Trust Center
Honest disclosure. No theatre.
Procurement, legal, and security teams need facts they can verify. This page shows our actual posture — what is in place today, what is in progress, and what is planned. We do not claim certifications we do not hold.
Compliance Status
SOC 2 Type I
In ProgressIn progress
Controls being implemented and audit-prepped during 2026. Target Type I report: Q3 2026. Once issued, the Type I report will be available under NDA on request.
SOC 2 Type II
PlannedPlanned (post-Type I)
Type II requires a 6-12 month operating-effectiveness window over the same controls validated by Type I. We will commence the observation window once Type I is issued.
GDPR
AlignedAligned
Data subject rights (access, rectification, erasure, portability) supported via tenant admin tools and the support@getwhistle.app channel. Data residency: primary processing in North America; EU data residency available on Enterprise plans by contract.
HIPAA
AlignedAligned, BAA available on request
Encryption-in-transit and encryption-at-rest in place. Tenant data isolation via per-tenant encryption keys for call recordings. Business Associate Agreement available on Enterprise contracts. Not a HIPAA-certified entity — alignment with the technical and administrative safeguards in 45 CFR §164.
CCPA / CPRA
AlignedAligned
California consumer rights honoured: right to know, right to delete, right to opt-out of sale (we do not sell personal information).
PIPEDA (Canada)
AlignedAligned
Canadian privacy law alignment for tenants operating in Canada. Data residency in Canada available on Enterprise plans by contract.
STIR/SHAKEN
AlignedImplemented
Outbound calls signed at the carrier; inbound verstat surfaced on call records. A-level attestation through our Tier-1 trunk providers.
Security Architecture
Encryption in transit
TLS 1.2+ on every public endpoint. SIP signalling defaults to SIPS (TLS, port 20062). Voice media uses SRTP. WebRTC traffic encrypted end-to-end via DTLS.
Encryption at rest
All persisted call recordings, transcripts, and provider credentials are encrypted with per-tenant keys (Fernet via cryptography 42+). Database storage on encrypted volumes.
Authentication
JWT-based session tokens with strict expiry (30 min access, 7 day refresh). MFA via TOTP enforced for admin roles. SSO (SAML 2.0 / OIDC) on Enterprise plans. Magic-link and OAuth (Google) available for end users.
Authorization
13-role RBAC (9 platform + 4 tenant) with 49 distinct permissions. Tenant boundary enforced on every API call — call records, messages, contacts, recordings are scoped by tenant_id from JWT claims, never from the request body.
Audit logging
Every write action across every service emits an immutable audit log entry with actor, action, resource, before/after state, IP, and user agent. Tenant admins can query their own tenant's audit log via the dashboard. Audit logs are retained per the table below.
Rate limiting + abuse prevention
Login (per-IP, per-account), MFA verification, magic-link issuance, and OAuth flows are rate-limited at the auth service. Cloud Armor + fail2ban defence-in-depth on the edge.
Audit Log Access
Tenant admins can query their own tenant's audit log directly. We do not paywall audit log access — every plan tier includes it.
- Who has access
- Any tenant admin or compliance role within the tenant.
- Where to find it
- Dashboard → Account → Audit Log (within the in-app navigation).
- What you can query
- Filter by date range, actor, action type, resource type, outcome (success/failure/denied). Export to CSV for SOC2 evidence collection.
- API access
- Programmatic access via GET /api/tenant/audit-log (tenant-scoped JWT required). See API documentation for query parameters.
Data Retention Policy
Retention windows are enforced by an automated retention worker that scans and deletes expired rows. Customer data is deleted within 30 days of contract termination unless a longer hold is contractually required.
| Data Class | Retention | Why |
|---|---|---|
| Authentication events (login, MFA, password change, SSO) | 1 year | SOC2 CC6.1 access-control evidence window. |
| Tenant admin actions (user create/disable, settings change, billing) | 1 year | SOC2 CC6.6 change-management evidence. |
| DID purchases + financial records | 7 years | Financial records required for SOC2 + tax/accounting compliance. |
| Call records + transcripts + recordings (data plane) | Tenant-controlled, default 90 days | Tenant admin sets retention per-tenant; deletion on contract termination is enforced by an automated worker. |
| Message threads (SMS/MMS) | Tenant-controlled, default 90 days | Same model as call records. |
| System / infrastructure logs (uvicorn, sip, kamailio) | 30 days | Operational debugging window. PII scrubbed. |
Subprocessors
We share data only with the subprocessors listed below, only for the stated purpose. We will give 30-day notice of any material change to this list. Customers may subscribe to the subprocessor change feed at security@getwhistle.app.
Twilio
United StatesPSTN voice + SMS termination (Tier-1 trunk provider).
Data shared: Phone numbers (DIDs), call signalling metadata, SMS message bodies.
VoIP.ms
CanadaPSTN voice + SMS termination (Tier-1 trunk provider, Canada-first).
Data shared: Phone numbers (DIDs), call signalling metadata, SMS message bodies.
Stripe
United StatesPayment processing for plan subscriptions, DID add-ons, and international call credits.
Data shared: Billing email, plan tier, payment method tokens (we never see the PAN).
Anthropic
United StatesAI-powered call summary, post-call signals, and intent classification when the customer enables AI features. Anthropic processes call transcripts under their data-processing terms.
Data shared: Call transcripts (only when AI features are enabled by the tenant).
Google Cloud Platform
Global; primary region us-east1.Hosting infrastructure (compute, networking, object storage). Cloudflare fronts our edge.
Data shared: All platform data lives in GCP.
Cloudflare
Global edge network.DNS, CDN, WAF for the dashboard and marketing sites. Voice traffic bypasses Cloudflare (sip.getwhistle.app is DNS-only).
Data shared: HTTP request metadata for dashboard.getwhistle.app.
Postmark
United StatesTransactional email (signup confirmation, password reset, invoices).
Data shared: Email addresses, message templates.
Security Advisories
Material security incidents and CVE responses are disclosed here within 5 business days, with severity, status, and remediation summary. Subscribe to updates at security-advisories@getwhistle.app.
No active advisories.
Last reviewed 2026-04-27.
Responsible Disclosure
Believe you have found a vulnerability? Email security@getwhistle.app with reproduction steps. We acknowledge within 2 business days, triage within 5, and do not pursue legal action against good-faith researchers.
Documents available on request
Standard procurement docs (under NDA where applicable):
- · SIG Lite questionnaire
- · Data Processing Addendum (DPA)
- · Business Associate Agreement (BAA) — Enterprise plans
- · Penetration test summary (when available)
- · SOC 2 Type I report (when issued)
- · Architecture overview and data flow diagram
Page last reviewed 2026-04-27 by the GetWhistle security team. Material changes are logged with the change date. If a claim on this page is inaccurate, email security@getwhistle.app — we correct quickly.