Security posture
A plain-language summary of how the service handles encryption, credentials, and your data.
In transit
Every web surface โ the consoles, the trunk portal, and the API โ is served over HTTPS with a valid TLS certificate. Plain http:// requests are redirected to https://.
Credentials
- Account passwords are stored hashed, never in plain text.
- Passwords must meet a minimum strength rule (see Account and security), enforced identically wherever a password is set.
- SIP and provider secrets are write-only in the admin interface: you can set them, but they are never sent back and displayed. The API does not return them.
- Changing your password immediately ends every other session signed in with the old one.
Access and isolation
- Signing in is rate-limited to slow brute-force attempts.
- Non-administrator accounts can see only their own data โ their calls, balance, and numbers.
- Internal services (the switch, the database, the media bridges) listen only on the server's loopback interface. They are not reachable from the internet; only the published web addresses are.
What is stored and for how long
- Call records (CDRs) are retained so you can review and export your usage and billing.
- Where calls are recorded, recordings are rotated automatically after 30 days.
- Message and event logs are kept for operational troubleshooting.
Reporting a concern
If you believe you have found a security issue, contact your provider directly. Please do not post details publicly before it is resolved.