Trust · Security

Security you can audit.

We host SMS conversations and customer data. We take that responsibility seriously — here's exactly how, with no claims we can't back up.

In transit
TLS 1.2 / 1.3
Passwords
bcrypt-hashed
Webhooks
Signature-verified
Region
US-only data

Encryption

In transit: all traffic to Call4Life is served over HTTPS using TLS 1.2 / 1.3 with a valid, publicly trusted certificate. Plain-HTTP requests are redirected to HTTPS. Application-level encryption: sensitive secrets and third-party API tokens are encrypted by the application before they are stored. User passwords are never stored in plaintext — they are hashed with bcrypt.

Application security

  • Strict tenant isolation — every record is scoped to its owning account, and queries are filtered by tenant so one customer can never read another customer's data.
  • Mandatory webhook signature verification — inbound provider webhooks (e.g. carrier delivery and inbound-message callbacks) are rejected unless their signature is verified.
  • Rate limiting on authentication and API endpoints to blunt brute-force and abuse.
  • bcrypt password hashing with per-password salts.

Infrastructure

Hosted on dedicated infrastructure in the United States; no customer data leaves the US. The host is firewalled so that only the ports required to run the service are reachable from the internet — SSH (22) and HTTPS/HTTP (443 / 80, with 80 redirecting to 443). The database is not exposed to the public internet. The application runs behind a reverse proxy that terminates TLS.

Access control

Production access is limited to the operator, over key-based SSH only (password SSH login is disabled). Application access is gated by authenticated sessions, and sensitive operations require re-authentication.

Backup & recovery

The database is backed up automatically on a regular schedule, and we keep a documented restore procedure so data can be recovered after a failure. We test restores when the backup process changes.

Compliance

  • A2P 10DLC registered with The Campaign Registry for US application-to-person SMS.
  • SMS sending follows CTIA messaging principles and carrier (10DLC) requirements — documented consent, STOP/HELP handling, and DNC suppression.
  • US-only data; we do not target or serve EU data subjects.

Security roadmap

To be transparent, the following are planned, not yet in place, and we will only advertise them here once they are live and verifiable: full-disk / at-rest encryption of the database volume, a formal third-party security audit (such as SOC 2), HIPAA Business Associate Agreements, and call-recording controls (which arrive with voice calling). We would rather under-promise here than claim a control we don't yet operate.

Incident response

If we become aware of a security incident affecting customer data, we will investigate, contain it, and notify affected customers with the scope, impact, and the steps we are taking.

Report a security issue

Email security@call4life.marketing with details. We respond within one business day and credit researchers who responsibly disclose. PGP key available on request.