Security & Compliance
Botphonic is built for regulated industries that require the highest standards of data security, privacy, and compliance. Here is a comprehensive overview of our security posture.
Compliance Certifications
| Standard | Status | Applicable To |
|---|---|---|
| HIPAA | Compliant | Healthcare customers (Enterprise, with BAA) |
| GDPR | Compliant | EU/EEA customers |
| PCI DSS | Compliant | Credit card data handling |
| SOC-2 Type II | Ready / In Progress | All enterprise customers |
| TCPA | Controls provided | US outbound calling |
| STIR/SHAKEN | Implemented | All outbound calls (US) |
Infrastructure Security
Hosting
Botphonic's infrastructure is hosted on enterprise-grade cloud providers with:
- Multi-region redundancy: Data replicated across geographic regions for resilience
- 99.99% uptime SLA: Guaranteed for Enterprise plans
- DDoS protection: Network-level mitigation active at all times
- Auto-scaling: Capacity scales automatically during peak call volume
Encryption
| Data State | Standard |
|---|---|
| In transit | TLS 1.2 / 1.3 (all connections) |
| At rest | AES-256 (recordings, transcripts, contact data) |
| Database | Encrypted at rest with managed key rotation |
| Backups | Encrypted and stored in geographically separate regions |
Network Security
- Web Application Firewall (WAF) on all public endpoints
- Private network isolation between services
- Rate limiting on all API endpoints
- Intrusion detection and anomaly alerting
Application Security
Authentication
- Password requirements enforced (min length, complexity)
- Multi-factor authentication (MFA) available for all users; enforceable by admins
- SAML 2.0 SSO for Enterprise (Okta, Azure AD, Google Workspace, OneLogin)
- Session tokens expire after inactivity (configurable)
- IP allowlisting available on Enterprise plans
Access Controls
- Role-based access control (RBAC) with least-privilege principle
- No Botphonic employee accesses customer call data or recordings without explicit customer request
- All internal access to customer data is logged and audited
Penetration Testing
- Third-party penetration tests conducted regularly
- Internal security reviews after every major release
- Vulnerability disclosure program for responsible external reporting
Vulnerability Management
- Dependency scanning on every build
- CVE monitoring for all third-party libraries
- Critical patches deployed within 24 hours of disclosure
Data Handling
Call Recordings and Transcripts
- Stored in encrypted object storage
- Access controlled by account permissions
- Deleted automatically per your plan's retention policy
- Can be deleted on demand from Call Logs
Contact Data
- Contact lists uploaded for campaigns are never shared with other customers
- Deleted when a campaign is closed and contact data is removed by the account owner
- DNC scrubbing runs against contact lists before every outbound campaign
HIPAA-Protected Health Information (PHI)
For healthcare customers on Enterprise plans:
- Data segregated in HIPAA-compliant storage environments
- Business Associate Agreement (BAA) signed
- Workforce access to PHI restricted and audited
- Breach notification procedures in place per HIPAA requirements
TCPA Compliance Controls
Botphonic provides technical controls to support TCPA compliance for US outbound campaigns:
| Control | Description |
|---|---|
| DNC Scrubbing | Contact lists are scrubbed against the National DNC Registry before every campaign |
| Calling Hours Enforcement | Calls blocked outside 8 AM–9 PM in the recipient's local time zone |
| Opt-Out Handling | Callers who request removal are added to your account DNC list immediately |
| Consent Storage | Upload and store consent records linked to contact records |
| Campaign Audit Logs | Full log of every call made, timestamp, and outcome for legal record-keeping |
Note: Botphonic's controls are tools to assist compliance; legal responsibility for TCPA compliance remains with the account holder.
Business Continuity
- Recovery Time Objective (RTO): < 1 hour (Enterprise SLA)
- Recovery Point Objective (RPO): < 15 minutes
- Backups: Automated daily backups with point-in-time restore capability
- Disaster Recovery: Documented DR plan tested annually
Reporting a Security Issue
If you discover a security vulnerability, please report it responsibly:
Email: security@botphonic.ai
Include: description of the vulnerability, steps to reproduce, potential impact, and your contact information. We will acknowledge within 24 hours and aim to remediate critical issues within 72 hours.
Please do not publicly disclose vulnerabilities before we have had the opportunity to remediate them.
Security Documentation
Enterprise customers can request:
- SOC-2 Type II report
- Penetration test summary report
- Data Processing Agreement (DPA) for GDPR
- Business Associate Agreement (BAA) for HIPAA
- Security questionnaire responses
Contact sales@botphonic.ai or your dedicated Customer Success Manager.