Security posture

A plain-language summary of how the service handles encryption, credentials, and your data.

In transit

Every web surface โ€” the consoles, the trunk portal, and the API โ€” is served over HTTPS with a valid TLS certificate. Plain http:// requests are redirected to https://.

Credentials

  • Account passwords are stored hashed, never in plain text.
  • Passwords must meet a minimum strength rule (see Account and security), enforced identically wherever a password is set.
  • SIP and provider secrets are write-only in the admin interface: you can set them, but they are never sent back and displayed. The API does not return them.
  • Changing your password immediately ends every other session signed in with the old one.

Access and isolation

  • Signing in is rate-limited to slow brute-force attempts.
  • Non-administrator accounts can see only their own data โ€” their calls, balance, and numbers.
  • Internal services (the switch, the database, the media bridges) listen only on the server's loopback interface. They are not reachable from the internet; only the published web addresses are.

What is stored and for how long

  • Call records (CDRs) are retained so you can review and export your usage and billing.
  • Where calls are recorded, recordings are rotated automatically after 30 days.
  • Message and event logs are kept for operational troubleshooting.

Reporting a concern

If you believe you have found a security issue, contact your provider directly. Please do not post details publicly before it is resolved.

Last updated 2026-07-10.