The AI vendor is never a security boundary
Tenancy, encryption, payment isolation, and audit are enforced in CallsAround's own systems — the voice model receives answers, never your credentials or customer data stores.
Security controls
Tenant isolation via RLS
Postgres Row-Level Security is the authoritative tenant boundary on every read and write. The AI voice vendor is never a security boundary — it receives answers, never credentials.
Encrypted OAuth tokens
Customer Google/Microsoft OAuth tokens are AES-256-GCM encrypted at rest and never leave CallsAround servers.
Payments stay with Stripe
Card data is held by Stripe, never by CallsAround. Billing state changes only from verified Stripe webhooks.
Signed webhooks & scoped API keys
Inbound webhooks are signature-verified (Ed25519 for telephony, HMAC for Stripe). API keys are SHA-256-hashed at rest with scopes, rate limiting, and full request logging.
Call-recording consent
A per-line disclosure toggle supports two-party-consent states. We do not sell personal data, and we do not use your calls to train AI models.
Automatic data retention
Recordings and transcripts are kept 365 days, operational events 90 days, and API logs 30 days — then removed automatically.
Audit log & session control
Every mutation is written to an audit log (who changed what). Session management includes "sign out of all devices," with Google/Microsoft SSO.
Telephony compliance
E911 address support on every number, plus 10DLC and toll-free SMS compliance workflows.
Related CallsAround pages
- CallsAround overview — AI receptionist and emergency dispatch.
- Product tour — the receptionist, dispatch engine, and failover.
- Reliability & failover — how dead air is made structurally impossible.
- Pricing — per-line plans with security on every tier.
- Privacy policy — what data we process and how.
- Book a security-focused demo — review controls against your requirements.
