Security & Trust
AlwaysRespond handles call recordings, customer contact data, and payment information. Here's how we keep it safe.
All data is encrypted in transit using TLS 1.3. Sensitive fields like OAuth tokens are additionally encrypted at rest with AES-256 using keys managed through our hosting provider's key management service. Call recordings and SMS message bodies are stored on encrypted volumes.
We never store credit card numbers on our servers. All payments flow through Stripe, which is PCI-DSS Level 1 certified. Card details are tokenized by Stripe before they reach us, and subscription management happens entirely inside Stripe's compliant environment.
Every request is scoped to the authenticated tenant — one business cannot see another's data at the database, API, or UI layer. Role-based access inside each tenant (owner, admin, technician, agent) limits who can see what. Two-factor authentication is available on every account.
We operate as a registered 10DLC message originator in the U.S., handle STOP and HELP keywords automatically, and maintain a full consent ledger for every contact. Messages never go out without explicit opt-in, and opt-outs are honored immediately across every channel.
AlwaysRespond is hosted on Vercel and Neon Postgres (both SOC 2 Type II certified). Voice and SMS pipelines use Telnyx (HIPAA-ready) and Twilio. Logs and metrics are retained for 90 days with access limited to on-call engineers.
If you believe you've found a security issue, please email security@alwaysrespond.com. We investigate every report and will get back to you within 48 hours.
What we don't claim
We are not currently SOC 2 or HIPAA certified. If you need a signed Business Associate Agreement (BAA) for healthcare use or a SOC 2 Type II report for enterprise procurement, please reach out and we'll work with you on a path forward.