User’s Mobile Device (App)

Encrypted transmission (HTTPS) to Spring Boot backend on Kubernetes in Azure

Data stored securely in a MySQL database

If CRM integration is enabled, data is sent (over HTTPS) to the CRM or an API endpoint

MySQL databases and backups in Microsoft Azure are encrypted at rest.

Call recordings stored in Azure Blob Storage, also encrypted at rest.

API tokens (JWT) are signed and verified using a secure key.

All connections use HTTPS/SSL to encrypt data transfers.

We strive to align with industry standards

We have not pursued formal certifications due to our size but uphold best practices where possible.

Personal data remains the property of the Controller (our customers).

We process data only as directed by the Controller and comply with data subject requests.

No onward transfers outside the EEA without explicit permission.

We do not sell personal information.

Consumers have the right to request access, deletion, and to opt out of any sale of data.

Copy of personal information: Provided within 45 days upon request (via email or other channels).

Deletion of personal information: Performed free of charge upon verified request.

Only full-time staff with a legitimate business need (e.g., development, support) can access sensitive data.

Customer Support staff can see usernames and email addresses to assist with support requests.

Owner: Full access, can manage teams and see all data.

Manager: Can create teams and users but only sees data if assigned as a Team Admin.

User: Only sees own data; cannot add/remove others or create teams.

Team Admin: Monitors the call data of team members in specific teams.

MFA is required to access production systems.

Password Policy includes at least 9 characters, complexity rules, hashing with bcrypt.

Antivirus/anti-malware is installed on corporate devices.

Users log in via a One-Time Password (OTP) sent by email.

A key derived from the OTP is stored securely on the device and hashed with bcrypt in the cloud.

Future requests use JWT tokens with limited validity.

Clean Desk Policy

Email Policy

Password Construction Guidelines

Password Protection Policy

We maintain a Security Incident Response Plan (attached).

Data breaches are reported to impacted customers immediately (or within 72 hours).

Response steps: triage, containment, communication, eradication, recovery.

Regular security awareness training (annually).

All personnel sign confidentiality agreements.

There is no formal disciplinary policy documented, but any security policy breach is addressed as needed.

Conducted annually using tools such as automated URL injectors, static analysis, code dependency checks, etc.

No current independent third-party penetration testing or code reviews.

Historically, one external verification was done related to a Google Mail integration.

Regular scanning for vulnerabilities, with critical patches applied immediately.

Updates are performed at least annually, more frequently for urgent patches (e.g., Log4j).

Microsoft Azure, using Kubernetes to orchestrate containers.

Strict firewall policies, WAF enabled, unused ports blocked.

Database Backups automatically created in Azure, encrypted at rest.

Point-in-time recovery is available.

Corporate laptops include anti-malware; employees have admin privileges.

No VPN used; firewall allows IP-based access for remote work.

Network changes are administered by a main admin. Developers do not have direct access to production network configurations.