Security
Phoneless handles real conversations between you and your customers. We design and operate the platform with that responsibility in mind. This page summarizes our practices; for our full security documentation or a SIG/CAIQ response, email security@phoneless.us.
Encryption
- TLS 1.2+ for all data in transit, including telephony media (SRTP).
- AES-256 for data at rest, including call recordings, transcripts, and database storage.
- Secrets and API keys stored in a managed secrets vault with envelope encryption.
Access control
- Role-based access control for all customer-facing accounts.
- Single sign-on (SSO via SAML / OIDC) available on Multi-location plans.
- Mandatory two-factor authentication for all Phoneless employees.
- Production access restricted to a small on-call group; every action logged.
Compliance
- SOC 2 Type II audit in progress (target completion: Q4 2026).
- HIPAA-eligible plans available for healthcare customers, with a Business Associate Agreement.
- GDPR and CCPA aligned; see our Privacy Policy and DPA.
- Annual third-party penetration testing.
Infrastructure
- Hosted on AWS in the United States, with multi-region failover for the booking layer.
- 99.95% uptime SLA on Studio and Multi-location plans.
- Daily encrypted backups with 90-day retention; backups purged afterward.
Subprocessors
We use a small number of vetted subprocessors to deliver the Service:
- Twilio — telephony, SMS routing
- Anthropic, OpenAI — AI model inference
- AWS — compute, storage, database
- Vercel — web hosting
- Stripe — payments
- Sentry — error monitoring
We notify customers at least 30 days before adding new subprocessors that handle customer data; you may object before the change takes effect.
Incident response
- 24/7 on-call rotation for security and availability.
- Customer notification within 72 hours of confirmed breaches affecting your data.
- Public postmortems for major incidents.
Data retention and deletion
- Call recordings auto-delete after 90 days (configurable down to 24 hours).
- Transcripts persist until you delete them or close your account.
- All customer data is deleted within 30 days of account closure.
Vulnerability disclosure
We welcome security research. Email security@phoneless.us with details. Please give us reasonable time to remediate before public disclosure. We acknowledge valid reports and recognize researchers in our security hall of fame.