Your Data Is Safe With Us

Call recordings, transcripts, lead data, and CRM credentials are handled with enterprise-grade security practices. Here's exactly how we protect you.

TLS 1.2+ Encrypted
AES-256 At Rest
GDPR Compliant
HIPAA-Ready
Zero Data Sharing
Account Isolation
TLS 1.2+ (Encryption in Transit): All data between your browser, our server, and external APIs is encrypted using TLS 1.2 or higher.
AES-256 (Encryption at Rest): Sensitive credentials (CRM keys, phone system tokens) are stored using AES-256 encryption.
GDPR (Compliant Practices): We follow GDPR principles: data minimization, user rights, consent, and clear retention policies.
HIPAA (Ready Architecture): Our architecture follows HIPAA-ready principles for medical and healthcare customers who require it. A HIPAA-ready architecture is not by itself HIPAA compliance, which also requires a signed Business Associate Agreement and the administrative safeguards you operate on your side.

Data Encryption

  • All traffic between users and Callably is encrypted with TLS 1.2+ via HTTPS.
  • CRM API keys, phone system tokens, and webhook secrets are stored encrypted with AES-256 and never logged in plaintext.
  • Call recordings are stored in encrypted storage and are only accessible through authenticated sessions.
  • Database connections are encrypted with TLS, and production database credentials are isolated to the production environment.

Account Isolation

  • Every account's data (leads, calls, recordings, sequences) is scoped to its owner's user ID on every read and write, so one account cannot read or modify another account's records.
  • Webhook and CRM credentials are per-user and are never shared with, or visible to, other accounts.
  • Support staff can reach a customer account only through an explicit impersonation action, and every such session is logged.

Data Retention & Deletion

  • You can export all your data at any time from account settings as a CSV or JSON export.
  • Account deletion removes all associated records: leads, calls, recordings, sequences, and CRM credentials.
  • Call recordings stored on Callably servers follow your phone system provider's retention period and can be deleted on request.

AI Processing & OpenAI

  • Callably uses OpenAI's Whisper and GPT APIs for transcription and AI analysis. Call audio and transcripts are sent to OpenAI only for processing. Under OpenAI's published API data usage policy, API inputs and outputs are retained by OpenAI only for a limited abuse-monitoring window (up to 30 days at the time of writing, or not at all where zero data retention has been approved) rather than stored indefinitely.
  • Data sent to OpenAI via the API is not used to train OpenAI's models.
  • AI processing is quota-gated — calls are only transcribed within your plan's monthly limit, giving you control over how much data is processed.

Infrastructure & Uptime

  • Hosted on dedicated VPS infrastructure with daily backups and automated monitoring.
  • Failed webhook deliveries are retried automatically with backoff, and a circuit breaker stops repeated attempts against an endpoint that is down, so a delivery that still fails is surfaced rather than silently lost.
  • HSTS headers are enforced, X-Frame-Options is set to DENY, and a Content-Security-Policy is applied to all pages.
  • CSRF tokens are required on all state-changing POST requests. Session cookies are set with the HttpOnly and SameSite=Lax flags.
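The retry and circuit-breaker behaviour described for webhook deliveries, as an added example that is not Callably's code: exponential backoff between attempts, a per-endpoint breaker that opens after a run of failures and lets a single probe through once a cooldown has passed, and a dead-letter list that records any delivery that gives up. The HTTP call and the sleep are injected so the block runs offline against constructed endpoints; the thresholds, delays and the dead-letter shape are assumptions, not Callably's settings.

```javascript
// Added example, not Callably's code: webhook delivery with backoff retries,
// a circuit breaker, and dead-lettering of deliveries that ultimately fail.

class CircuitBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 30_000, now = () => Date.now() } = {}) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.now = now;                 // injectable clock, so tests need no real waiting
    this.failures = 0;
    this.openedAt = null;           // timestamp while the circuit is open, else null
  }
  allows() {
    if (this.openedAt === null) return true;
    if (this.now() - this.openedAt >= this.cooldownMs) {
      // Half-open: permit one probe; one more failure re-opens the circuit.
      this.openedAt = null;
      this.failures = this.failureThreshold - 1;
      return true;
    }
    return false;
  }
  recordSuccess() { this.failures = 0; this.openedAt = null; }
  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }
}

// send(endpoint, payload) resolves to an HTTP status (e.g. fetch(...).then(r => r.status));
// sleep(ms) resolves after the delay. Both are injected to keep the demo offline.
async function deliverWebhook(endpoint, payload, opts) {
  const { send, sleep, breaker, deadLetter, maxAttempts = 4, baseDelayMs = 500 } = opts;
  let attempts = 0;
  let reason = 'exhausted';
  while (attempts < maxAttempts) {
    if (!breaker.allows()) { reason = 'circuit-open'; break; }   // endpoint known-down
    attempts += 1;
    let status;
    try {
      status = await send(endpoint, payload);
    } catch (err) {
      status = 0;                                                // network error, treated like 5xx
    }
    if (status >= 200 && status < 300) {
      breaker.recordSuccess();
      return { ok: true, attempts };
    }
    breaker.recordFailure();
    if (status >= 400 && status < 500 && status !== 429) { reason = `http-${status}`; break; }
    if (attempts < maxAttempts) await sleep(baseDelayMs * 2 ** (attempts - 1));
  }
  deadLetter.push({ endpoint, payload, attempts, reason });     // surfaced, never dropped
  return { ok: false, attempts, reason };
}

// Constructed scenario: one flaky endpoint, one hard-down endpoint.
async function demoWebhooks() {
  const noSleep = async () => {};
  const deadLetter = [];
  let clock = 0;

  let flakyCalls = 0;
  const flakySend = async () => (++flakyCalls < 3 ? 503 : 200);   // fails twice, then accepts
  const flaky = await deliverWebhook('https://crm.example/hook', { lead: 42 },
    { send: flakySend, sleep: noSleep, breaker: new CircuitBreaker({ now: () => clock }), deadLetter });

  const breaker = new CircuitBreaker({ failureThreshold: 3, cooldownMs: 30_000, now: () => clock });
  const downSend = async () => { throw new Error('ECONNREFUSED'); };
  const down = await deliverWebhook('https://down.example/hook', { lead: 43 },
    { send: downSend, sleep: noSleep, breaker, deadLetter });
  const blockedWhileOpen = breaker.allows() === false;   // cooldown not yet elapsed
  clock += 31_000;
  const probeAllowed = breaker.allows();                 // half-open after cooldown

  return {
    flakyOk: flaky.ok, flakyAttempts: flaky.attempts,
    downOk: down.ok, downAttempts: down.attempts, downReason: down.reason,
    deadLettered: deadLetter.length, blockedWhileOpen, probeAllowed,
  };
}
```

The breaker and the dead-letter list are what turn "retry forever" into "never silently lost": the third failure opens the circuit, the fourth attempt is refused without touching the network, and the payload is queued with its reason for an operator or a later redelivery job.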
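The response hardening in the last two bullets (HSTS, X-Frame-Options: DENY, a Content-Security-Policy, HttpOnly and SameSite=Lax session cookies, CSRF tokens on state-changing POSTs), as an added example against Node's built-in http request/response API; this is not Callably's code. The CSRF token is derived as an HMAC of the session ID under a server-side secret and compared in constant time; the page does not say how Callably generates its tokens, so that scheme, the CSP value, the Secure cookie flag and the X-CSRF-Token header are all assumptions. The request and response objects in the demo are constructed stand-ins for http.IncomingMessage and http.ServerResponse so the block runs without opening a socket.

```javascript
// Added example, not Callably's code: security headers, session cookie flags
// and an HMAC-based CSRF check for a Node http handler.
const crypto = require('node:crypto');
const CSRF_SECRET = crypto.randomBytes(32);   // constructed; a fixed per-deployment secret in practice

const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  'X-Content-Type-Options': 'nosniff',
};

function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
}

// HttpOnly keeps document.cookie from reading it; SameSite=Lax withholds it from
// cross-site POSTs; Secure (assumed here) limits it to HTTPS.
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Token bound to the session: another origin cannot compute it without CSRF_SECRET.
function csrfTokenFor(sessionId) {
  return crypto.createHmac('sha256', CSRF_SECRET).update(sessionId).digest('hex');
}

function verifyCsrf(sessionId, presented) {
  if (typeof presented !== 'string') return false;
  const expected = Buffer.from(csrfTokenFor(sessionId), 'hex');
  const given = Buffer.from(presented, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// GET issues the session cookie and a matching token (returned in a header here;
// a real page would embed it in the form). POST must present that token.
function handle(req, res) {
  applySecurityHeaders(res);
  const cookies = parseCookies(req.headers.cookie);
  if (req.method === 'GET') {
    const sessionId = cookies.session || crypto.randomBytes(16).toString('hex');
    res.setHeader('Set-Cookie', sessionCookie(sessionId));
    res.setHeader('X-CSRF-Token', csrfTokenFor(sessionId));
    res.statusCode = 200; res.end('ok');
    return;
  }
  if (req.method === 'POST') {
    if (!cookies.session || !verifyCsrf(cookies.session, req.headers['x-csrf-token'])) {
      res.statusCode = 403; res.end('CSRF token missing or invalid');
      return;
    }
    res.statusCode = 200; res.end('state changed');
    return;
  }
  res.statusCode = 405; res.end();
}

// Constructed stand-in for http.ServerResponse (header names lower-cased like Node does).
function fakeResponse() {
  const r = { headers: {}, statusCode: 0, body: '' };
  r.setHeader = (k, v) => { r.headers[k.toLowerCase()] = v; };
  r.end = (b = '') => { r.body = b; };
  return r;
}

function demoCsrf() {
  const sid = 'a1b2c3';
  const get = fakeResponse();
  handle({ method: 'GET', headers: { cookie: `session=${sid}` } }, get);
  const token = get.headers['x-csrf-token'];
  const forged = fakeResponse();   // cross-site form post: browser sends the cookie, no token
  handle({ method: 'POST', headers: { cookie: `session=${sid}` } }, forged);
  const wrong = fakeResponse();
  handle({ method: 'POST', headers: { cookie: `session=${sid}`, 'x-csrf-token': 'deadbeef' } }, wrong);
  const good = fakeResponse();
  handle({ method: 'POST', headers: { cookie: `session=${sid}`, 'x-csrf-token': token } }, good);
  return {
    frameOptions: get.headers['x-frame-options'], hsts: get.headers['strict-transport-security'],
    cookie: get.headers['set-cookie'], forgedStatus: forged.statusCode,
    wrongStatus: wrong.statusCode, goodStatus: good.statusCode,
  };
}
```

SameSite=Lax already stops most cross-site POSTs from carrying the cookie, but the token check is the layer that holds when a browser does not enforce SameSite or when a request arrives top-level from a site the user navigated through, which is why both are listed.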

Have a Security Question?

If you've found a security issue or have specific compliance questions, reach out directly.

Read our Privacy Policy and Terms of Service for full legal details.