Overview
Quo maintains enterprise-grade security practices to protect your communications and data. Our comprehensive security framework includes infrastructure protection, data encryption, compliance certifications, and ongoing security improvements.
Infrastructure security
Cloud platform
Amazon Web Services (AWS):
- Enterprise-grade cloud infrastructure
- Multiple availability zones for redundancy
- Industry-leading physical security
- Continuous monitoring and threat detection
- DDoS protection and web application firewall
- Global content delivery network
- SSL/TLS encryption for all connections
- Real-time threat intelligence
Monitoring and availability
Service monitoring:
- 24/7 system monitoring
- Automated alerting for issues
- Public status page: status.openphone.co
- Proactive incident response
View real-time service status and historical uptime data on our status page.
Data protection
Backup and recovery
Backup strategy:
- Daily backups of all databases
- Hourly backups for high-priority systems
- Multi-location storage across geographically distributed data centers
- Automated recovery testing to ensure backup integrity
- Data retained as long as you maintain your account
- 30-day retention period after account cancellation
- Permanent deletion available upon request
Privacy compliance
Supported regulations:
- GDPR (General Data Protection Regulation): European Union data protection
- CCPA (California Consumer Privacy Act): California privacy rights
- PIPEDA: Canadian personal information protection
- Self-service data export through workspace settings
- Account deletion through subscription cancellation
- Complete data removal available through support request
- Transparent data handling practices
Contact our Support Team for complete data removal from all systems.
Application security
Communication encryption
Text messaging:
- End-to-end encryption in transit
- Secure transmission to carrier networks
- Message content protected during delivery
- Encrypted storage of message history
- WebRTC technology for secure real-time communication
- TLS encryption for call signaling and setup
- Encrypted media streams during active calls
- Complete privacy and data integrity
Data encryption
Encryption standards:
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- End-to-end encryption for communications
- Key management through AWS encryption services
- Contact information and conversation history
- Call recordings and voicemail files
- User account data and preferences
- Billing and payment information
Compliance certifications
SOC 2 Type II
Compliance overview:
- SOC 2 Type II certified for security, availability, and confidentiality
- Annual audits by independent third-party assessors
- Continuous monitoring of security controls
- Comprehensive documentation of security procedures
- Security: Protection against unauthorized access
- Availability: System operational availability as committed
- Confidentiality: Information designated as confidential is protected
Learn more about our SOC 2 certification and security practices on our blog.
Payment security
PCI compliance
Stripe payment processing:
- PCI Service Provider Level 1 certified
- Highest level of payment industry certification
- Secure tokenization of payment information
- Fraud detection and prevention systems
- Credit card information never stored on Quo servers
- Encrypted transmission of all payment data
- Regular security audits and compliance reviews
- Multi-factor authentication for billing changes
Learn more about Stripe’s security practices in their security documentation.
Industry-specific compliance
Healthcare (HIPAA/PHIPA)
Current status: Quo is not currently certified for:
- HIPAA (Health Insurance Portability and Accountability Act)
- PHIPA (Personal Health Information Protection Act)
- ✅ Appointment scheduling and general business communication
- ✅ General practice management and patient outreach
- ❌ Protected health information (PHI) should not be shared
- ❌ Detailed medical discussions via text or voicemail
Do not share protected health information through Quo until HIPAA compliance is achieved.
Financial services
Current capabilities:
- SOC 2 compliance supports financial industry security requirements
- Encryption standards meet banking industry expectations
- Data retention policies align with financial regulations
- Contact support for specific compliance requirements
Security best practices
For administrators
Account security:
- Use strong, unique passwords for admin accounts
- Enable two-factor authentication where available
- Regularly review team member access and permissions
- Monitor workspace activity for unusual behavior
- Export data regularly for backup purposes
- Document access controls and permission changes
- Train team members on security best practices
- Establish clear data handling policies
For all users
Communication security:
- Avoid sharing sensitive information in text messages
- Use voice calls for confidential discussions
- Verify recipient before sending sensitive information
- Report suspicious activity to administrators
- Keep Quo apps updated to the latest versions
- Use device lock screens and authentication
- Log out of shared or public devices
- Report lost or stolen devices immediately
Incident response
Security monitoring
Continuous protection:
- 24/7 security monitoring and threat detection
- Automated incident response procedures
- Regular penetration testing and vulnerability assessments
- Proactive security updates and patches
Incident reporting
If you suspect a security issue:
- Contact support immediately through secure channels
- Document the incident with relevant details
- Avoid sharing details publicly until resolved
- Follow guidance from the Quo security team
For security-related questions or concerns, contact our Support Team.
Privacy and transparency
Privacy policy
Comprehensive privacy protection:
- Clear data collection and usage policies
- Transparent data sharing practices
- User control over personal information
- Regular policy updates to reflect best practices
- Minimal data collection: Only collect necessary information
- Purpose limitation: Use data only for stated purposes
- Data minimization: Retain data only as long as needed
- User control: Provide access and deletion options
Transparency reports
Regular reporting:
- Annual security assessments and improvements
- Compliance audit results and certifications
- Privacy policy updates and changes
- Security incident summaries (when appropriate)