Security at CallSphere

How we protect your data and maintain the security of our platform: encryption in transit and at rest, role-based access, PCI DSS payments, SOC 2-aligned controls, and HIPAA support.

Last Updated: January 19, 2026

Our Security Commitment

CallSphere is committed to protecting your data. We encrypt data in transit and at rest, enforce role-based access controls, process payments through PCI DSS compliant providers, and continuously work to improve our security posture. Security documentation is available on request for prospective enterprise customers.

Data Encryption

  • In Transit: All data transmitted to and from our services is encrypted using TLS/HTTPS.
  • At Rest: Customer data is encrypted at rest on our cloud infrastructure (AWS, Vercel) using industry-standard AES-256 encryption.

Access Controls

  • Role-Based Access: Access to customer data is restricted to authorized personnel based on job function.
  • Admin Logging: Administrative actions are logged for security monitoring and audit purposes.
  • Principle of Least Privilege: Team members are granted the minimum access necessary to perform their duties.

Infrastructure Security

  • Cloud Hosting: Our services are hosted on reputable cloud providers (AWS, Vercel) that maintain their own security certifications.
  • Database Security: Production databases are isolated and access is restricted.
  • Regular Updates: We regularly update dependencies and apply security patches.

Payment Security

Payments are processed by PCI DSS compliant providers (e.g., Stripe). We do not store credit card numbers, CVVs, or other sensitive payment details on our servers. All payment data is handled directly by our payment processor.

AI and Data Handling

  • Third-Party AI Providers: We use OpenAI and other AI providers to power our voice and chat agents. Data sent to these providers is subject to their respective privacy policies.
  • Guardrails: We implement guardrails to help keep AI responses on-topic and within defined boundaries.
  • Human-in-the-Loop: Options for human review and escalation are available for sensitive use cases.
  • Response Verification: AI responses may require verification for critical actions. We do not guarantee error-free AI outputs.

Compliance and Certifications

  • SOC 2: Our security program is aligned with SOC 2 principles, and a formal SOC 2 Type II audit is planned. We do not yet hold a SOC 2 report; we will update this page when the audit is complete.
  • PCI DSS: Card payments are handled by PCI DSS compliant processors (e.g., Stripe); we do not store card data on our servers.
  • HIPAA: HIPAA support is available for healthcare customers with a signed BAA and eligible infrastructure configuration. Contact us for details.
  • GDPR & CPRA: Our practices are designed to align with GDPR and CPRA, and we support data-subject rights requests (access, delete, export). A Data Processing Addendum (DPA) is available for business customers.
  • TCPA: Our platform is designed to support customers' TCPA compliance (e.g., consent and opt-out handling); customers remain responsible for their own calling practices.

For the third-party providers that process data on our behalf, see our Subprocessors page; for data-handling details, see our Privacy Policy.

Incident Response

In the event of a security incident affecting customer data, we will notify affected customers in accordance with applicable laws and our contractual obligations.

Responsible Disclosure

If you discover a security vulnerability in our platform, please report it to us at support@callsphere.ai. We appreciate responsible disclosure and will work with you to address any valid security concerns.

Security Documentation

The following artifacts are available to prospective and current enterprise customers on request, under NDA where applicable:

  • Completed security questionnaires (e.g., SIG Lite, CAIQ)
  • Summary of our most recent third-party penetration test
  • SOC 2 report — available once our planned audit is complete
  • Data Processing Addendum (DPA) and subprocessor list

Live platform availability is published on our status page.

Contact Us

CallSphere

Security & documentation requests: support@callsphere.ai

For enterprise security questionnaires or to request the documentation above, please email us at the address above.