Overview

OpenPhone maintains enterprise-grade security practices to protect your communications and data. Our comprehensive security framework includes infrastructure protection, data encryption, compliance certifications, and ongoing security improvements.

Infrastructure security

Cloud platform

Amazon Web Services (AWS):
  • Enterprise-grade cloud infrastructure
  • Multiple availability zones for redundancy
  • Industry-leading physical security
  • Continuous monitoring and threat detection
Cloudflare protection:
  • DDoS protection and web application firewall
  • Global content delivery network
  • SSL/TLS encryption for all connections
  • Real-time threat intelligence

Monitoring and availability

Service monitoring:
  • 24/7 system monitoring
  • Automated alerting for issues
  • Public status page: status.openphone.co
  • Proactive incident response
View real-time service status and historical uptime data on our status page.

Data protection

Backup and recovery

Backup strategy:
  • Daily backups of all databases
  • Hourly backups for high-priority systems
  • Multi-location storage across geographically distributed data centers
  • Automated recovery testing to ensure backup integrity
Data retention:
  • Data retained as long as you maintain your account
  • 30-day retention period after account cancellation
  • Permanent deletion available upon request

Privacy compliance

Supported regulations:
  • GDPR (General Data Protection Regulation): European Union data protection
  • CCPA (California Consumer Privacy Act): California privacy rights
  • PIPEDA: Canadian personal information protection
Data rights management:
  • Self-service data export through workspace settings
  • Account deletion through subscription cancellation
  • Complete data removal available through support request
  • Transparent data handling practices
Contact our Support Team for complete data removal from all systems.

Application security

Communication encryption

Text messaging:
  • End-to-end encryption in transit
  • Secure transmission to carrier networks
  • Message content protected during delivery
  • Encrypted storage of message history
Voice calling:
  • WebRTC technology for secure real-time communication
  • TLS encryption for call signaling and setup
  • Encrypted media streams during active calls
  • Complete privacy and data integrity

Data encryption

Encryption standards:
  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for communications
  • Key management through AWS encryption services
Protected data includes:
  • Contact information and conversation history
  • Call recordings and voicemail files
  • User account data and preferences
  • Billing and payment information

Compliance certifications

SOC 2 Type II

Compliance overview:
  • SOC 2 Type II certified for security, availability, and confidentiality
  • Annual audits by independent third-party assessors
  • Continuous monitoring of security controls
  • Comprehensive documentation of security procedures
Trust principles covered:
  • Security: Protection against unauthorized access
  • Availability: System operational availability as committed
  • Confidentiality: Information designated as confidential is protected
Learn more about our SOC 2 certification and security practices on our blog.

Payment security

PCI compliance

Stripe payment processing:
  • PCI Service Provider Level 1 certified
  • Highest level of payment industry certification
  • Secure tokenization of payment information
  • Fraud detection and prevention systems
Payment protection:
  • Credit card information never stored on OpenPhone servers
  • Encrypted transmission of all payment data
  • Regular security audits and compliance reviews
  • Multi-factor authentication for billing changes
Learn more about Stripe’s security practices in their security documentation.

Industry-specific compliance

Healthcare (HIPAA/PHIPA)

Current status: OpenPhone is not currently certified for:
  • HIPAA (Health Insurance Portability and Accountability Act)
  • PHIPA (Personal Health Information Protection Act)
Recommended usage:
  • Appointment scheduling and general business communication
  • General practice management and patient outreach
Not recommended:
  • Sharing protected health information (PHI)
  • Detailed medical discussions via text or voicemail
Do not share protected health information through OpenPhone until HIPAA compliance is achieved.

Financial services

Current capabilities:
  • SOC 2 compliance supports financial industry security requirements
  • Encryption standards meet banking industry expectations
  • Data retention policies align with financial regulations
  • Contact support for specific compliance requirements

Security best practices

For administrators

Account security:
  • Use strong, unique passwords for admin accounts
  • Enable two-factor authentication where available
  • Regularly review team member access and permissions
  • Monitor workspace activity for unusual behavior
Data management:
  • Export data regularly for backup purposes
  • Document access controls and permission changes
  • Train team members on security best practices
  • Establish clear data handling policies

For all users

Communication security:
  • Avoid sharing sensitive information in text messages
  • Use voice calls for confidential discussions
  • Verify recipient before sending sensitive information
  • Report suspicious activity to administrators
Device security:
  • Keep OpenPhone apps updated to the latest versions
  • Use device lock screens and authentication
  • Log out of shared or public devices
  • Report lost or stolen devices immediately

Incident response

Security monitoring

Continuous protection:
  • 24/7 security monitoring and threat detection
  • Automated incident response procedures
  • Regular penetration testing and vulnerability assessments
  • Proactive security updates and patches

Incident reporting

If you suspect a security issue:
  1. Contact support immediately through secure channels
  2. Document the incident with relevant details
  3. Avoid sharing details publicly until resolved
  4. Follow guidance from the OpenPhone security team
For security-related questions or concerns, contact our Support Team.

Privacy and transparency

Privacy policy

Comprehensive privacy protection:
  • Clear data collection and usage policies
  • Transparent data sharing practices
  • User control over personal information
  • Regular policy updates to reflect best practices
Key privacy principles:
  • Minimal data collection: Only collect necessary information
  • Purpose limitation: Use data only for stated purposes
  • Data minimization: Retain data only as long as needed
  • User control: Provide access and deletion options

Transparency reports

Regular reporting:
  • Annual security assessments and improvements
  • Compliance audit results and certifications
  • Privacy policy updates and changes
  • Security incident summaries (when appropriate)
View our complete Privacy Policy for detailed information about data handling practices.