C
Callilio

Security & Compliance

Security Overview

Last updated April 2026

Callilio is committed to protecting the confidentiality, integrity and availability of our platform and the data entrusted to us. This page outlines our security philosophy, technical measures and operational practices. It complements our Privacy Policy and Terms of Service by providing transparency into our security controls.

1. Security Philosophy

Security is integral to our product design and operations. We follow a defence-in-depth approach that layers technical and organisational controls across infrastructure, application and personnel. We strive for industry best practices and maintain compliance with relevant standards (such as GDPR, CCPA/CPRA and HIPAA). Our internal controls are designed in alignment with the SOC 2 Type II Trust Service Criteria; formal certification will be evaluated as we onboard enterprise customers requiring it. We continually assess and improve our posture.

2. Infrastructure Security

  • Cloud hosting: Our web front-end is hosted on Vercel, a leading edge-delivery platform with strong security track records and EU region options. Our application backend, database and storage run on Supabase (built on PostgreSQL). Both providers employ robust physical and network security controls including perimeter defences, intrusion detection and DDoS mitigation. Servers are located in the EU by default, with U.S. regions available for customers who opt in.
  • Isolation and least privilege: Customer data is logically separated. Our infrastructure follows least-privilege access controls at the network and service layers. Database credentials and API keys are stored in encrypted secrets management tools and are rotated regularly.
  • Backups and redundancy: Supabase provides automated daily backups and point-in-time recovery for the PostgreSQL database. Backups are encrypted and stored in geographically separate regions. Vercel's distributed content delivery network ensures availability through redundancy.

3. Data Encryption

  • In transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. Telephony traffic uses secure protocols such as TLS for SIP signalling and Secure Real-Time Transport Protocol (SRTP) for media streams.
  • At rest: Data stored in Supabase (PostgreSQL), object storage and backups is encrypted at rest with AES-256. Encryption keys are managed using provider-side key management services with strict access controls. Payment information processed by Stripe complies with PCI DSS requirements and is tokenised; we never store full card numbers.

4. Authentication and Access Control

  • Supabase Auth: Our platform uses Supabase Auth to manage user authentication. Authentication options include email/password, passwordless magic links and OAuth via Google or Microsoft. Passwords are hashed using strong algorithms (bcrypt) and never stored in plain text.
  • Role-based access control (RBAC): We implement RBAC to ensure users have access only to the resources necessary for their role. Administrative privileges are restricted to authorised personnel and require multi-factor authentication.
  • Session management: User sessions are tracked securely. Access tokens are short-lived and refresh tokens are rotated. Session metadata (IP address, device) is recorded to detect anomalies.
  • API key management: API keys are tied to specific projects and have granular scopes. Customers can rotate and revoke keys via the dashboard. Rate limiting protects against abuse.

5. Network Security

  • Perimeter defences: Firewalls and security groups restrict incoming traffic to only required ports and services. Denial-of-service protection at Vercel and Supabase mitigates common volumetric and application-layer attacks.
  • Segmentation: We segregate production, staging and development environments. Internal services communicate over private networks; sensitive services (databases, message brokers) are not exposed publicly.
  • Monitoring: Continuous network monitoring detects anomalous traffic patterns and potential intrusion attempts. Alerts are triggered for suspicious activity.

6. Application Security

  • Secure development lifecycle: Security is embedded throughout our software development lifecycle. Developers follow coding standards that emphasise input validation, output encoding and least privilege. Code changes undergo peer review and automated tests.
  • Static and dynamic analysis: We use automated tools to perform static application security testing (SAST) and dependency scanning to identify vulnerabilities in code and third-party libraries. Critical dependencies are monitored for known vulnerabilities (CVE) and updated promptly.
  • Penetration testing: Penetration testing is planned ahead of significant enterprise customer onboarding. Today, we follow secure coding practices, peer code review, and automated dependency scanning (npm audit, Dependabot) to mitigate known vulnerabilities.
  • Secure configuration: Default security configurations (e.g., Content Security Policy, HTTPS only, secure cookies, CSRF protection) are enforced. Access to administrative interfaces is restricted.
  • Responsible disclosure: We welcome security researchers to report vulnerabilities responsibly. See the Vulnerability Disclosure section below.

7. AI / LLM Security

The AI components powering our voice agents introduce unique security considerations:

  • Isolation of AI workloads: Calls to LLM providers (OpenAI, Anthropic) are made through secure APIs. Pseudonymisation techniques remove direct identifiers from prompts. Providers are contractually prohibited from retaining or using our data to train their models.
  • Prompt injection and content safety: We implement prompt filtering and context sanitation to mitigate prompt injection attacks. Content moderation services detect and block abusive or malicious user inputs. Safety guardrails prevent the AI from producing harmful or inappropriate outputs.
  • Human oversight: AI responses are monitored and may be subject to human review, especially during onboarding or training phases. Customers can flag inaccurate responses for review.

8. Telephony Security

  • Telephony providers: Our primary telephony provider Twilio is ISO 27001 certified and offers robust security features including encrypted media, secure SIP interfaces and fraud detection. Telnyx serves as a redundant provider and implements similar safeguards.
  • Call routing: All call flows, IVR menus and transfers are configured through secure, authenticated APIs. Calls are logged and stored in encrypted form. Customers can enable or disable call recording on a per-line basis to comply with jurisdictional consent requirements.
  • Number provisioning: We provision phone numbers through vetted carriers. Numbers are assigned to specific customers and are not reused immediately after release.

9. Data Residency Options

By default, customer data is stored in Supabase's EU region. Customers with regulatory or contractual requirements may request data storage in specific regions (e.g., U.S.). Data residency preferences apply to databases, file storage and backups. We disclose the locations of our sub-processors in our Privacy Policy and Data Processing Agreement.

10. Audit Logging and Monitoring

  • Comprehensive logs: We maintain detailed logs of administrative actions, user activities (e.g., log-ins, bookings, messages) and system events. Logs include timestamps, user identifiers and metadata and are tamper-evident.
  • Centralized logging: Logs from Supabase, Vercel, and edge functions are aggregated for review. Anomaly detection on authentication and admin actions is monitored manually. A dedicated SIEM solution will be evaluated as the platform scales.
  • Access audits: Regular audits ensure that permissions remain appropriate. Sensitive actions (e.g., exporting data, changing settings) require additional confirmation and are recorded.

11. Incident Response

We follow industry-standard incident response procedures based on NIST SP 800-61. A formal, documented incident response plan with named roles and escalation paths is being prepared ahead of our first enterprise customer onboarding. Key elements include:

  • Detection and analysis: Automated monitoring and human review detect anomalies. We assess the severity, scope and impact of any incident.
  • Containment and eradication: We isolate affected systems, remove malicious code, and apply necessary patches or configuration changes.
  • Notification: When required by law or contract, we will notify affected customers and regulatory authorities without undue delay. Notifications include a description of the incident, its likely consequences and the measures taken or proposed to address it.
  • Lessons learned: Post-incident reviews identify root causes and opportunities for improvement. Remediation actions are tracked to completion.

12. Vulnerability Disclosure / Responsible Disclosure Program

We appreciate contributions from the security community. If you believe you have discovered a vulnerability, please report it responsibly:

  1. Email a detailed description of the vulnerability to security@callilio.com. Please include steps to reproduce and any relevant evidence.
  2. Do not publicly disclose the vulnerability until we have had an opportunity to investigate and resolve the issue.
  3. We will acknowledge receipt within 72 hours and provide updates on remediation progress. Where appropriate, we may offer credit or rewards.

13. Compliance and Certifications

  • GDPR and FADP: We operate in compliance with the GDPR and FADP, including the use of Standard Contractual Clauses for international transfers and the implementation of data minimisation principles.
  • CCPA/CPRA and other U.S. state laws: Our privacy practices align with California and other state privacy requirements. We do not sell personal information or use customer data for behavioural advertising.
  • HIPAA readiness: For U.S. healthcare customers, we sign Business Associate Agreements and implement safeguards required under HIPAA and the HITECH Act. PHI is stored and transmitted securely and used solely for providing the Services.
  • SOC 2: Our internal controls are designed in alignment with SOC 2 Type II Trust Service Criteria. Formal certification will be evaluated as we onboard enterprise customers requiring it. Upon request and subject to a nondisclosure agreement, we may provide documentation regarding our compliance status.
  • PCI DSS: Payment processing is handled by Stripe, which is PCI DSS Level 1 compliant. We do not store full payment card details on our systems.

14. Data Retention and Deletion

Retention periods are defined in our Privacy Policy. Customers can configure how long call recordings, transcripts and messages are stored. When data is deleted via the dashboard or upon account termination, we purge it from active systems and, within a reasonable period, from backups. Deleted data is not recoverable. Aggregated, anonymised metrics may be retained for analytics.

15. Employee and Contractor Security

Callilio is currently operated as a solo founder practice. The founder follows documented security procedures and uses multi-factor authentication, encrypted password management, and least-privilege access principles for all production system access.

As we expand the team, all new personnel will undergo background checks (where permitted by local law), receive security and privacy training during onboarding, and complete annual refresher training. Access to production systems will be based on least privilege and segregated by role.

16. Sub-Processor Security Requirements

We require all sub-processors to implement security measures commensurate with the sensitivity of the data they handle. Sub-processors must agree to confidentiality obligations, encryption standards, breach notification procedures and compliance with relevant data protection laws. See our Privacy Policy for the current list of sub-processors.

17. Penetration Testing Cadence

We are establishing a penetration testing cadence ahead of our first enterprise customer onboarding. Today, we perform internal security review when introducing major new features or infrastructure changes, and rely on automated tools for static application security testing (SAST) and dependency scanning.

18. Business Continuity and Disaster Recovery

  • Redundant infrastructure: Our architecture includes redundancy across multiple availability zones to minimise the impact of hardware or network failures.
  • Regular backups: Databases are backed up daily and can be restored to any point within a 7-day retention window. We test backup restoration procedures periodically.
  • Recovery procedures: Database point-in-time recovery is available through Supabase (7-day window). A formal disaster recovery plan with documented RTO and RPO targets, including periodic recovery drills, is in preparation ahead of enterprise customer onboarding.

19. Contact for Security Inquiries

If you have questions about Callilio's security practices or need to report a security incident, please contact our security team:

Email: security@callilio.com

For privacy-related questions, see our Privacy Policy.