Security at JagCall

We take the security of your data seriously. Our platform is built with security best practices at every layer — from encrypted voice traffic to isolated data storage and strict access controls.

Platform Security

How we protect your data across every part of the platform.

Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Call recordings, transcripts, API keys, OAuth tokens, and calendar credentials are encrypted using industry-standard methods.

Access Controls

Role-based access control (RBAC) with three permission levels (owner, admin, member). Two-factor authentication via TOTP with recovery codes. SSO via SAML 2.0 available on Enterprise plans.

Infrastructure

Cloud-hosted infrastructure with redundant systems across multiple availability zones. Docker-based containerization with Nginx reverse proxy. 99.9% uptime target for core services.

Audit Logging

Every user action is logged with timestamps, IP addresses, resource types, and user identity. Audit logs are queryable with filters and retained for 12 months.

API Security

Scoped API keys shown only once at creation. Rate limiting (200/min reads, 30/min writes). Webhook payloads signed with HMAC so your endpoint can verify that a delivery came from JagCall and was not altered in transit. OAuth 2.0 with authorization code flow.
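How a receiving endpoint would check such an HMAC signature, as an added example that is not JagCall's own code: it assumes a header layout (a Unix timestamp plus a hex HMAC-SHA256 over "timestamp.body") and header names that this page does not document, and the sample delivery and secret are constructed. Consult the JagCall API reference for the actual signing scheme before using this pattern.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumptions (not documented on this page): the webhook request carries two
# headers, a Unix timestamp and a lowercase hex HMAC-SHA256 computed over
# "<timestamp>.<raw request body>". The header names are illustrative.
TIMESTAMP_HEADER = "X-JagCall-Timestamp"
SIGNATURE_HEADER = "X-JagCall-Signature"
TOLERANCE_SECONDS = 300  # reject deliveries outside a 5-minute window (replay defence)


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the exact raw body bytes.

    Sign the raw bytes, never a re-serialised JSON object: any change in key
    order or whitespace would otherwise produce a different digest.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the delivery is fresh and its signature matches."""
    ts_raw = headers.get(TIMESTAMP_HEADER)
    provided = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or provided is None:
        return False
    try:
        timestamp = int(ts_raw)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False  # stale (replayed) or far-future timestamp
    expected = compute_signature(secret, timestamp, body)
    # compare_digest runs in constant time, so an attacker cannot learn
    # how many leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, provided.lower())


# Constructed sample delivery (not real JagCall traffic or a real key).
SECRET = b"whsec_example_not_a_real_key"
BODY = b'{"event":"call.completed","call_id":"c_123","duration":42}'
NOW = 1_700_000_000


def demo() -> dict:
    """Run the verifier against a good delivery and several bad ones."""
    ts = NOW - 10
    good_headers = {TIMESTAMP_HEADER: str(ts),
                    SIGNATURE_HEADER: compute_signature(SECRET, ts, BODY)}
    tampered_body = BODY.replace(b'"duration":42', b'"duration":4200')
    stale_ts = NOW - 3600
    stale_headers = {TIMESTAMP_HEADER: str(stale_ts),
                     SIGNATURE_HEADER: compute_signature(SECRET, stale_ts, BODY)}
    return {
        "valid": verify_webhook(SECRET, good_headers, BODY, now=NOW),
        "tampered_body": verify_webhook(SECRET, good_headers, tampered_body, now=NOW),
        "stale_replay": verify_webhook(SECRET, stale_headers, BODY, now=NOW),
        "wrong_secret": verify_webhook(b"other-secret", good_headers, BODY, now=NOW),
        "missing_signature": verify_webhook(SECRET, {TIMESTAMP_HEADER: str(ts)}, BODY, now=NOW),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two details matter in practice: read the request body as raw bytes before any JSON parsing, and treat the timestamp check as part of verification rather than an optional extra, since a valid signature on an old payload is exactly what a replay looks like.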

Voice & Telephony

Voice traffic secured through Twilio's infrastructure with encrypted SIP and WebRTC (SRTP/DTLS). Browser-based calling uses time-limited access tokens with 1-hour expiration.

SMS Security

SMS delivered through Twilio's compliant messaging infrastructure. Automatic opt-out processing. Conversation data encrypted at rest. SMS subscriptions managed per phone number.

AI & Data Handling

LLM requests processed through provider APIs (OpenAI, Anthropic) without persistent data storage on their side. Knowledge base documents chunked and embedded locally. Your data is not used for AI model training.

Knowledge Base

Uploaded documents (PDF, text) processed server-side with size limits enforced (20 MB max). Content chunked and stored as embeddings within your organization's isolated data scope.

Payment Security

All payment processing handled by Stripe — we never store credit card numbers. Stripe is a PCI DSS Level 1 certified service provider, the highest level of payment security certification.

Incident Response

Security monitoring with formal incident response procedures. Breach notification within 72 hours as required by applicable regulations. Responsible disclosure program for security researchers.

Session Security

JWT-based authentication with token expiration. Redis-backed session management. CAPTCHA (Turnstile) verification on registration. Password reset via time-limited email tokens.

Compliance & Certifications

Our commitment to meeting industry standards for data protection and privacy.

SOC 2 Type II: In Progress

Currently implementing controls and preparing for our first independent audit. Our security practices are designed to meet SOC 2 trust service criteria.

HIPAA: Planned

Building toward HIPAA compliance for healthcare customers. Business Associate Agreements (BAAs) will be available upon completion.

PCI DSS: Via Stripe

We do not store, process, or transmit credit card data directly. All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider.

TCPA: Compliant

Platform includes consent management, opt-out handling, awareness of calling-hour restrictions, and disclosure tools to support your TCPA compliance obligations.

CCPA: Compliant

We support data access, deletion, and portability requests. Our privacy policy details data collection and sharing practices as required by the CCPA.

GDPR: Compliant

Data processing with lawful basis, data subject rights support (access, deletion, portability), 72-hour breach notification. Data Processing Agreements (DPAs) available on request.

Data Practices

Transparency about how we handle your data.

Data Ownership

You retain full ownership of your data — call recordings, transcripts, agent configurations, knowledge base documents, and contacts. We process your data solely to provide the services.

Data Retention

Data is retained for the duration of your subscription. Upon account termination, data is retained for 30 days for recovery, then permanently deleted. Audit logs are retained for 12 months.

AI Model Training

Your data is never used to train AI models. LLM requests are processed via provider APIs without persistent storage. Knowledge base embeddings are stored within your organization's isolated scope.

Third-Party Providers

We integrate with trusted providers — Twilio (telephony), Stripe (payments), Deepgram & ElevenLabs (voice AI), OpenAI & Anthropic (LLM). Each maintains their own security certifications and compliance programs.

Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please report it to our security team. We commit to acknowledging reports within 24 hours and providing fixes within 90 days.

Report a Vulnerability

Or email us directly at security@jagcall.com

For more information, see our Privacy Policy and Terms of Service.