LAST UPDATED · JULY 5, 2026
Tenant isolation
- Every tenant's data is scoped by organization ID at the query layer — application code cannot touch tenant tables without an org binding. This isn't a convention; it's enforced by a dedicated database helper.
- Every list and detail API endpoint carries an automated tenant-isolation test: org B's users cannot read org A's data, verified on every build.
- Four fixed roles per organization (owner, admin, member, viewer) enforced server-side on every request; role changes are audit-logged.
Encryption & credentials
- All traffic is TLS-encrypted in transit (Cloudflare edge). Data at rest lives in Neon Postgres with storage-level encryption.
- Your provider credentials — Retell/ElevenLabs keys, telephony keys, DNC provider logins — are encrypted with AES-256-GCM before storage and are never returned to any client after you save them. They are decrypted only at the moment of an outbound provider call.
- Platform secrets are held as Cloudflare Worker secrets — never in code, git, or configuration files.
- Payment cards never touch our systems; billing runs entirely on Stripe.
Authentication & access
- Passwordless magic-link sign-in: single-use tokens, 15-minute expiry, stored hashed. Sessions are HttpOnly cookies backed by hashed tokens in the database.
- Optional TOTP two-factor authentication for owner and admin accounts is on the near-term roadmap.
- Internal production access is limited to the platform operator, with 2FA on every cloud account and no shared logins. Access is reviewed quarterly. Any platform-administrator action inside a tenant is written to that tenant's audit log.
TCPA & calling compliance tooling
Compliance is enforced by the machine, not the manual:
- Consent gate: leads arriving without consent evidence are marked ineligible at intake and can never enter a dial queue.
- DNC scrubbing: connect your own DNC data provider and every lead is scrubbed at intake and re-scrubbed before dialing whenever its last scrub is older than 31 days. Running without a provider requires an explicit, audit-logged acknowledgment and triggers persistent in-app warnings.
- Calling hours: dials only occur 8am–9pm in the lead's local time (derived from their state), intersected with your campaign windows. Unknown timezone → no dial. The gate fails closed.
- Suppression: "stop calling" adds the number to your suppression list immediately and permanently; checks run at intake and before every dial.
- Audit trail: configuration changes, compliance acknowledgments, sign-ins, and admin actions are written to an append-only audit log.
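The calling-hours gate above (fixed 8am–9pm lead-local window, intersected with the campaign window, unknown timezone means no dial), as an added illustration that is not the platform's own code. The state-to-timezone table, the `Decision` type and the `dial_allowed` signature are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Constructed partial state -> IANA zone map; a production table is larger and
# must resolve states that span two zones more finely than by state alone.
STATE_TZ = {"NY": "America/New_York", "TX": "America/Chicago",
            "CO": "America/Denver", "CA": "America/Los_Angeles"}

# Fixed legal window in the lead's local wall-clock time.
LEGAL_START, LEGAL_END = time(8, 0), time(21, 0)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def local_now(state: str | None, now_utc: datetime) -> datetime | None:
    """Lead-local time, or None when no timezone can be derived from the state."""
    if not state:
        return None
    zone = STATE_TZ.get(state.strip().upper())
    if zone is None:
        return None
    return now_utc.astimezone(ZoneInfo(zone))


def dial_allowed(state: str | None, now_utc: datetime,
                 campaign_start: time, campaign_end: time) -> Decision:
    """Fail-closed gate: dial only inside legal window ∩ campaign window."""
    if now_utc.tzinfo is None:
        return Decision(False, "naive timestamp")      # ambiguous input: refuse
    local = local_now(state, now_utc)
    if local is None:
        return Decision(False, "unknown timezone")     # policy: no dial
    # Same-day windows only; a campaign window crossing midnight yields an
    # empty intersection with 8am-9pm and therefore no dial.
    start = max(LEGAL_START, campaign_start)
    end = min(LEGAL_END, campaign_end)
    if start >= end:
        return Decision(False, "empty window")
    now_local = local.time()
    if start <= now_local < end:
        return Decision(True, f"within {start:%H:%M}-{end:%H:%M} {local.tzname()}")
    return Decision(False, f"outside window, local time {now_local:%H:%M}")
```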
SOC 2 program (in progress)
We operate the following controls today, accreted from day one rather than bolted on before an audit:
- Documented access policy with quarterly access reviews and same-day offboarding.
- Vendor inventory covering every subprocessor, the data each touches, and its authentication method.
- Written incident-response runbook with severity levels; compliance-feature failures (for example, DNC scrubbing down) are treated as SEV2 and pause affected dialing first, investigate second.
- Append-only audit logging, role-based access control, and encrypted credential storage as described above.
- Error tracking with PII scrubbing enabled; product analytics carry no lead personal data by policy.
The formal SOC 2 Type II audit engagement is planned as the customer base grows. Enterprise buyers who need our control documentation earlier can request it through the contact form.
Data handling & privacy
- Lead data belongs to the tenant that imported it. We never sell, share, or cross-pollinate lead data between tenants.
- Call recordings and transcripts are stored for your compliance and QA use, governed by your retention choices.
- Per-person data export and deletion workflows (including recordings) are part of the launch-window roadmap; deletion requests are honored manually until the self-serve tooling ships.
- Subprocessors: Cloudflare (hosting/TLS), Neon (database), Stripe (billing), Resend (transactional email), Sentry (error tracking), PostHog (product analytics). Full details in the privacy policy.
Incident response
Data incidents are contained first (affected dialing paused, exposed secrets rotated immediately), assessed against the evidence trail, and affected tenants are notified by email within 72 hours — sooner where law or contract requires. Post-mortems are written within five business days.
Reporting a vulnerability
Found something? Please tell us before you tell the internet — use the contact form with "SECURITY" in the message and we'll respond within one business day. We're grateful to researchers who disclose responsibly.