Security at Clicktocall.ai
How we protect your data across infrastructure, encryption, access controls, and compliance.
Last updated: March 17, 2026
- GDPR Compliant: EU data protection
- 256-bit Encryption: AES-256 at rest, TLS 1.3 in transit
Infrastructure Security
Clicktocall.ai is hosted on enterprise-grade cloud infrastructure provided by leading public cloud providers. Our production environment is deployed across multiple geographically distributed availability zones to ensure high availability and resilience against regional outages.
Network Architecture
All production services operate within isolated virtual private clouds (VPCs) with strict network segmentation. Ingress and egress traffic is controlled through layered firewall rules, and all internal service-to-service communication occurs over private networks that are not accessible from the public internet.
Hosting and Redundancy
- Multi-region deployment: Active-active configuration across at least two geographic regions to minimize latency and ensure failover capacity.
- Automated scaling: Infrastructure automatically scales in response to traffic demands, maintaining performance during peak usage.
- Daily backups: All databases are backed up daily with encrypted snapshots retained for 30 days. Point-in-time recovery is available for the most recent 7 days.
- DDoS mitigation: Edge-level protection absorbs volumetric attacks before they reach application servers.
Data Encryption
We treat encryption as a non-negotiable default. Every layer of the data lifecycle -- storage, transmission, and processing -- is protected with strong cryptographic controls.
Encryption in Transit
All data transmitted between clients and Clicktocall.ai servers is encrypted using TLS 1.3. We enforce HSTS headers and do not support any legacy protocol versions (TLS 1.0 and 1.1 are fully disabled). Real-time voice streams are encrypted end-to-end using SRTP (Secure Real-time Transport Protocol) with AES-128 counter mode.
Encryption at Rest
All data stored in our databases, object storage, and backups is encrypted using AES-256. Encryption keys are managed through a dedicated key management service (KMS) with automatic key rotation every 12 months. No unencrypted customer data exists at rest in any environment, including development and staging.
Access Controls
We follow the principle of least privilege across every system and process. Access to customer data and production infrastructure is tightly controlled and continuously audited.
- Role-based access control (RBAC): All employees and systems are granted permissions strictly necessary for their role. Access reviews are conducted quarterly.
- Multi-factor authentication (MFA): Required for all employees accessing internal systems, production environments, and administrative dashboards. Hardware security keys (FIDO2/WebAuthn) are required for infrastructure access.
- Single sign-on (SSO): Centralized identity management with SSO for all internal tools, reducing credential sprawl and enabling instant deprovisioning when team members change roles or leave.
- Audit logging: Every access event, configuration change, and data query is logged immutably. Logs are retained for a minimum of 12 months and are monitored in real time for anomalous patterns.
- Production access: Direct access to production systems requires approval through a just-in-time access request workflow. Sessions are time-limited and fully recorded.
Compliance
Clicktocall.ai maintains compliance with widely recognized security and privacy frameworks. Our compliance posture is validated through independent third-party audits and continuous monitoring.
GDPR
We are fully compliant with the General Data Protection Regulation (GDPR). We act as a data processor on behalf of our customers and provide a comprehensive Data Processing Agreement (DPA). We support data subject rights including access, rectification, erasure, and portability. For more details, see our GDPR compliance page.
Additional Frameworks
- ISO 27001: Our information security management system (ISMS) is aligned with ISO 27001 standards. Formal certification is in progress.
- CCPA / CPRA: We comply with the California Consumer Privacy Act and the California Privacy Rights Act for users in California.
- HIPAA: A BAA (Business Associate Agreement) is available for healthcare customers on our Enterprise plan who require HIPAA compliance.
- PCI DSS: Payment processing is handled entirely by PCI DSS Level 1 certified third-party providers. Clicktocall.ai does not store, process, or transmit cardholder data.
Incident Response
We maintain a documented incident response plan that is tested and updated regularly. Our response process follows industry best practices and is designed to minimize impact and restore normal operations quickly.
Response Process
- Detection: Automated monitoring and alerting systems detect anomalies in real time. Our security team is on call 24/7/365.
- Triage: Incidents are classified by severity (Critical, High, Medium, Low) and assigned to a dedicated incident commander within 15 minutes of detection.
- Containment: Immediate steps are taken to isolate affected systems and prevent further impact. Affected services may be temporarily suspended if necessary to protect customer data.
- Resolution: The root cause is identified and a fix is deployed. All changes are reviewed before production deployment, even during incident response.
- Notification: Affected customers are notified within 72 hours of a confirmed data breach, in compliance with GDPR and other applicable regulations. Critical incidents are communicated within 24 hours.
- Post-mortem: A blameless post-incident review is conducted and published internally. Lessons learned are used to improve our systems and processes.
Vulnerability Disclosure and Bug Bounty
We value the work of independent security researchers and welcome responsible disclosure of any vulnerabilities found in our products or infrastructure.
Responsible Disclosure Policy: If you believe you have discovered a security vulnerability in Clicktocall.ai, please report it to us privately. Do not disclose the issue publicly until we have had a reasonable opportunity to address it.
Send reports to: security@clicktocall.ai
What to Include
- A detailed description of the vulnerability, including the affected component and steps to reproduce.
- The potential impact or severity of the issue.
- Any proof-of-concept code, screenshots, or logs that demonstrate the vulnerability.
- Your preferred contact information for follow-up.
Our Commitment
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment and expected timeline within 5 business days.
- We will not pursue legal action against researchers who comply with this policy and act in good faith.
- We offer monetary rewards for qualifying vulnerabilities in scope, determined by severity and impact. Typical ranges are $100 to $5,000.
Contact
If you have questions about our security practices or want to discuss security requirements for your organization, our team is here to help.
For enterprise customers, we are available to complete security questionnaires, provide detailed architecture documentation, and participate in vendor security reviews.