Security & Trust

Enterprise-grade security to protect your business and customer data

End-to-End Encryption

All data is encrypted using AES-256 at rest and TLS 1.3 in transit.

Access Controls

Role-based access control with multi-factor authentication for all accounts.

Secure Infrastructure

Hosted on SOC 2 compliant cloud infrastructure with 99.9% uptime SLA.

Audit Logging

Comprehensive logging of all access and changes for security monitoring.

Incident Response

24/7 security monitoring with documented incident response procedures.

Employee Security

Background checks and regular security training for all team members.

Compliance & Certifications

We maintain rigorous security standards and are committed to achieving and maintaining industry-recognized certifications.

SOC 2 Type II

Our infrastructure and processes are designed to meet SOC 2 requirements for security, availability, and confidentiality.

GDPR Compliant

Full compliance with the EU General Data Protection Regulation, including data subject rights and transfer mechanisms.

CCPA Ready

Compliance with the California Consumer Privacy Act requirements for California residents.

TCPA Compliance Tools

Built-in disclosure features to help you comply with the Telephone Consumer Protection Act requirements.

Data Encryption

Encryption at Rest

All data stored in our systems is encrypted using AES-256 encryption. This includes:

  • Call recordings and transcripts
  • Customer and lead information
  • Account credentials and API keys
  • Database backups

Encryption in Transit

All data transmitted between your browser, our servers, and third-party services is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol.

  • HTTPS for all web traffic (HSTS enforced)
  • TLS 1.3 for API communications
  • Encrypted VoIP connections for voice data
  • Secure WebSocket connections for real-time features

Infrastructure Security

Cloud Infrastructure

Our application is hosted on enterprise-grade cloud infrastructure that provides:

  • SOC 2 Type II certified data centers
  • Geographic redundancy for high availability
  • Automatic scaling to handle traffic spikes
  • 99.9% uptime SLA
  • DDoS protection and mitigation

Network Security

  • Web Application Firewall (WAF) protection
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning
  • Network segmentation and isolation

Access Controls

Authentication

  • Secure password requirements with hashing (bcrypt)
  • Multi-factor authentication (MFA) support
  • OAuth 2.0 social login options
  • Session management with automatic timeout
  • API key authentication with rotation support

Authorization

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Row-level security in the database
  • Audit trails for administrative actions

Data Protection

Data Retention

We follow data minimization principles and retain data only as long as necessary:

  • Call recordings: 90 days by default (configurable)
  • Transcripts: 90 days by default (configurable)
  • Lead data: Duration of account
  • Audit logs: 1 year for security purposes

Data Deletion

We provide tools for data deletion in compliance with privacy regulations:

  • Self-service data export and deletion
  • Account deletion with complete data removal
  • Automated retention policy enforcement
  • Certificate of deletion available upon request

Incident Response

We maintain a comprehensive incident response program that includes:

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Defined escalation paths and responsibilities
  • Post-incident review and improvement process

Breach Notification

In the event of a data breach affecting customer data, we will notify affected customers within 72 hours in accordance with GDPR requirements and our Data Processing Agreement.

Vendor Security

We carefully evaluate and monitor all third-party vendors that process data:

  • Security assessment before onboarding
  • Data Processing Agreements in place
  • Regular security review of vendor practices
  • Subprocessor list available in our Data Processing Agreement

Security Practices

Development Security

  • Secure coding practices and code review
  • Dependency vulnerability scanning
  • Static and dynamic application security testing
  • Separation of development, staging, and production environments

Operational Security

  • Change management procedures
  • Regular security patching
  • Backup and disaster recovery testing
  • Business continuity planning

Report a Vulnerability

We appreciate the security research community's efforts in helping us maintain the security of our platform. If you discover a security vulnerability, please report it responsibly.

Security Contact

Email: security@callsorbit.com

Please include detailed information about the vulnerability and steps to reproduce. We will acknowledge receipt within 24 hours.

Questions?

For security-related questions or to request additional information about our security practices, please contact us at security@callsorbit.com or support@callsorbit.com.