SECURITY

How we protect call data.

TCPA compliance by default, encrypted at rest and in transit, no training on your data, SOC 2 on the roadmap. The short version is on this page — the DPA and security white paper are available under NDA for Pro and Scale customers.

Looking for TCPA, DNC, call-hour, the FCC 1:1 consent rule, or state AI disclosure laws? See /compliance →

Encryption

All traffic terminates TLS 1.2+. Customer data at rest is encrypted with AES-256 using tenant-scoped credential encryption with rotation support. Recordings (when opted in) are stored in isolated object storage and encrypted per-object.

API keys are hashed with Argon2id (time_cost 3, memory_cost 64 MiB, parallelism 4) before storage — the plaintext is shown once at creation time and never again.

Data retention

  • Transcripts: 90 days default, configurable on Scale down to 7 days.
  • Recordings (opt-in): Starter 30d · Pro 90d · Scale configurable.
  • Webhook delivery logs: 30 days.
  • API keys: retained while active; revocation is immediate and audited.

You can issue a delete request via the dashboard or privacy@openphn.com for targeted erasure (GDPR/CCPA right-to-delete).

We don't train on your data

OpenPhn does not train any model on customer call content. Our voice provider (Google Gemini) and our extraction layer are used inference-only for your workload.

We do log prompts/responses for a rolling 14-day debug window, with phone numbers redacted in Sentry — used exclusively for engineering diagnostics.

Certifications & attestations

  • SOC 2 Type II: on the roadmap. We'll publish a target date when the program kicks off rather than commit to a deadline we haven't resourced.
  • HIPAA BAA: available on the Scale tier.
  • PCI-DSS: we do not touch card data. Billing is processed by Stripe.
  • GDPR: DPA available at /legal/dpa. EU data can be regioned to Frankfurt on Scale.
  • SAML SSO: Single sign-on via WorkOS, supporting Okta, Azure AD, Google Workspace, and any SAML 2.0 IdP. Available on Pro and Scale; configure under Settings → SSO. JIT user provisioning, optional require-SSO enforcement with Owner break-glass, full audit-chain coverage.

Sub-processors

VENDOR           PURPOSE                                              REGION
Google (Gemini)  Voice model inference                                US / EU
Hetzner          Application + database hosting                       EU (Falkenstein)
Cloudflare       DNS + edge + DDoS                                    Global
Vercel           Marketing + docs hosting                             Global
Stripe           Billing + payments                                   US / EU
PostHog          Product analytics (marketing site only, cookieless)  US

We notify Pro+ customers of sub-processor changes 30 days before taking effect. Subscribe via your dashboard or email security@openphn.com.

Responsible disclosure

Found a vulnerability? Email security@openphn.com — we acknowledge within 24 hours and commit to a 90-day disclosure window. We don't currently run a paid bounty program, but we do credit researchers publicly on this page (unless they prefer anonymity).