Security at SmartCall

We take the security of your business data seriously — at every layer of our platform.


End-to-End Encryption

All data in transit is encrypted via TLS. Data at rest is encrypted via AES-256 on AWS S3.

Row-Level Security

Every database table enforces Row-Level Security (RLS) — your data is completely isolated from other businesses on the platform.

Immutable Audit Log

Every action in the system is logged with timestamp, actor, and reason — and can never be edited or deleted.


Infrastructure & Architecture

  • Hosted on AWS with multi-region redundancy.
  • PostgreSQL with Row-Level Security enabled on every tenant table.
  • Full database backups every 6 hours, incremental every 15 minutes.
  • Recovery Point Objective (RPO): 15 minutes.
  • Recovery Time Objective (RTO): 4 hours.
  • All call recordings, photos, waivers, and documents stored on AWS S3 with server-side encryption (SSE) and versioning enabled.

Access Control & Authentication

  • JWT-based authentication with refresh token rotation.
  • Role-based access control (RBAC) — Owner, Manager, Dispatcher, and Technician each have defined permissions.
  • Account lockout after 5 consecutive failed login attempts.
  • Optional two-factor authentication (2FA) via SMS or email.
  • No cross-business data visibility — ever.

Multi-Tenant Data Isolation

  • Every record in the system is tagged with a business_id.
  • No query can execute without a business_id filter.
  • Database-level composite foreign keys prevent any cross-tenant data linkage.
  • System Admin access requires explicit audit documentation and trace ID.

Calls, SMS & GPS

  • All customer-to-technician calls route through Twilio — real phone numbers are never exposed.
  • Call recordings are saved to AWS S3 immediately upon call disconnection — no buffer, no delay.
  • GPS location updates are rate-limited to 3 per minute per technician, enforced server-side.
  • SMS opt-out (STOP) is honored immediately — zero marketing SMS to opted-out customers.

Payment Security

  • All payments processed via Stripe — SmartCall never stores raw card data.
  • Credit card payments require a signed customer waiver before the transaction — no exceptions.
  • Payment webhooks are verified via Stripe signature and processed idempotently.

Data Retention & Deletion

  • Call recordings and GPS telemetry retained for 180 days by default (configurable per business).
  • Auto-deletion runs with a full audit record.
  • Customers may request data deletion at any time by contacting support@smartcallsync.ai.
