Trust posture that matches reality, before the enterprise claims.
Harbor’s trust posture should match reality. The goal is to show what is protected now, what is still manual, and what has not been earned yet.
What is true today
The Harbor console is now gated behind a shared access password instead of pretending that per-user authentication already exists.
Agent editing, call browsing, and manual outbound calling are restricted to console sessions that have presented that access password.
Live callback demos are limited in number and scope to reduce abuse and avoid accidental telephony spend.
Harbor should not claim SOC 2, HIPAA, PCI, or global compliance until those controls exist in reality.
Security pillars
Encryption everywhere
Use the real transport guarantees from the current stack, and avoid inventing enterprise security language that is not backed by controls yet.
Zero audio retention by default
Harbor currently stores only the call metadata and transcript paths that are actually implemented. Recording and retention should be described carefully, not implied everywhere.
Multi-region, multi-provider failover
Do not market fictional multi-region active-active infrastructure. Current reliability comes from a narrower, inspectable stack and manual oversight.
Data residency by region
Region and residency claims should be added only after the storage, hosting, and processor chain actually support them.
Every call is audit-logged
Today Harbor keeps practical call logs, a record of agent edits, and transcripts where configured. That is useful for pilots, but it is not the same as a finished audit program.
Responsible AI safeguards
The best safeguard right now is selling narrow workflows, reviewing real calls, and keeping a human in the loop instead of automating recklessly.
Need a security-fit review?
If a buyer needs a DPA, retention controls, or a provider review, scope that work during pilot planning instead of implying that every framework is already covered.