Security & Compliance
Built for the audit.
Built for HIPAA workloads, with controls engineered to SOC 2 Type II and ISO 27001 and a VAPT-ready posture — designed in from day one, not bolted on. Formal certification is in progress.
Compliance posture
Engineered against the standards that matter.
The frameworks your InfoSec and procurement teams will ask about — and the controls we built for each. We're pursuing formal SOC 2 Type II and ISO 27001 certification; HIPAA workloads are supported under BAA.
HIPAA
- Append-only audit trail on every sensitive write
- PHI annotation + redaction, encrypted at rest
- Soft-delete retention & strict access controls
SOC 2 Type II
- Session & login audit (CC7.2)
- Single-use token rotation (CC6.1)
- Change-management logging (CC1.2) + anomaly alerts
ISO 27001
- A.12.4 structured security-event logging
- IP + user-agent captured on every event
VAPT-ready
- Input validation, parameterised queries
- No stack-trace leakage, rate limiting
- Hardened headers + SSRF controls
TCPA / FTC
- DNC enforced at import and dial time
- Configurable ring timeouts
- The 3% abandon-rate governor
Security controls
Defense in depth, end to end.
Authentication
- JWT access ≤15m + refresh ≤8h, single-use rotation
- bcrypt cost-12 hashing · TOTP 2FA
- Account lockout (10 fails → 30-min) · single session
- Auth rate-limiting with IP ban
Encryption
- AES-256-GCM envelope encryption at rest
- Recordings, SIP, TOTP & integration secrets
- TLS in transit · env-only key management
- SSE-KMS on S3
Hardening
- Helmet — CSP, HSTS, X-Frame-Options, nosniff
- Locked CORS · request-size limits
- Validation at every boundary · parameterised Prisma
- HS256 algorithm pinning · Redis fail-closed checks
Data protection
- PHI masking (configurable digit count)
- PHI-blocked real-time socket payloads
- Org-scoped isolation — cross-org returns 404
- Audit redaction of phone / email / name / secrets
Need the paperwork?
Our security overview, the BAA and DPA, a subprocessor list and controls & data-flow documentation — available under NDA. SOC 2 Type II and ISO 27001 reports follow as certification completes.
Questions
Security FAQ
Yes. AES-256-GCM envelope encryption protects call recordings and every stored secret (SIP passwords, TOTP secrets, integration/SMTP/WhatsApp credentials). S3 storage adds SSE-KMS, and all traffic is TLS in transit.
Every database query is org-scoped at the data layer. A request for another organisation's record returns “not found,” never a leak — isolation is enforced by default, not by convention.
Short-lived JWT access tokens (≤15m) with single-use refresh rotation, bcrypt cost-12 hashing, TOTP 2FA, account lockout after 10 failed attempts, single-session enforcement, and auth rate-limiting with IP banning.
PHI fields are annotated and masked with a configurable digit count, real-time socket payloads are PHI-blocked, and the audit log redacts phone numbers, emails, names and secrets automatically.
Yes. We'll sign a BAA — TelVox is built for HIPAA workloads — and a DPA, and we can share our security overview, controls summary and subprocessor list under NDA. SOC 2 Type II and ISO 27001 certification are in progress; we'll share those reports as they're completed.
Bring your toughest security questions.
We'll walk your team through the controls, the audit trail and the data-flow on a live call.