SECURITY

How we protect call data.

TCPA compliance by default, encrypted at rest and in transit, no training on your data, SOC 2 Type II in progress. The short version is on this page — the DPA and security white paper are available under NDA for Pro and Scale customers.

Encryption

All traffic terminates TLS 1.2+. Customer data at rest is encrypted with AES-256 using envelope-encrypted per-tenant keys. Recordings (when opted in) are stored in isolated object storage and encrypted per-object.

API keys are hashed (Argon2id) before storage — the plaintext is shown once at creation time and never again.

TCPA compliance

The TCPA (Telephone Consumer Protection Act) governs US consumer calling. OpenPhn enforces compliance server-side, not as a customer-configurable option.

  • Call-hour enforcement: outbound calls are blocked 9pm–8am in the callee's local time unless a verified "emergency" consent is attached.
  • Suppression scrubbing: every dispatch is checked against your internal DNC list and the FTC DNC registry before dialing.
  • Consent tracking: every call is tagged with consent_type (prior_express, existing_business_relationship, or emergency) and persisted for audit.
  • Rate limits: per-number frequency caps prevent accidental harassment patterns.
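
The call-hour, suppression and consent checks above can be pictured as a single server-side gate that fails closed. The sketch below is an added example, not OpenPhn's code: the `Dispatch` shape, the reason strings and the sample numbers are hypothetical, and it assumes 9pm is blocked, 8am is allowed, and suppression applies to every consent type.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Window and consent values are the ones stated on this page.
QUIET_START = time(21, 0)   # 9pm callee-local (assumed inclusive)
QUIET_END = time(8, 0)      # 8am callee-local (assumed exclusive)
CONSENT_TYPES = {"prior_express", "existing_business_relationship", "emergency"}


@dataclass(frozen=True)
class Dispatch:                      # hypothetical request shape
    to_number: str
    callee_tz: tzinfo                # resolved server-side, never caller-supplied
    consent_type: str
    emergency_verified: bool = False


def in_quiet_hours(now_utc: datetime, callee_tz: tzinfo) -> bool:
    """True if the callee's wall clock is inside 9pm-8am (window spans midnight)."""
    local = now_utc.astimezone(callee_tz).time()
    return local >= QUIET_START or local < QUIET_END


def check_dispatch(d: Dispatch, now_utc: datetime, suppressed: set) -> tuple:
    """Return (allowed, reason); every failure path denies the call."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if d.consent_type not in CONSENT_TYPES:
        return (False, "invalid_consent_type")
    # Assumption: suppression applies to every consent type.
    if d.to_number in suppressed:
        return (False, "suppressed")
    emergency_ok = d.consent_type == "emergency" and d.emergency_verified
    if in_quiet_hours(now_utc, d.callee_tz) and not emergency_ok:
        return (False, "quiet_hours")
    return (True, "ok")


# Constructed sample data: fixed UTC-5 offset and fictional 555 numbers.
# A real service would use zoneinfo.ZoneInfo so DST shifts are handled.
EST = timezone(timedelta(hours=-5))
DNC = {"+12025550111"}
NIGHT = datetime(2025, 1, 15, 2, 30, tzinfo=timezone.utc)   # 21:30 callee-local
if __name__ == "__main__":
    for consent, verified in [("prior_express", False), ("emergency", True)]:
        d = Dispatch("+12025550100", EST, consent, verified)
        print(consent, check_dispatch(d, NIGHT, DNC))
```
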

Data retention

  • Transcripts: 90 days default, configurable on Scale down to 7 days.
  • Recordings (opt-in): Starter 30d · Pro 90d · Scale configurable.
  • Webhook delivery logs: 30 days.
  • API keys: retained while active; revocation is immediate and audited.

You can issue a delete request via the dashboard or privacy@openphn.com for targeted erasure (GDPR/CCPA right-to-delete).

We don't train on your data

OpenPhn does not train any model on customer call content. Our voice provider (Google Gemini) and our extraction layer are used inference-only for your workload.

We do log prompts/responses for a rolling 14-day debug window, scrubbed of the "to" phone number and any obvious PII — used exclusively for engineering diagnostics.

Certifications & attestations

  • SOC 2 Type II: audit in progress (ETA Q3 2026). Report available on request under NDA for Pro+ customers.
  • HIPAA BAA: available on the Scale tier.
  • PCI-DSS: we do not touch card data. Billing is processed by Stripe.
  • GDPR: DPA available at /legal/dpa. EU data can be regioned to Frankfurt on Scale.

Sub-processors

VENDOR | PURPOSE | REGION
Google (Gemini) | Voice model inference | US / EU
Hetzner | Application + database hosting | EU (Falkenstein)
Cloudflare | DNS + edge + DDoS | Global
Vercel | Marketing + docs hosting | Global
Stripe | Billing + payments | US / EU
PostHog | Product analytics (marketing site only, cookieless) | US

We notify Pro+ customers of sub-processor changes 30 days before taking effect. Subscribe via your dashboard or email security@openphn.com.

Responsible disclosure

Found a vulnerability? Email security@openphn.com — we acknowledge within 24 hours and commit to a 90-day disclosure window. We don't currently run a paid bounty program, but we do credit researchers publicly on this page (unless they prefer anonymity).