Why Call Recording Is More Than a Feature Toggle
Call recording in Webex Calling is not a single switch. It’s a stack of decisions — recording provider, recording mode, storage location, retention policy, compliance announcements, and access controls — that interact with each other and with the regulatory environment the organization operates in. Get the stack right and recording is a reliable operational and compliance tool. Treat it as a checkbox item and you end up with recordings that don’t meet regulatory requirements, storage that fills up unexpectedly, or a legal hold situation with no way to retrieve the right recordings.
This article covers how call recording works in Webex Calling, what the provider options are, how to configure recording correctly for compliance use cases, and what the storage and retention decisions actually involve.
Before configuring call recording, your users should already be provisioned and your Control Hub setup should be complete. The foundation is covered in Control Hub Deep Dive — Configuring Users, Locations, and Calling Features and Webex Calling Cloud Deployment — Full Setup Walkthrough (Part 1).
How Webex Calling Recording Works
Webex Calling recording operates at the platform level — recordings are captured by the Webex Calling cloud or by a third-party provider integrated via SIPREC, not by software on the endpoint. This means recording behavior is consistent regardless of what device the user is on: desk phone, Webex App on desktop, Webex App on mobile. The recording follows the call, not the device.
Recording is configured per user, per workspace, or per virtual line in Control Hub. An administrator enables recording for specific users — it is not on by default for all users in the organization. The recording provider and mode are also configured at the admin level, though users with the appropriate permissions can control on-demand recording from the Webex App.
Recording Providers
Webex Calling supports two categories of recording provider: the built-in Webex provider and Cisco-certified third-party providers. The right choice depends on the organization’s recording requirements.
Built-In Webex Recording
The native Webex recording provider is included with Webex Calling at no additional cost for basic use. All Webex Calling customers have access to Webex Call Recording. Webex recordings are currently configured with a retention period of one year, and the storage per organization is 100GB.
The built-in provider is appropriate for organizations that need call recording for quality assurance, training, and general reference — not for regulated industries with mandatory compliance recording requirements. Recordings are stored in the Webex cloud, accessible through Control Hub and User Hub, and can be downloaded or played back by administrators and users with appropriate permissions.
Webex Calling administrators can manage the retention settings for call recordings. Customers can purchase a paid add-on for additional storage beyond the default allocation if Webex is the call recording provider. Administrators can track and monitor storage usage directly from Control Hub.
For organizations that need more than the default 100GB or the one-year retention period, the paid storage add-on extends both. This is sufficient for many SMB and mid-market deployments with general recording needs.
Dubber Go
Dubber Go is available to all users at no cost and provides unlimited recordings with a 30-day retention window. Recordings are user-managed rather than admin-managed — they are not centrally accessible by compliance officers or administrators. This makes Dubber Go unsuitable for compliance use cases but useful as a personal call reference tool for individual users.
Cisco-Certified Third-Party Compliance Recording Providers
For organizations in regulated industries — financial services, healthcare, legal, government — the built-in Webex provider and Dubber Go are not sufficient. Compliance recording in these environments requires immutable storage, extended retention, legal hold capabilities, eDiscovery access, and audit trails that the built-in provider doesn’t provide.
Webex Calling supports selected Cisco-certified third-party compliance recording solutions. These integrate with Webex Calling via SIPREC — Session Recording Protocol — a standardized SIP-based protocol for recording media streams. The SIPREC integration captures the call media at the platform level and delivers it to the recording provider’s platform for storage, indexing, and compliance management.
Cisco-certified compliance recording providers currently available through CCW include:
Dubber (paid tiers beyond Dubber Go) — cloud-native recording with compliance tiers, unlimited retention options, AI-powered voice analytics, and native Webex Calling integration. Available for regulated industries with FINRA, MiFID II, GDPR, and HIPAA compliance capabilities.
CallCabinet — offers unlimited cloud storage space or the option to move recordings to the customer’s on-premises local storage. Orderable through Cisco Commerce Workspace (CCW). Positioned for organizations that need compliance recording with flexible storage options.
Calabrio — extends compliance recording from Webex Contact Center to Webex Calling. Appropriate for organizations running both a contact center and a broader Webex Calling deployment who want unified recording management across both platforms.
Eleveo — a cloud-based solution for compliance, automated quality management, screen recording, transcription, and speech analytics. Provides a single platform integrating Webex Calling and other Cisco collaboration and contact center solutions.
Imagicle — configured directly in Control Hub with a compliance recording focus, unlimited cloud storage, and Webex App integration for playback and management.
The right third-party provider depends on the regulatory framework in scope, the organization’s existing vendor relationships, storage requirements, and whether AI analytics or transcription capabilities are part of the requirement. Evaluate providers against the specific regulations that apply — a financial services firm with MiFID II obligations has different requirements than a healthcare organization with HIPAA obligations.
Recording Modes
Webex Calling supports three recording modes. The mode is configured per user or workspace in Control Hub.
Always — every call is recorded automatically from the moment it connects. The user cannot stop or pause the recording. This is the correct mode for mandatory compliance recording environments where regulatory requirements prohibit gaps in the recording.
Always with Pause/Resume — every call is recorded automatically, but the user can pause and resume the recording during the call. This mode accommodates scenarios where specific portions of a call must not be recorded — for example, when a caller provides a credit card number. PCI DSS compliance often requires that payment card data not be captured in recordings; pause/resume allows agents to pause during the payment capture and resume afterward. The pause and resume actions are logged in the recording metadata.
On-demand — recording is not automatic. The user initiates recording manually during an active call from the Webex App or a physical phone button. This mode is appropriate for quality assurance and training use cases where selective recording is acceptable. It is not appropriate for mandatory compliance recording environments — on-demand recording creates gaps that regulators do not accept as a compliant recording posture.
The mode selection is a compliance decision, not an operational preference. Regulated industries with mandatory recording requirements must use Always or Always with Pause/Resume. Using on-demand recording in a mandatory recording environment exposes the organization to regulatory risk regardless of how diligently users initiate recordings.
Compliance Announcements
Most jurisdictions require that parties to a recorded call be notified that the call is being recorded. Webex Calling handles this through configurable compliance announcements — a recorded message played at the start of the call informing the caller that recording is in progress.
Navigate to Calling > Compliance > Call Recording in Control Hub to configure the compliance announcement at the organization level. The announcement can be overridden at the location level for organizations where different locations operate under different regulatory requirements.
The compliance announcement audio is not captured in the recording itself. If the call was recorded, the metadata sent to the recording provider includes information about whether the compliance announcement was played. User and workspace level announcement settings take precedence only if the compliance announcement isn’t played, and this applies only for inbound calls.
A few operational points on compliance announcements:
One-party vs two-party consent. Recording consent requirements vary by jurisdiction. In the United States, federal law requires one-party consent, but many states require all-party consent. California, Illinois, and a number of other states require that all parties be notified. The compliance announcement satisfies the notification requirement in all-party consent jurisdictions when properly configured.
International calls. For organizations that regularly call internationally, research the recording consent requirements in the countries being called. EU member states under GDPR have specific requirements around recording consent that differ from US federal law. Recording a call with a party in a country that requires explicit consent without obtaining it is a compliance failure regardless of what your domestic regulations say.
The announcement is not a substitute for legal advice. Recording consent requirements are jurisdiction-specific and change. The compliance announcement in Webex Calling satisfies the technical notification requirement — whether that notification satisfies the legal requirement in your specific regulatory environment is a legal question, not a configuration question.
Storage and Retention
Default Storage — Built-In Webex Provider
The built-in Webex recording provider stores recordings in Cisco’s cloud with a default retention period of one year and 100GB of storage per organization. For most SMB deployments with moderate call volume, 100GB is sufficient. Organizations with high call volume — large contact centers, financial services teams with mandatory recording across hundreds of users — will exhaust 100GB quickly.
Monitor storage usage proactively through Control Hub. A storage cap that fills unexpectedly stops new recordings from being captured — a compliance failure in mandatory recording environments. Purchase the storage add-on before you approach the limit, not after.
Third-Party Provider Storage
Third-party compliance recording providers handle storage independently of Webex’s built-in 100GB allocation. CallCabinet offers both cloud and on-premises storage options. Dubber’s paid tiers provide unlimited cloud storage. Calabrio and Eleveo have their own storage architectures.
For organizations with data residency requirements — regulations that require recorded call data to be stored within a specific geographic region — verify that your chosen provider can meet those requirements before selecting them. Not all providers offer storage in all regions. Webex Calling supports configurable data storage regions for user-generated content, which is relevant for organizations operating under EU data protection regulations or similar regional data residency requirements.
Retention Policy
Retention policy defines how long recordings are kept before automatic deletion. The right retention period is determined by the regulatory framework in scope, not by storage cost.
Common regulatory retention requirements:
FINRA (financial services — US) — requires retention of voice communications for a minimum of three years, with the first two years in an easily accessible location.
MiFID II (financial services — EU) — requires retention of relevant telephone conversations for a minimum of five years, or up to seven years if requested by a regulatory authority.
HIPAA (healthcare — US) — does not specify a retention period for call recordings specifically, but recordings that contain protected health information are subject to HIPAA’s broader documentation retention requirements — generally six years from creation or last effective date.
PCI DSS (payment card industry) — prohibits storage of sensitive authentication data post-authorization. Recordings captured during payment card transactions must either have the sensitive data paused out using Always with Pause/Resume mode, or be handled under a documented PCI-compliant storage architecture.
General business — organizations without specific regulatory recording requirements typically retain recordings for 30 to 90 days for quality assurance purposes. Longer retention increases storage costs without corresponding business value in non-regulated environments.
Configure retention policy in Control Hub under Calling > Compliance for the built-in Webex provider. For third-party providers, retention policy is configured in the provider’s management platform.
Legal Hold
In litigation or regulatory investigation scenarios, recordings that would otherwise be subject to automatic deletion must be placed on legal hold — preserved beyond the standard retention period until the hold is lifted. The built-in Webex compliance tools support legal hold through the compliance officer role in Control Hub.
Webex Calling supports searching through content subject to data retention periods or legal hold, including content from users who have left the organization. Data is stored from September 2023 onward and is subject to the organization’s data retention periods.
Third-party compliance recording providers typically have more robust legal hold capabilities than the built-in Webex provider — dedicated legal hold workflows, custodian management, and integration with eDiscovery platforms. For organizations in industries where litigation involving call records is a realistic scenario, a third-party provider with dedicated legal hold capabilities is worth the investment.
Configuring Recording in Control Hub
Enabling Recording for Users
Navigate to Management > Users > select user > Calling > Call Recording. Toggle recording on and select the recording mode — Always, Always with Pause/Resume, or On-demand. Select the recording provider if your organization has multiple providers configured.
For bulk enabling across many users, the CSV user import process supports recording configuration as part of the user attributes. For large deployments where all users in a specific group or location need recording enabled, bulk configuration through CSV is significantly faster than per-user configuration.
Selecting the Recording Provider
Navigate to Calling > Features > Call Recording at the organization level in Control Hub to configure which recording provider is active. If a third-party provider has been provisioned for your organization, it appears here alongside the built-in Webex provider.
The provider selection at the organization level sets the default. Individual users can be configured to use a different provider if the organization has multiple providers — for example, using a compliance provider for regulated users and the built-in Webex provider for non-regulated staff.
Compliance Officer Access
The compliance officer role in Control Hub provides access to recording search, playback, download, and legal hold management without granting full admin access. Assign the compliance officer role to the appropriate personnel under Management > Administrators in Control Hub.
All searches carried out by compliance officers are logged for audit. This audit trail of compliance officer activity is itself a compliance requirement in many regulated industries — regulators expect to see that access to recordings is controlled and that access events are logged.
Regulatory Frameworks Overview
Call recording compliance in regulated industries is driven by the regulatory framework in scope. This is not an exhaustive legal guide — regulations change and jurisdiction-specific requirements require legal counsel — but the frameworks that most commonly drive mandatory recording in Webex Calling deployments are:
Financial services (US) — FINRA / SEC Rule 17a-4: Requires broker-dealers to supervise communications, which includes recording and retention of telephone communications for registered representatives. Three-year minimum retention with the first two years in an easily accessible location. Organizations subject to these rules need a compliance recording solution with immutable storage, defined retention periods, and audit trail capabilities.
Financial services (EU) — MiFID II: Requires investment firms to record telephone conversations and electronic communications related to client orders and transactions. Five-year minimum retention with the possibility of seven years on regulatory request. Immutable storage and tamper-evidence are explicit requirements.
Healthcare (US) — HIPAA: The Privacy and Security Rules apply to any recording that captures Protected Health Information. This includes telehealth calls, any call where a patient’s health information is discussed, and administrative calls that reference patient records. HIPAA-compliant recording requires an appropriate Business Associate Agreement with the recording provider, encryption at rest and in transit, and access controls that limit who can retrieve recordings.
PCI DSS: Applies to any organization that captures, transmits, or stores payment card data. Recordings that include spoken card numbers, CVV codes, or PINs must either prevent capture of that data through pause/resume, or be processed under a PCI-compliant storage architecture. Most compliance recording providers offer PCI-compliant modes — confirm the specific controls before deploying in a cardholder data environment.
The common thread across all of these frameworks: mandatory recording, defined retention periods, immutable storage that prevents tampering, access controls with audit trails, and legal hold capability for investigations. The built-in Webex provider meets some of these requirements for basic use cases. A purpose-built third-party compliance recording provider meets all of them for regulated environments.
Common Recording Configuration Mistakes
Using on-demand recording in a mandatory compliance environment. On-demand recording creates gaps. Regulators interpret gaps as missing records, not as calls that didn’t warrant recording. If recording is mandatory, use Always or Always with Pause/Resume.
Not configuring the compliance announcement. Calling recorded parties without notification violates consent laws in all-party consent jurisdictions. Configure and test the compliance announcement before enabling recording at scale.
Ignoring storage limits on the built-in provider. The 100GB default fills up in high-volume environments. Set up storage usage alerts in Control Hub and purchase the add-on before you hit the limit. A storage cap that stops recording is a compliance failure, not an inconvenience.
Choosing a provider without verifying regulatory alignment. Not all recording providers are certified or configured for every regulatory framework. Verify that your chosen provider has been assessed against the specific regulations in scope — FINRA, MiFID II, HIPAA — before going live.
No legal hold process defined. Organizations in regulated industries that don’t have a documented legal hold process for recordings will scramble when litigation or a regulatory inquiry arrives. Define the process, configure the compliance officer role, and test the legal hold workflow before you need it.
Recording retention set shorter than the regulatory requirement. Configuring a 90-day retention period in a FINRA-regulated environment that requires three-year retention is a compliance failure that may not surface until an examination. Set retention policy against the regulatory requirement, not against storage cost optimization.
Final Thoughts
Call recording in Webex Calling is straightforward for general quality assurance and training use cases — the built-in provider, configured in Control Hub, handles it without additional infrastructure. For regulated industries, the picture is more involved: provider selection, recording mode, consent announcements, immutable storage, retention policy, and legal hold capability all need to be addressed before the first recorded call goes live.
The decision point is simple: if recording is a compliance requirement under a regulatory framework, use a Cisco-certified third-party compliance recording provider. The built-in Webex provider is not designed for that use case. If recording is for operational quality purposes with no regulatory mandate, the built-in provider is sufficient for most deployments.
Get legal counsel involved in the compliance recording design for regulated industries. The configuration decisions in Control Hub are the technical implementation of a compliance posture — that posture needs to be defined by someone who understands the regulatory obligations, not reverse-engineered from what the platform makes easy.