How we keep your
practice data safe.

Infrastructure security

• Cloud provider: Amazon Web Services (AWS) — SOC 2 Type II, ISO 27001, HIPAA-eligible services
• Encryption at rest: AES-256 on all stored data including call recordings, transcripts, and configuration
• Encryption in transit: TLS 1.3 enforced on all connections; older protocols disabled
• Network isolation: Production infrastructure in private VPC; no direct public access to databases or internal services
• Logging and monitoring: AWS CloudWatch with automated alerting on anomalous access patterns

Application security

• Authentication: Secure session management with automatic expiry on all sessions
• API security: All endpoints authenticated; rate limiting applied to prevent abuse
• Input validation: All user inputs validated and sanitised server-side before processing
• Webhook verification: All inbound webhooks from Vapi, Stripe, and Twilio verified using signature validation
• Dependency management: Dependencies reviewed regularly; known vulnerable packages patched promptly

Access control

• Principle of least privilege — staff access only what their role requires
• All production access logged with timestamp, user identity, and action type
• Client data is fully isolated — one practice cannot access another’s data
• Access removed immediately upon staff offboarding

Incident response

In the event of a security incident affecting customer data, affected practices are notified within 72 hours of confirmed breach discovery. For HIPAA-covered breaches, notification is provided within 60 days as required by law. We will provide full details of what data was affected, how, and what steps we have taken to remediate.

On the roadmap

• SOC 2 Type I — targeted for Month 15 of operations
• Quarterly penetration testing — from Month 6 onwards
• Bug bounty programme — planned following SOC 2 Type I completion

Contact

Security questions or vulnerability reports: hello@frontis.ai