Security

How we protect your calls and your data.

The Voice Pal handles real conversations between your business and your customers. We take that responsibility seriously — and we want to be specific about what that means.

Encryption

  • In transit: TLS 1.2+ for all inbound API and dashboard traffic. WSS (TLS) for the Twilio Media Stream and the OpenAI Realtime connection. No plaintext audio crosses the public internet.
  • At rest: Call recordings, transcripts, and business configuration are encrypted with AES-256, managed via AWS KMS in us-east-1.
  • Secrets: All third-party API keys (Twilio, OpenAI, Google) live in AWS Secrets Manager. They are never written to logs or source code.

Access controls

  • The Voice Pal's employees access customer data only when necessary to support you or investigate an incident. All access is logged.
  • Production systems require MFA for all human access. CI/CD deploys via short-lived OIDC credentials, not long-lived keys.
  • Customer dashboards require email-verified accounts and support SSO for Growth+ tiers.

Sub-processors

The third-party services The Voice Pal relies on:

  • Amazon Web Services — hosting and storage (us-east-1). SOC 2, ISO 27001, HIPAA-eligible.
  • OpenAI — voice AI (Realtime API). The Voice Pal operates under OpenAI's enterprise terms; audio is not used for model training.
  • Twilio — telephony and SMS. SOC 2, ISO 27001.
  • Google — only if you choose to connect a Google Calendar; access is read/write to that calendar only.
  • Stripe — billing. PCI DSS Level 1.

Data retention

  • Call recordings and transcripts: 90 days by default, configurable per customer.
  • Appointment data: while you have an active account.
  • On account closure: full deletion within 30 days, except billing records retained for tax compliance.

Compliance roadmap

  • SOC 2 Type II — in progress. Type I report available on request to customers under NDA.
  • HIPAA — The Voice Pal is not currently HIPAA-attested. Medspas, dental, and other covered entities should not use The Voice Pal for PHI until we publish a BAA.
  • GDPR / CCPA — we honor data subject access and deletion requests; see Privacy.

Reporting a vulnerability

If you believe you've found a security vulnerability in The Voice Pal, please email security@thevoicepal.com with details. We acknowledge reports within 1 business day. We do not yet operate a paid bug bounty program, but we recognize researchers publicly on our security disclosures page (with consent).

Please do not test against live customer numbers; use the demo number listed on the homepage.

Incident disclosure

If a security incident impacts your data, we will notify affected customers by email within 72 hours of confirmed impact, regardless of jurisdictional requirements.