Autocloz
Security

How Autocloz protects your data.

Tenant isolation enforced at the SQL layer, encryption everywhere, role-based access for every operator action, and an audit log you can drill into. The defaults are paranoid; you can keep them that way.

Last updated:

Security principles

Three rules govern how the platform handles customer data:

  • Defense in depth — every sensitive action passes through at least two independent gates (authn + RBAC + cross-tenant filter at SQL layer).
  • No silent fallbacks — when a carrier or integration credential is missing, the system fails loudly with an explicit error code rather than fabricating a fake successful outcome.
  • Auditable by default — every operator action lands in the audit log with actor, target, IP, and event type. Compliance officers can query it.

Tenant isolation

Every query into Autocloz includes the caller's org_id as a hard filter. There is no global read path — even a misconfigured RBAC role cannot leak rows from another workspace because the SQL layer rejects the query.

  • Postgres row-level scoping with org_id as a required predicate
  • JWT carries the org_id; revalidated on every request via membership lookup
  • Cross-tenant tests gate every release — 50+ test_*_cross_tenant_isolation cases run on every commit
  • Bulk endpoints scope the input list to the caller's org before the action; out-of-org IDs are silently dropped

Encryption at rest + in transit

Every connection to Autocloz uses TLS 1.2+. Postgres at rest is encrypted via the cloud provider's standard volume encryption (AES-256). Backups are encrypted with a separate key and stored in a different region.

  • HTTPS-only; HSTS preload header set with max-age=63072000; includeSubDomains; preload
  • TLS termination at the edge with modern cipher suites only (ECDHE + AES-GCM / ChaCha20)
  • Database disks AES-256 encrypted; daily snapshots retained for 30 days
  • Backups encrypted with a customer-managed key for Enterprise plans on request

Mailbox + carrier credentials

Mailbox passwords, OAuth refresh tokens, carrier API keys, and SIP passwords are sensitive. They are never logged, never returned by any API endpoint after the initial save, and stored encrypted at the application layer above the database encryption.

  • SMTP / IMAP passwords — encrypted with a per-org key derived via HKDF from the platform secret
  • OAuth tokens — refresh tokens encrypted; access tokens never persisted (re-derived from refresh on demand)
  • Carrier API keys — Telnyx / DIDLogic / FreJun keys live in env at the platform level (one shared key per provider), never per-customer; per-agent FreJun OAuth tokens encrypted with the same scheme as mailbox passwords
  • SIP passwords — write-only; the API surfaces only sip_password_set: bool after the initial save

Role-based access control

Every operator surface in Autocloz is gated by an explicit permission check. The four built-in roles (Owner, Admin, Member, Viewer) cover most workspaces; Enterprise plans get the custom-role editor that grants per-module action permissions.

  • Module × action grid — 30+ modules × view/create/edit/delete
  • require_perm(module, action, strict=True) on every admin endpoint — strict mode rejects unknown roles instead of falling through
  • API keys carry a scoped permission grid that narrows beyond the role — a key with only leads:view cannot delete leads even if minted by an admin
  • Voice surfaces have additional role-scoping — members and viewers see only their own calls in the CDR + recordings views

Audit log

Every operator-initiated action — and every administrative system event — writes to a tamper-evident audit log. Compliance officers can drill in by org, actor, event type, or time range.

  • Captured fields: org_id, actor_user_id, actor_email, event, entity_type, entity_id, IP, user-agent, free-form metadata, timestamp (UTC)
  • Append-only — no API path lets anyone delete rows; even Owners can only export
  • Retained for 12 months on Pro, 24 months on Business, 7 years on Enterprise
  • Export to CSV from Settings → Audit log

Voice + webhook signature verification

Voice provider webhooks are not JWT-authenticated — the carrier doesn't have an Autocloz token. Instead, every webhook is verified using the provider's signature scheme, mandatory in production:

  • Telnyx — Ed25519 signature over timestamp|body; rejects requests with stale or missing timestamps (>300s drift)
  • FreJun — HMAC-SHA256 over the raw body with the per-org webhook secret
  • DIDLogic — HMAC-SHA256 with constant-time comparison
  • Idempotency — every webhook event_id is recorded in voice_webhook_event_dedup; replays are silently rejected

Verification can be opt-in in dev for ease of local testing; AUTOCLOZ_ENV=production makes it mandatory.

AI data handling

Autocloz uses third-party LLMs (OpenAI, Anthropic, Groq, ElevenLabs, Deepgram) for AI replies, summaries, voice synthesis, and transcription. We do not use customer data to train models — neither ours nor the providers'.

  • Bring your own key — paste your OpenAI / Anthropic / Groq key per workspace; we never proxy via a shared key
  • Zero retention enabled on every API call where the provider supports it (OpenAI data_retention=none, Anthropic enterprise zero-retention)
  • No content sent to providers is stored on Autocloz beyond the retention window of the source artefact (e.g., a generated reply is stored only as long as the message it answers)
  • Voice transcripts stored next to the recording URL; retention follows the recording-retention policy in workspace ops settings

Infrastructure

  • Hosted on AWS (Mumbai, ap-south-1 by default) with multi-AZ Postgres + Redis
  • EU data residency available on request (eu-west-1) for European customers
  • VPC-isolated database; no public access — only the API workers can reach it
  • Quarterly third-party penetration tests; current report available under NDA
  • Daily encrypted backups with point-in-time recovery (RPO 5 min, RTO 1 hour)

Incident response

On a confirmed security incident affecting customer data, we notify affected workspaces within 24 hours via email to the workspace Owner + a status-page incident. Detail and remediation follow within 72 hours.

  • On-call engineering rotation 24/7 with a 15-minute response SLA
  • Customer notification via email + the workspace's notifications panel + status page
  • Postmortem published publicly within 7 business days for any customer-data-affecting incident

Compliance posture

  • SOC 2 Type II — audit underway; Type I report available now under NDA
  • GDPR — DPA available; EU data residency on request; subject access requests handled within 30 days
  • India DPDP Act 2023 — full compliance (data fiduciary registered; consent capture for marketing emails)
  • CCPA / CPRA — California residents can request data deletion via privacy@autocloz.com
  • TCPA + India DLT — outbound calling enforces DNC + quiet hours + DLT registration before every dial

Reporting a security issue

We run a coordinated-disclosure program. Please report security issues to security@autocloz.com with steps to reproduce. We acknowledge within 24 hours and aim to resolve high-severity issues within 14 days.

We don't currently run a bug-bounty program but we do credit researchers in our security hall-of-fame on request, and we cover reasonable expenses (e.g., a paid plan for verification testing).