Security

Your Data Is Safe With Us

Q: What encryption does Callably use?

All data in transit uses TLS 1.2+ encryption. CRM API keys, phone system tokens, and webhook secrets are stored using AES-256 encryption and are never logged in plaintext.

Q: Is Callably HIPAA compliant?

Callably follows HIPAA-ready architectural principles — encrypted storage, access controls, and audit logging. If your organization requires a formal BAA (Business Associate Agreement), contact us to discuss your specific compliance requirements.

Call recordings, transcripts, lead data, and CRM credentials are handled with enterprise-grade security practices. Here's exactly how we protect you.

Enterprise-Grade Security

Your call data, transcripts, and lead records are protected by multiple layers of security at rest and in transit.

TLS 1.2+ · AES-256 · GDPR principles · Zero cross-account sharing

TLS 1.2+

In-Transit Encryption

AES-256

At-Rest Encryption

GDPR

Compliant Practices

Zero

Cross-Account Sharing

TLS 1.2+ Encrypted

AES-256 At Rest

GDPR Compliant

HIPAA-Ready

Zero Data Sharing

Account Isolation

TLS 1.2+

Encryption in Transit

All data between your browser, our server, and external APIs is encrypted using TLS 1.2 or higher.

AES-256

Encryption at Rest

Sensitive credentials (CRM keys, phone system tokens) are stored using AES-256 encryption.

GDPR

Compliant Practices

We follow GDPR principles: data minimization, user rights, consent, and clear retention policies.

HIPAA

Ready Architecture

Our architecture follows HIPAA-ready principles for medical and healthcare customers who require it.

Data Encryption

All traffic between users and Callably is encrypted with TLS 1.2+ via HTTPS.
CRM API keys, phone system tokens, and webhook secrets are stored encrypted with AES-256 and never logged in plaintext.
Call recordings are stored in encrypted storage and are only accessible through authenticated sessions.
Database connections use SSL and all production database credentials are environment-isolated.

Account Isolation

Every account's data (leads, calls, recordings, sequences) is isolated by user ID. No cross-account data access is possible.
Webhook and CRM credentials are per-user and never shared or visible to other accounts.
Admin access to customer accounts (for support) requires explicit impersonation logs and is tracked.

Data Retention & Deletion

You can export all your data at any time from account settings as a CSV or JSON export.
Account deletion removes all associated records: leads, calls, recordings, sequences, and CRM credentials.
Call recordings stored on Callably servers follow your provider's retention and can be deleted on request.

AI Processing & OpenAI

Callably uses OpenAI's Whisper and GPT APIs for transcription and AI analysis. Call audio and transcripts are sent to OpenAI only for processing — not stored by OpenAI per their API data usage policy.
Data sent to OpenAI via the API is not used to train OpenAI's models.
AI processing is quota-gated — calls are only transcribed within your plan's monthly limit, giving you control over how much data is processed.

Infrastructure & Uptime

Hosted on dedicated VPS infrastructure with daily backups and automated monitoring.
Automatic retries and circuit breakers for all webhook deliveries ensure data is never silently lost.
HSTS headers enforced, X-Frame-Options set to DENY, Content-Security-Policy applied to all pages.
CSRF tokens required on all state-changing POST requests. Session cookies use HttpOnly and SameSite=Lax flags.

Security FAQ

Is Callably GDPR compliant?

Yes. Callably follows GDPR principles including data minimization, user rights, consent management, and clear data retention policies. You can export or delete all your data at any time from account settings.

How are call recordings and transcripts protected?

Call recordings are stored in encrypted storage and accessible only through authenticated sessions. Transcripts and summaries are stored in an encrypted PostgreSQL database with per-user isolation — no cross-account access is possible.

Does Callably share my data with third parties?

No. Your call data, leads, and CRM credentials are never shared with other accounts or sold to third parties. Data sent to OpenAI for AI processing is not used to train their models per OpenAI's API data usage policy.

Is Callably HIPAA compliant?

Callably follows HIPAA-ready architectural principles including encrypted storage, strict access controls, and audit logging. If your organization requires a formal BAA (Business Associate Agreement), contact us to discuss your compliance requirements.

What happens to my data if I cancel?

You can export all your data before cancelling. Upon account deletion, all associated records — leads, calls, recordings, sequences, and CRM credentials — are permanently removed from our servers.

How do you secure webhook and CRM API keys?

All CRM API keys, phone system tokens, and webhook secrets are stored using AES-256 encryption in our database and never logged in plaintext. Each user's credentials are strictly isolated and never visible to other accounts or shared across tenants.

Have a Security Question?

If you've found a security issue or have specific compliance requirements, reach out directly. We take every report seriously.

Contact Security Team Read Privacy Policy

Read our Privacy Policy and Terms of Service for full legal details.