VICIagent

Security

Updated 2026-05

We treat security as a customer-facing feature, not a back-office process. This page is a plain-language summary of the controls in place today.

Data in transit

  • TLS 1.2+ enforced everywhere customer traffic terminates. HSTS preload, 1-year max-age, includeSubDomains. No mixed-content allowed.
  • Origin certificates issued and rotated by Cloudflare. No long-lived self-signed certs on production hosts.
  • SIP signalling between Kamailio and FreeSWITCH is on a private LAN; no SIP listens on a public socket.

Data at rest

  • Customer call recordings stored on Cloudflare R2 with at-rest encryption. Each recording is signed-URL gated — operators access via the dashboard, never direct R2 links.
  • Database is PostgreSQL 17 with full-volume encryption at the disk level. Replication and backups encrypted in transit and at rest.
  • Per-account data residency: US or EU, set at signup. The region locks the moment the first call is placed.

Authentication

  • Password hashes use Argon2id with sensible defaults.
  • TOTP-based 2FA available for every user; required for platform-admin actions in our internal tools.
  • Single sign-on via Google + Microsoft Entra. SSO providers must return a verified email before we'll auto-link an account.
  • Session cookies are RS256-signed JWTs, httpOnly, secure, sameSite=lax. "Sign out everywhere" is one click and invalidates every device in <60 seconds.

Network

  • No direct SSH on production VMs — operations access goes through Cloudflare Tunnel.
  • WAF + DDoS protection at the Cloudflare edge. Rate limits on every public endpoint.
  • Cloudflare Turnstile gates signup so bots can't farm trial credits.

Compliance

  • GDPR Article 20 (data export) and Article 17 (right to erasure) are self-service from your Settings → Privacy page.
  • TCPA calling hours enforced per lead timezone (not account timezone). Two-party consent announcement auto-injected for CA, FL, IL, PA, WA, MD, MA, NH, OR, NV, CT.
  • HIPAA mode (no recording, 30-day retention) available on Enterprise plans — contact sales.
  • SOC 2 Type I audit is on the 2026 roadmap.

Reporting a vulnerability

We don't run a paid bug bounty yet, but we respond to good-faith reports within 1 business day and credit reporters in our security.txt once a fix ships. [email protected] — PGP available on request.

© 2026 VICIagent. All rights reserved.