Skip to content
DialPhone

Trust Center

Security is
the product.

DialPhone carries customer conversations, calls, messages, recordings, AI summaries, across US & Canada countries. Security, privacy, and reliability are not features. They are the floor.

Eight independently-verified certifications form the floor. SOC 2 Type II audits the operating model, ISO 27001 audits the information-security management system, HIPAA BAA covers protected health information, GDPR with EU data residency covers European personal data, PCI-DSS Level 1 covers payment-card-over-phone, FINRA and SEC 17a-4 cover broker-dealer recording retention, CCPA / CPRA covers California consumer rights, and STIR/SHAKEN A-level attests outbound caller ID against carrier robocall mitigation.

Four operational pillars carry that floor day-to-day: security (seven-layer defense, 24/7 SOC), privacy (no sale of data, no model training without opt-in), reliability (99.999% contractual uptime with service credits), and responsible AI (human-in-the-loop, audit logs per AI decision, complete opt-out).

0.000%
Uptime SLA
0-layer
Defense model
0/7
NOC response
View certifications Status: All systems operational
SOC 2 HIPAA GDPR PCI-DSS FINRA ISO 27001

+ StateRAMP Moderate · FedRAMP Moderate (Q4 2026)

Report a vulnerability

Four pillars of trust

Security

Seven-layer defense: end-to-end encryption, private cloud hardening, real-time threat detection, penetration testing, bug bounty, SIEM, 24/7 NOC.

  • TLS 1.3 in transit · AES-256 at rest
  • Hardware-backed key management
  • SSO + SAML + MDM enforcement
  • Annual third-party pen tests
Read the full security brief →

Privacy

Customer data is processed for service delivery only. No secondary use, no training AI models on customer calls without explicit opt-in.

  • Full DPA and subprocessor list
  • Data residency options (US, EU)
  • Right-to-delete within 30 days
  • Zero-knowledge encryption for sensitive fields
Read the full privacy brief →

Reliability

99.999% uptime SLA across voice, meetings, and CCaaS. Four redundant data centers, active-active failover, geo-diverse carrier routes.

  • 99.999% contractual uptime
  • Geo-redundant active-active
  • Public status page
  • RTO under 15 minutes · RPO under 5 minutes
Read the full reliability brief →

Responsible AI

Human-in-the-loop by default, transparent model disclosures, bias testing, customer data never used to train shared models.

  • Model cards per AI feature
  • Customer opt-in for fine-tuning
  • PII redaction before storage
  • Audit logs for every AI decision
Read the full responsible ai brief →

Certifications & attestations

Every control below is audited by an accredited third party on a repeating cycle. Reports and letters are available to customers and qualified prospects under NDA.

Audit

SOC 2 Type II

Audited annually by an independent CPA firm
Healthcare

HIPAA

BAA available on Advanced and Ultra plans
Privacy

GDPR

EU data residency, full DPA, subprocessor registry
Payments

PCI-DSS

Level 1 for payment IVR and card-capture flows
Financial

FINRA / SEC 17a-4

Immutable recording archive for broker-dealers
Privacy

CCPA / CPRA

California consumer data rights honored globally
Security

ISO 27001

Information security management certification
Voice

STIR/SHAKEN A-level

Caller-ID attestation for US outbound

Coordinated disclosure

If you believe you’ve found a security issue, we want to hear from you. Researchers acting in good faith are protected under a safe-harbor policy.

  • Email: support@dialphone.com
  • Response: 24-hour acknowledgement · 3-business-day triage · status updates weekly
  • Scope: dialphone.com, web apps, mobile apps, public APIs. Out-of-scope: third-party subprocessors, social engineering, DoS.
  • Bounty: rewards from $150 (low) to $15,000 (critical). Private program on request.

Trust & compliance FAQ

Is DialPhone SOC 2 Type II compliant?

Yes. DialPhone is audited annually to SOC 2 Type II across Security, Availability, Confidentiality, and Processing Integrity. The full report is available under NDA, request a copy.

How do I get a HIPAA Business Associate Agreement (BAA)?

Customers on Advanced, Ultra, and all Contact Center tiers receive a BAA at no additional cost. Email support@dialphone.ai with subject "BAA request" to e-sign. See the HIPAA page for covered features and technical safeguards.

Where is customer data stored?

US customers in US regions (Virginia, Oregon). EU customers in EU regions (Frankfurt, Dublin) with EU-only data residency. Data never crosses region boundaries unless the customer explicitly enables cross-region replication.

What is DialPhone's uptime SLA?

99.999% monthly uptime, contractual, with service credits for breach. The public status page reports real-time and historical incidents.

Do you train AI models on my calls and messages?

No, not without explicit opt-in. Shared foundation models are pretrained before customer data exists. Optional fine-tuning uses only data that the customer opts in per workspace, and that data never blends with other customers' data.

How do I report a security vulnerability?

Email support@dialphone.com (PGP key on this page) or submit via our coordinated disclosure portal. Acknowledgement within 24 hours, triage within 3 business days, rewards for in-scope findings.

Can I get a list of subprocessors?

Yes, the full subprocessor registry is public and updated whenever we add or remove a vendor. Existing customers are notified 30 days in advance of any change.

Is DialPhone FedRAMP authorized?

A FedRAMP Moderate package is in active sponsorship (target authorization Q4 2026). StateRAMP Moderate was awarded in 2025. Read the roadmap.

What happens to my data if I cancel?

Export tools let you download recordings, messages, and call history anytime. After cancellation, data is retained for 30 days (in case you reinstate), then permanently deleted from primary storage and within 90 days from backups. Certificates of destruction available on request.

Call sales Start free trial