Security

The Service runs on reputable cloud infrastructure providers using managed, regularly patched services. Network access to our systems is restricted, and production environments are separated from development and testing.

• In transit — all traffic between you and the Service, and between the Service and its providers, is encrypted using TLS. Call media is carried over encrypted transport.
• At rest — sensitive credentials and integration tokens (such as connected-calendar refresh tokens) are encrypted, and passwords are stored only as salted hashes — never in plain text.

• Accounts are protected by modern, token-based authentication with asymmetric request signing and email verification.
• Internal access to production data is limited to what is necessary to operate the Service, on a least-privilege basis.
• Administrative functions are gated behind dedicated, role-restricted access.

The Service is multi-tenant. Each organization’s data is logically isolated and protected by row-level security policies so that one customer cannot access another customer’s data.

Payments are processed by PayPal. Card details are entered directly with the payment processor and are never transmitted to or stored on our servers, keeping sensitive card data out of scope of our systems.

To keep the platform clean and fraud-free, we verify identities and apply checks before provisioning regulated telecommunications resources, and we monitor for misuse. We may investigate, suspend, or terminate accounts and cooperate with carriers and authorities where we suspect fraud, abuse, or unlawful use, as described in our Terms of Service and Privacy Policy.

Application secrets and API keys are stored in protected secret stores, kept out of source control, scoped to the systems that need them, and rotated when appropriate.

We log and monitor system activity to detect errors and abuse, and rely on managed infrastructure with redundancy and backups to support availability and recovery. No service can guarantee uninterrupted operation, but we work continuously to improve resilience.

• Use a strong, unique password and keep your credentials confidential.
• Limit and review who in your organization has access to your account.
• Obtain all consents required to record and to contact recipients, and use the Service lawfully, as set out in our Terms of Service.
• Notify us promptly if you suspect any unauthorized access.

If you believe you have found a security vulnerability or have a security concern, please contact us at hello@sunovoice.com so we can investigate. We appreciate responsible disclosure and ask that you give us a reasonable opportunity to address an issue before publicizing it.