Security at CALLSATHI
How we protect your customers’ data, your account, and the conversations that flow through our platform. Read this top-to-bottom — or ask us anything missing.
Encryption everywhere
All customer data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase / managed Postgres). Audio streams ride over WSS — never plain WS.
Tenant isolation
Row-level security on every Postgres table. Each company is scoped by company_id; the service role key never touches the client. No customer can ever see another customer’s data.
Secrets management
API keys + webhook secrets live in environment variables, never in code. Razorpay + Meta webhooks are verified with constant-time HMAC signatures.
PII minimisation
Public analytics endpoints expose only aggregated counts. The live activity feed uses opaque per-request tokens — raw row IDs, phone numbers, and transcripts never leave the server.
Audit logging
Every privileged action (price change, company create/update/delete, role change, deletion request) is written to an immutable audit_log with admin id, IP, user agent, and a structured details payload.
Regional data residency
Production data is stored in the customer’s home region by default (India for INR customers). Edge regions cache only ephemeral state.
Compliance posture
Honest status of each regime we operate against. “Aligned” means the controls are in place today; “On roadmap” means planned, not yet in force.
| Standard | Status | Detail |
|---|---|---|
| PCI DSS SAQ-A | Documented (v4.0.1) | We never store or transmit raw cardholder data — Razorpay handles all payment fields. All 22 v4.0.1 SAQ-A controls answered. |
| India DPDP Act | Aligned | Our primary bar. India’s 2023 Digital Personal Data Protection Act — consent + purpose-limitation built into our onboarding flow, deletion requests honoured. |
| GDPR (EU) | Aligned | Not an EU-first product yet. We honour deletion requests within 30 days and can provide a DPA on request; formal SCCs are being prepared ahead of EU launch. |
| UK DPA 2018 | Aligned | Same controls as our GDPR alignment, for the UK’s post-Brexit regime. |
| SOC 2 Type I | On roadmap | Formal audit planned for 2026. Trust-services criteria covered architecturally today. |
| HIPAA | Available on Enterprise | BAAs can be signed with Enterprise customers. Default plans are not HIPAA-targeted. |
Responsible disclosure
If you believe you’ve found a security issue with CALLSATHI, please report it privately to security@callsathi.com. We acknowledge every report within 48 hours and aim to resolve high-severity issues within 7 days.