Security & compliance.
The trust posture a small practice needs to put their patient calls through Voipy. We cover this page with the same factual-first / sourced approach as our competitor comparisons — what we do, what we don't, and what's on the roadmap.
Last updated: April 25, 2026
Compliance posture at a glance
In progress
- SOC 2 Type II preparation
- PCI SAQ-A scope confirmation
- Penetration test scheduled Q3 2026
Not yet
- SOC 2 Type II report
- ISO 27001
- HITRUST
If a buyer's procurement requires a framework on the "Not yet" list, contact security@voipy.app — we'll confirm timeline and whether your renewal cycle aligns with our roadmap.
HIPAA
Voipy executes a Business Associate Agreement with healthcare customers on Pro and Enterprise plans. Our standard BAA covers the customer-facing call data lifecycle (intake, transcript, recording, retention, deletion). For customers who require their own paper, we sign reasonable counter-templates within ~5 business days of receipt.
What's BAA-covered
- Call recordings + transcripts containing PHI.
- AI-extracted intake fields tied to a specific patient identifier.
- Tenant-uploaded knowledge-base content (FAQ articles, scripts, custom prompts).
- Patient-portal SMS confirmations + reminders sent via our SMS sub-processor (Telnyx).
What sits outside the BAA
- De-identified aggregate analytics (call volume, duration histograms, scenario distribution) — these never tie to a specific patient.
- Marketing and sales communication with the customer's authorized contacts (these are not PHI).
- Sub-processors to which we do not give PHI (e.g., Stripe; we share customer billing data, not patient data).
Request a BAA: support@voipy.app — include your tenant slug and signing party.
Encryption
In transit
All HTTP traffic to voipy.app and our internal API surfaces uses TLS 1.2 or higher. Telephony media (RTP) is protected via SRTP between Voipy and Telnyx; SIP signaling uses TLS. Internal service-to-service calls inside our private VPC use mTLS where available.
At rest
PostgreSQL primary storage is encrypted with AES-256 at the volume layer. Recording audio files are encrypted at rest with per-tenant key derivation; retention policy applies before any backup snapshotting.
Authentication & access
- Customer admin portals require email + password with optional TOTP 2FA.
- Internal API endpoints require an internal API key + IP allowlist for write operations; read-only health endpoints are public.
- Gateway write endpoints require an admin shared token rotated quarterly.
- SSO via SAML / OIDC available on Enterprise tier (Okta / Microsoft Entra ID / Google Workspace tested).
Sub-processors
Sub-processors that handle customer or patient data on our behalf:
| Sub-processor | Service | Data category | Region |
|---|---|---|---|
| Telnyx | Telephony (SIP, SMS, recording) | Call audio, SMS bodies, caller numbers | US |
| Stripe | Payment processing | Customer billing only — no PHI | US |
| Anthropic | LLM inference (production failover) | Call transcript snippets, no patient identifiers | US |
| Google Cloud (Gemini) | LLM inference (production failover) | Call transcript snippets, no patient identifiers | US |
| Google Cloud (Speech-to-Text) | Backup transcription path | Call audio (transient), no retention | US |
| Self-hosted GPU (CT3) | Primary STT / LLM / TTS pipeline | Call audio, real-time only | US (private infrastructure) |
| Cloudflare | CDN + DDoS protection | Public-marketing only — no PHI surface | Global |
| Sentry (subscription pending) | Error tracking | De-identified stack traces, no PHI | US |
Sub-processor changes ship via a 30-day notice period to all paid customers. Material changes (new region, new data category) require BAA-customer re-execution if HIPAA scope changes.
Data retention & deletion
- Call recordings — default 180 days, configurable per-tenant down to 7 days or up to 2555 days (7 years, healthcare retention).
- Call transcripts + extracted fields — same retention as the recording. Tenant-deletable on demand.
- Account & billing data — retained for the life of the subscription plus 90 days post-termination, then purged from primary stores within 30 days. Backup-tape rotation may extend this by up to 90 days for disaster-recovery purposes.
- De-identified analytics — retained indefinitely for product-improvement purposes; never tied back to a specific patient.
- On-request deletion — privacy@voipy.app processes within 30 days; HIPAA-required logs of accesses to PHI persist for 6 years per federal rule even after a deletion request, but the underlying PHI is purged.
Incident response
If we discover a security incident affecting customer or patient data, we follow a documented response plan:
- Contain — disable the affected pathway within 1 hour of confirmation.
- Investigate — root-cause within 72 hours; preserve forensic artifacts.
- Notify — affected customers within 72 hours of confirmation; HIPAA-covered customers per the Breach Notification Rule (60 days of incident, with prompt good-faith effort to notify sooner).
- Remediate — patch + post-mortem; track durable controls in our quarterly SOC 2 prep tracker.
- Disclose — public post-mortem on /changelog within 14 days unless ongoing investigation requires delay.
Vulnerability disclosure
Report a vulnerability
Email security@voipy.app. We respond to confirmed reports within 48 hours and aim to patch critical issues within 7 days. Good-faith research is welcome — we will not pursue legal action for testing that meets these conditions:
- You don't access, modify, or destroy customer or patient data.
- You don't publish details until we've patched and notified affected customers.
- You don't degrade availability or run automated scans against production beyond what's needed to validate a single finding.
PGP key + responsible-disclosure SLA: ask via the email above. Bounty program is in scoping; expect details Q3 2026.
Service availability
Production targets:
- Marketing site (voipy.app) — 99.9% monthly uptime.
- Telephony gateway — 99.95% monthly uptime; LLM failover circuit-breaker engages within 5s of primary-pipeline degradation.
- Customer admin API — 99.9% monthly uptime.
- Status page (in scoping) — public dashboard expected Q3 2026.
Incidents that affect customer-facing availability beyond 30 minutes are posted to /changelog.
Other questions
Pre-purchase security questionnaires (SIG, CAIQ, CAIQ Lite, custom RFPs) are completed within ~5 business days for prospective Practice and Enterprise customers. Contact us.