facts you can verify now. Where the data sits, how fast it deletes, whether AI disclosure runs on every call, who can reach a recording. These are checkable without a certificate.

We would rather a buyer pressure-test us on those facts than wave through a badge. A badge is a starting point. The evidence is the conversation, and you can see where ours starts on the AI voice agents overview.

Ready to put a voice platform through your security review?

Bring your procurement checklist and pressure-test the outcomes on our voice agent security page.

Frequently Asked Questions

What is the difference between a SOC 2 badge and a SOC 2 report?

A badge signals a vendor engaged an auditor. A report signals what the auditor found, including which systems were tested, over what period, and what exceptions came up. Procurement teams ask for the report because the badge proves nothing about scope or whether controls actually operated under real call load.

Is SOC 2 Type II better than Type I?

For an AI voice platform, yes. Type I confirms controls existed on a single day. Type II confirms they operated continuously across six to twelve months of real calls. Type II is the security camera footage rather than a single photo, which is what a serious buyer wants to see before signing.

Do I need both SOC 2 and ISO 27001 for an Australian deployment?

It comes down to the buyer. A small business replacing a receptionist usually asks for neither. A bank, insurer, or government supplier often wants both, because one proves the controls worked and the other proves a living process keeps them working as the platform ships changes.

Where is my call data stored with Waboom AI?

Your portal records, call transcripts, and structured call data sit on our Sydney servers. The live audio stream is processed offshore by our voice infrastructure partner, under documented cross-border arrangements. Recordings and transcripts can be deleted in 10 minutes on request, and every call discloses to the caller they are speaking with an AI.

Does HIPAA apply to my New Zealand or Australian voice agent?

No. HIPAA is a United States health-data law and does not apply in New Zealand or Australia. Your obligations run under the NZ Privacy Act 2020 and the Australian Privacy Act 1988, including the Australian Privacy Principles. New Zealand also applies special health-data rules, which we follow.

What should a SOC 2 report scope section tell me?

It should name the exact systems and services that were audited. Confirm the systems handling your callers' data are inside that boundary. A report scoped only to a marketing website tells you nothing about how the voice platform protects live call data, so always read scope first.

LG

Leonardo Garcia-Curtis

Founder & CEO at Waboom AI. Building voice AI agents that convert.

Ready to Build Your AI Voice Agent?

Let's discuss how Waboom AI can help automate your customer conversations.

Book a Free Demo

Related Pages

AI Voice Agents

The complete guide to AI voice agents for New Zealand and Australian businesses.

AI Receptionist NZ

24/7 inbound call answering with native Kiwi accent.

AI Receptionist Australia

24/7 inbound call answering with Australian accent.

Related Articles

A Caller Reads Her Card Number Aloud. AI Voice Agent PII Redaction Keeps It Off Your Transcript.

A Caller Reads Her Card Number Aloud. AI Voice Agent PII Redaction Keeps It Off Your Transcript.

A Caller Just Read Out Their Card Number. Where Does It Go?

A Caller Just Read Out Their Card Number. Where Does It Go?

Your Voice AI Bill Jumped to $15,000 Overnight. That Is Toll Fraud.

Your Voice AI Bill Jumped to $15,000 Overnight. That Is Toll Fraud.

Waboom AI

Empowering New Zealand and Australian businesses with AI voice agents and automation that deliver real, measurable value.

info@waboom.ai+64 9 888 0402
Level 8, 139 Quay Street
Auckland CBD, New Zealand

Voice Agents

  • AI Voice Agents
  • AI Receptionist NZ
  • AI Receptionist Australia
  • AI Phone Answering
  • AI Virtual Receptionist
  • AI Receptionist Pay As You Go
  • Waboom Concierge
  • Medical Answering Service
  • Answering Service Australia
  • AI Sales Agent
  • Voice Agent Pricing
  • Listen to Voices
  • Real Estate Guide

By Industry

  • Real Estate
  • Mortgage Brokers
  • Insurance Brokers
  • Property Managers
  • Medical Clinics
  • Dentists
  • Vets
  • Childcare + ECE
  • Car Dealerships
  • Construction + Builders
  • Electricians
  • Plumbers
  • HVAC
  • Accountants
  • Law Firms
  • All industries and regions

Workshops

  • AI Team Training
  • AI Strategy Workshop
  • AI Champion Workshop
  • Claude Team Training
  • Claude Code Workshop
  • Lovable Workshop
  • Free AI Workshop

Automation

  • AI Automation
  • Microsoft Copilot Agents
  • Integrations

Company

  • About Us
  • Contact
  • Partners
  • Pipedrive Partner
  • Resources
  • Blog
  • AI Agency NZ
  • AI Agency Australia

Powered by leading AI technologies

VAPIOpenAIZapierMakeStripe

© 2026 Waboom.ai. All rights reserved.

PrivacyTermsSecurity