Skip to content

Security & Compliance

Built for the audit.

Built for HIPAA workloads, with controls engineered to SOC 2 Type II and ISO 27001 and a VAPT-ready posture — designed in from day one, not bolted on. Formal certification is in progress.

audit_log · append-onlywriting
REC-04recording.fetch signed-url issuedscope=org_8f3a
AUTHlogin.success totp_verified=truescope=org_8f3a
ENCRenvelope.seal aes-256-gcm key=envscope=org_8f3a
PHIlead.update phone masked +1•••••1234scope=org_8f3a
SCOPEaccess.denied cross_org → 404scope=org_11b2
AUDITdisposition.write category=salescope=org_8f3a
AES-256-GCM at rest

Compliance posture

Engineered against the standards that matter.

The frameworks your InfoSec and procurement teams will ask about — and the controls we built for each. We're pursuing formal SOC 2 Type II and ISO 27001 certification; HIPAA workloads are supported under BAA.

HIPAA

  • Append-only audit trail on every sensitive write
  • PHI annotation + redaction, encrypted at rest
  • Soft-delete retention & strict access controls

SOC 2 Type II

  • Session & login audit (CC7.2)
  • Single-use token rotation (CC6.1)
  • Change-management logging (CC1.2) + anomaly alerts

ISO 27001

  • A.12.4 structured security-event logging
  • IP + user-agent captured on every event

VAPT-ready

  • Input validation, parameterised queries
  • No stack-trace leakage, rate limiting
  • Hardened headers + SSRF controls

TCPA / FTC

  • DNC enforced at import and dial time
  • Configurable ring timeouts
  • The 3% abandon-rate governor

Security controls

Defense in depth, end to end.

Authentication

  • JWT access ≤15m + refresh ≤8h, single-use rotation
  • bcrypt cost-12 hashing · TOTP 2FA
  • Account lockout (10 fails → 30-min) · single session
  • Auth rate-limiting with IP ban

Encryption

  • AES-256-GCM envelope encryption at rest
  • Recordings, SIP, TOTP & integration secrets
  • TLS in transit · env-only key management
  • SSE-KMS on S3

Hardening

  • Helmet — CSP, HSTS, X-Frame-Options, nosniff
  • Locked CORS · request-size limits
  • Validation at every boundary · parameterised Prisma
  • HS256 algorithm pinning · Redis fail-closed checks

Data protection

  • PHI masking (configurable digit count)
  • PHI-blocked real-time socket payloads
  • Org-scoped isolation — cross-org returns 404
  • Audit redaction of phone / email / name / secrets

Need the paperwork?

Our security overview, the BAA and DPA, a subprocessor list and controls & data-flow documentation — available under NDA. SOC 2 Type II and ISO 27001 reports follow as certification completes.

Request documents

Questions

Security FAQ

Yes. AES-256-GCM envelope encryption protects call recordings and every stored secret (SIP passwords, TOTP secrets, integration/SMTP/WhatsApp credentials). S3 storage adds SSE-KMS, and all traffic is TLS in transit.

Every database query is org-scoped at the data layer. A request for another organisation's record returns “not found,” never a leak — isolation is enforced by default, not by convention.

Short-lived JWT access tokens (≤15m) with single-use refresh rotation, bcrypt cost-12 hashing, TOTP 2FA, account lockout after 10 failed attempts, single-session enforcement, and auth rate-limiting with IP banning.

PHI fields are annotated and masked with a configurable digit count, real-time socket payloads are PHI-blocked, and the audit log redacts phone numbers, emails, names and secrets automatically.

Yes. We'll sign a BAA — TelVox is built for HIPAA workloads — and a DPA, and we can share our security overview, controls summary and subprocessor list under NDA. SOC 2 Type II and ISO 27001 certification are in progress; we'll share those reports as they're completed.

Bring your toughest security questions.

We'll walk your team through the controls, the audit trail and the data-flow on a live call.