Security & Compliance
Enterprise-grade protection for every call, every contact, every conversation.
Infrastructure Security
Encryption in Transit
TLS 1.3 on all connections. HSTS with preload. No unencrypted endpoints.
Encryption at Rest
AES-256 encryption on Google Cloud Platform. All data — contacts, recordings, transcripts — encrypted at rest.
Hosting
Web application on Vercel (SOC 2 Type II). Call engine on Fly.io. Database on Google Cloud Firestore with automatic multi-region replication.
Network Security
Content Security Policy, rate limiting, HMAC-signed webhooks, DDoS protection via Vercel and Cloudflare.
Data Protection
Multi-tenant Isolation
Every organization's data is strictly scoped. Firestore security rules enforce org-level access on every read and write.
Automatic Data Retention
Call recordings automatically deleted after 90 days (configurable). Metadata and transcripts retained per your settings.
Data Export & Deletion
Export all your data on demand. Request full account deletion at any time. We comply within 30 days.
PII Handling
Server-side log redaction. No sensitive data in client-side analytics. API keys stored as SHA-256 hashes.
Access Controls
Authentication
Email + password or Google OAuth. Optional TOTP multi-factor authentication via authenticator app.
Role-Based Access
Owner and Member roles with scoped permissions. Invite-based team management.
Session Management
Automatic session timeout after 15 minutes of inactivity. 8-hour maximum session duration.
API Security
API keys with ps_live_ / ps_test_ prefixes. Rate limiting (100 req/min standard). HMAC-SHA256 signed webhook payloads.
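As an added illustration (not Phone Stack's own code), the snippet below shows how the two controls above fit together: API keys carrying the ps_live_ / ps_test_ prefix are stored only as SHA-256 digests, and webhook payloads are signed with HMAC-SHA256 and verified in constant time with a freshness window. The key format beyond the prefix, the timestamp binding and the tolerance value are assumptions, not the documented format.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example. Only the ps_live_/ps_test_ prefixes, SHA-256 key
# storage and HMAC-SHA256 webhook signing come from the page; the rest is assumed.
KEY_PREFIXES = ("ps_live_", "ps_test_")


def hash_api_key(api_key: str) -> str:
    """Plain SHA-256 is adequate here because the key is high-entropy random
    material (unlike a password); the plaintext is shown to the user once."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_api_key(environment: str) -> Tuple[str, str]:
    """Return (plaintext key for the caller, digest to persist server-side)."""
    key = f"ps_{environment}_" + secrets.token_urlsafe(24)
    return key, hash_api_key(key)


def lookup_api_key(presented: str, stored: Dict[str, str]) -> Optional[str]:
    """Resolve a presented key to its organization, or None if unknown."""
    if not presented.startswith(KEY_PREFIXES):
        return None  # reject malformed keys before touching the store
    digest = hash_api_key(presented)
    for known_digest, org in stored.items():
        if hmac.compare_digest(known_digest, digest):
            return org
    return None


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Bind the timestamp into the MAC so a captured payload cannot be replayed
    outside the freshness window (assumed "<ts>.<body>" layout)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp: int, body: bytes,
                   signature: str, now: int, tolerance: int = 300) -> bool:
    """Receiver-side check: reject stale deliveries, then compare MACs in
    constant time over the raw request body (never a re-serialised copy)."""
    if abs(now - timestamp) > tolerance:
        return False
    expected = sign_webhook(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)
```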
Compliance
HIPAA Ready
Phone Stack implements the technical, administrative, and physical safeguards required under the HIPAA Security Rule.
- Encryption at rest and in transit
- Access controls and audit logging
- Automatic session timeout
- Business Associate Agreement available
SOC 2 Ready
Phone Stack's controls are designed to meet SOC 2 Type II Trust Service Criteria across security, availability, and confidentiality.
- Comprehensive audit trail
- Change management via version control
- Incident response procedures
- Vendor risk assessments
Vendor Security
Our sub-processors and their security certifications.
| Vendor | Purpose | Certifications |
|---|---|---|
| Google Cloud / Firebase | Database, auth, storage | SOC 2, ISO 27001, HIPAA BAA |
| Twilio | Telephony | SOC 2, ISO 27001, HIPAA eligible |
| Stripe | Payments | PCI DSS Level 1, SOC 2 |
| Anthropic (Claude) | AI analysis | SOC 2 Type II |
| Google (Gemini) | Voice AI | SOC 2, ISO 27001 |
| Vercel | Web hosting | SOC 2 Type II |
| Fly.io | Call engine hosting | SOC 2 Type II |
| Resend | Email delivery | SOC 2 |
Vulnerability Disclosure
We take security seriously. If you discover a vulnerability, please report it responsibly.
Email: security@phonestack.com
Response time: acknowledgement within 48 hours
We will not take legal action against good-faith security researchers.
Security FAQ
Is Phone Stack HIPAA compliant?
Phone Stack is HIPAA Ready. We implement all required technical safeguards. Enterprise customers can execute a BAA. Contact sales@phonestack.com.
Where is my data stored?
All data is stored on Google Cloud Platform in the United States. Firestore provides automatic replication across multiple availability zones.
Can I export or delete my data?
Yes. You can export all your data at any time from Settings. Account deletion is available on request and completes within 30 days.
Do you sell customer data?
No. We never sell personal information. See our Privacy Policy for details.