1. Our commitment
Your call recordings contain your customers' voices, your pricing, and your pipeline. We treat that data with the same care we would demand for our own. Security is not a feature we bolted on — it shapes how we build, deploy, and operate the CallVelocity platform every day.
2. Encryption
- In transit: All traffic between your browser, your phone system, and our platform is encrypted with TLS 1.2 or higher. Plaintext connections are refused.
- At rest: Call recordings, transcripts, and account data are encrypted at rest using AES-256.
- Key management: Encryption keys are managed through our cloud provider's key management service, rotated automatically, and never stored alongside the data they protect.
3. Infrastructure
CallVelocity runs on leading cloud infrastructure providers in data centers located in the United States. Our infrastructure includes:
- Network isolation between production, staging, and development environments
- Firewalls and private networking for all internal services — databases are never exposed to the public internet
- Automated, encrypted backups with regular restore testing
- Redundancy across multiple availability zones for high availability
4. Access controls
- Least privilege: Employees are granted the minimum access required for their role, and access is reviewed quarterly.
- Customer data access: Production access to customer call data is restricted to a small on-call engineering group, logged, and audited. Support staff never access your recordings without your permission.
- Authentication: All internal systems require single sign-on with multi-factor authentication.
- For your team: CallVelocity supports role-based permissions, so reps, managers, and owners each see only what they need.
5. Call data handling
Call recordings are ingested over encrypted connections from your phone system, transcribed and scored by our AI pipeline, and stored encrypted in your account. A few commitments we make about that pipeline:
- Your recordings and transcripts are never shared with other customers
- We do not use your call data to train our AI models without your explicit consent
- We do not sell your data — see our Privacy Policy
- Sensitive payment card numbers detected in transcripts are automatically redacted
6. Data retention and deletion
You control how long your call recordings are retained; the default retention period is 12 months, configurable per account. When you delete a recording — or close your account — the data is removed from production systems within 30 days and from backups within 90 days.
7. Compliance
- SOC 2 Type II: Our SOC 2 Type II audit is currently in progress with an independent auditing firm. Contact us for our latest report status.
- GDPR & CCPA: We support data subject access, export, and deletion requests, and offer a Data Processing Addendum (DPA) for customers who require one.
- Call recording laws: Consent requirements vary by state and country. See our Terms of Service for your responsibilities when recording calls.
8. Security operations
- Monitoring: Production systems are continuously monitored, with alerting for anomalous access patterns and availability issues.
- Patching: Dependencies and operating systems are scanned for known vulnerabilities and patched on a defined schedule; critical vulnerabilities are patched within 72 hours.
- Testing: We commission annual third-party penetration tests and run automated security scanning in our deployment pipeline.
- Incident response: We maintain a documented incident response plan. If a breach affects your data, we will notify you without undue delay and no later than 72 hours after confirmation.
9. Your role in security
Security is shared. To keep your account safe:
- Use a strong, unique password and enable multi-factor authentication
- Remove team members promptly when they leave your company
- Assign the least-privileged role that lets each person do their job
- Never share login credentials between team members
10. Reporting a vulnerability
If you believe you have found a security vulnerability in CallVelocity, we want to hear from you. Email security@callvelocity.ai with a description and steps to reproduce. We commit to acknowledging reports within 2 business days, and we will not pursue legal action against good-faith security research conducted within reasonable bounds.