Trust & Security

Security at CALLSATHI

How we protect your customers’ data, your account, and the conversations that flow through our platform. Read this top-to-bottom — or ask us anything missing.

Encryption everywhere

All customer data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase / managed Postgres). Audio streams ride over WSS — never plain WS.

Tenant isolation

Row-level security on every Postgres table. Each company is scoped by company_id; the service role key never touches the client. No customer can ever see another customer’s data.

Secrets management

API keys + webhook secrets live in environment variables, never in code. Razorpay + Meta webhooks are verified with constant-time HMAC signatures.

PII minimisation

Public analytics endpoints expose only aggregated counts. The live activity feed uses opaque per-request tokens — raw row IDs, phone numbers, and transcripts never leave the server.

Audit logging

Every privileged action (price change, company create/update/delete, role change, deletion request) is written to an immutable audit_log with admin id, IP, user agent, and a structured details payload.

Regional data residency

Production data is stored in the customer’s home region by default (India for INR customers). Edge regions cache only ephemeral state.

Compliance posture

Honest status of each regime we operate against. “Aligned” means the controls are in place today; “On roadmap” means planned, not yet in force.

StandardStatusDetail
PCI DSS SAQ-ADocumented (v4.0.1)We never store or transmit raw cardholder data — Razorpay handles all payment fields. All 22 v4.0.1 SAQ-A controls answered.
India DPDP ActAlignedOur primary bar. India’s 2023 Digital Personal Data Protection Act — consent + purpose-limitation built into our onboarding flow, deletion requests honoured.
GDPR (EU)AlignedNot an EU-first product yet. We honour deletion requests within 30 days and can provide a DPA on request; formal SCCs are being prepared ahead of EU launch.
UK DPA 2018AlignedSame controls as our GDPR alignment, for the UK’s post-Brexit regime.
SOC 2 Type IOn roadmapFormal audit planned for 2026. Trust-services criteria covered architecturally today.
HIPAAAvailable on EnterpriseBAAs can be signed with Enterprise customers. Default plans are not HIPAA-targeted.

Responsible disclosure

If you believe you’ve found a security issue with CALLSATHI, please report it privately to security@callsathi.com. We acknowledge every report within 48 hours and aim to resolve high-severity issues within 7 days.

Please don’trun automated scans against production. They generate noise that wakes the on-call engineer and won’t find anything we don’t already track. Email us first and we’ll happily coordinate a real test.

Have specific security requirements?

Our security team is available to complete vendor risk assessments and answer any technical questions about our infrastructure.

Ready to scale your voice?

Join hundreds of businesses automating their inbound and outbound calls with CALLSATHI AI.