Security + compliance
How we protect your data — and what we’re still working on.
Encryption at rest + in transit. SOC 2 Type II mid-audit. GDPR + CCPA-aligned data handling. Honest about where we are and where we are going.
Security pillars
SOC 2 Type II — in progress
We are mid-audit with a Big 4 firm. The Type I report is targeted for the next fiscal half; the Type II observation window has started. Updates are posted here as milestones land. Until the report ships, every Enterprise contract includes contractual security commitments.
Encryption at rest + in transit
All customer data is encrypted at rest with AES-256 (managed via our cloud provider’s KMS). Transit uses TLS 1.3. Voice + SMS payloads are encrypted end-to-end between the rep softphone and the tenant DB; recordings are encrypted at rest with per-tenant keys.
GDPR + CCPA stance
We are a US-based data controller for marketing data and a data processor for tenant data. Standard contractual clauses are in our DPA on request. Right-to-access, right-to-deletion, and right-to-portability requests are honored within 30 days; tenants can self-serve export from the admin dashboard.
Data residency + redundancy
Primary infrastructure is in US-East with a hot standby in US-West. Hourly Postgres backups are retained for 30 days, with weekly long-term retention of up to one year. EU tenants can request EU residency for Enterprise contracts.
Access controls
Internal access to production data is role-gated and audit-logged. SSO + SCIM provisioning ship in the Enterprise tier. Customer admins control rep-level role assignments + can revoke sessions globally.
Audit log + data export
Every write action is logged with actor, IP, and timestamp. Owners can export the full audit log + a snapshot of all tenant data as CSV / JSON from the admin dashboard at any time.
Compliance roadmap
- Now
  - Type I audit fieldwork in progress
  - TLS 1.3 + AES-256 KMS encryption everywhere
- Next 90 days
  - Penetration test by independent third party
  - Publish DPA + SCC templates publicly
- Following 6 months
  - SOC 2 Type II report
  - EU data residency option (Enterprise)
- Year 1
  - HIPAA-aligned BAAs (sales/scheduling use cases)
  - ISO 27001 scoping
Reporting a vulnerability
If you believe you have found a security issue, please email [email protected] with the details. We respond within one business day and acknowledge responsible disclosure publicly on this page when the issue is resolved.
Want our DPA or a copy of the SOC 2 progress letter?
We send both on request to prospective customers under NDA.