500,000+ businesses trust DialPhone with their customer conversations. We operate a seven-layer defense model audited by third-party firms and tested continuously.
SSO/SAML, MFA enforced for all staff, SCIM for customer provisioning, session-timeout enforcement.
Layer 4: Application
OWASP Top 10 coverage, SAST/DAST in CI, dependency scanning, auto-patching for known CVEs.
Layer 5: Data
AES-256-GCM at rest, TLS 1.3 in transit, hardware-backed KMS, tenant-key isolation, PHI tokenization.
Layer 6: Detection
24/7 SIEM, anomaly detection, insider-threat telemetry, third-party red teaming.
Layer 7: Response
On-call IR team, 24-hour detection SLA, 72-hour breach notification, post-mortem shared with affected customers.
Certifications & attestations
SOC 2 Type II, HIPAA BAA, GDPR, PCI-DSS Level 1, FINRA/SEC 17a-4, ISO 27001, CCPA/CPRA, STIR/SHAKEN A-level. Full matrix and downloadable reports at the Trust Center.
Coordinated disclosure & bug bounty
Report security issues to security@dialphone.com. 24-hour acknowledgement, 3-business-day triage, rewards from $150 (low) to $15,000 (critical). Safe-harbor policy for good-faith research.
Security FAQ
Can I get a SOC 2 report?
Yes. DialPhone is SOC 2 Type II audited annually across Security, Availability, Confidentiality, and Processing Integrity. Report available under NDA via sales.
Do you do penetration testing?
Yes — annual third-party penetration tests by accredited firms. Executive summaries of remediation status shared with enterprise customers under NDA. We also run a coordinated disclosure program and private bug bounty.
How do you protect customer data from staff access?
Minimum-necessary access by default. Customer support cannot read PHI, recordings, or transcripts without explicit break-glass approval logged and visible to the customer. Production database access restricted to on-call engineers during active incidents.
Do you support SSO and SAML?
Yes. SAML 2.0 SSO with Okta, Azure AD / Entra ID, OneLogin, Ping, Duo, Google Workspace, and any SAML-compliant IdP. SCIM provisioning for automated user lifecycle. Enforced MFA available.
What encryption do you use?
TLS 1.3 in transit, AES-256-GCM at rest, SRTP with AES-256 for voice media, DTLS for WebRTC. Hardware-backed KMS (AWS KMS, Google Cloud KMS) with tenant-key isolation for enterprise customers.
How do you handle insider threat?
Background checks for all staff, role-based access controls, just-in-time elevation for production, session recording on sensitive admin panels, behavioral anomaly detection, periodic access reviews.