
Security · 7-layer defense

Security at DialPhone.

100+ businesses trust DialPhone with their customer conversations. We operate a seven-layer defense model audited by third-party firms and tested continuously.

Last updated April 22, 2026

Phone systems sit at an awkward intersection of security threat models. They handle PSTN traffic, which still carries unauthenticated caller-ID flows and decades-old protocol assumptions, while also handling sensitive customer conversations that often include payment-card data, protected health information, and brokered financial communications. A defense-in-depth strategy that works for a web SaaS does not automatically work for a phone platform — voice paths, SMS gateways, and recording archives each have their own threat profile.

The seven layers below describe how DialPhone addresses each surface independently. Perimeter handles PSTN-level abuse: STIR/SHAKEN attestation outbound (so customer calls register as verified), carrier-grade filtering of inbound robocall floods, and DDoS protection on the HTTP and SIP control planes. Identity defaults to SAML SSO with enforced MFA for both staff and customer admins; no shared passwords, no on-by-default API keys. Data uses AES-256-GCM at rest with hardware-backed KMS, tenant-key isolation for enterprise customers, and PHI tokenization before any AI inference call. Detection and Response run 24/7 with a 72-hour breach notification commitment in the customer contract — not a marketing target.

For technical buyers running a security review, the documentation under the Trust Center covers SOC 2 Type II report requests, penetration-test summaries, the coordinated disclosure program, and the full subprocessor registry. For data-handling specifics, see the privacy commitments page. To report a security issue, email [email protected]; acknowledgement within 24 hours.

Defense in depth

Seven layers

  1. Perimeter: DDoS protection, WAF, carrier-grade filtering for PSTN abuse, STIR/SHAKEN A-level attestation outbound.

  2. Network: Private-cloud hardening, micro-segmentation, zero-trust internal access, VPN-gated admin surfaces.

  3. Identity: SSO/SAML, MFA enforced for all staff, SCIM for customer provisioning, session-timeout enforcement.

  4. Application: OWASP Top 10 coverage, SAST/DAST in CI, dependency scanning, auto-patching for known CVEs.

  5. Data: AES-256-GCM at rest, TLS 1.3 in transit, hardware-backed KMS, tenant-key isolation, PHI tokenization.

  6. Detection: 24/7 SIEM, anomaly detection, insider-threat telemetry, third-party red teaming.

  7. Response: On-call IR team, 24-hour detection SLA, 72-hour breach notification, post-mortem shared with affected customers.

Audits

Certifications & attestations

Full matrix and downloadable reports at the Trust Center.

Disclosure

Coordinated disclosure & bug bounty

Acknowledgement: 24h
Triage: 3 business days
Rewards: $150 – $15K

Report issues to [email protected]. Safe-harbor policy for good-faith research.

Security FAQ

Can I get a SOC 2 report?

Yes. DialPhone is SOC 2 Type II audited annually across Security, Availability, Confidentiality, and Processing Integrity. Report available under NDA via sales.

Do you do penetration testing?

Yes, annual third-party penetration tests by accredited firms. Executive summaries of remediation status shared with enterprise customers under NDA. We also run a coordinated disclosure program and private bug bounty.

How do you protect customer data from staff access?

Minimum-necessary access by default. Customer support cannot read PHI, recordings, or transcripts without explicit break-glass approval logged and visible to the customer. Production database access restricted to on-call engineers during active incidents.

Do you support SSO and SAML?

Yes. SAML 2.0 SSO with Okta, Azure AD / Entra ID, OneLogin, Ping, Duo, Google Workspace, and any SAML-compliant IdP. SCIM provisioning for automated user lifecycle. Enforced MFA available.

What encryption do you use?

TLS 1.3 in transit, AES-256-GCM at rest, SRTP with AES-256 for voice media, DTLS for WebRTC. Hardware-backed KMS (AWS KMS, Google Cloud KMS) with tenant-key isolation for enterprise customers.

How do you handle insider threat?

Background checks for all staff, role-based access controls, just-in-time elevation for production, session recording on sensitive admin panels, behavioral anomaly detection, periodic access reviews.
