Security

Security & HIPAA

Effective 2026-04-29. Questions: [email protected].

A working description of how we protect customer data, the scope of our HIPAA-aligned operating mode, how to request a BAA, and how to report a security issue.

01 Overview

Ring The Pro processes inbound and outbound calls on behalf of businesses, including in regulated verticals like dental, medical, and legal. This document describes the technical and operational controls we apply to keep customer data safe and explains our HIPAA-readiness scope, the BAA process, and how to report security issues.

This is a working description of our current posture, not a marketing claim. Items that are formally certified are noted as such. Items that are operating but not yet certified are noted as such.

02 Encryption

In transit
TLS 1.2+ on every public endpoint with HSTS enforced. Modern cipher suites only; older protocols and weak ciphers are disabled at the edge.
At rest
AES-256 encryption for the application database, object storage, and backups. Encryption keys are managed by our hosting provider with rotation on a documented schedule.
Telephony media
Call audio is encrypted in transit between Twilio and Ring The Pro and between Ring The Pro and our model providers. Recordings are encrypted at rest.

03 Access control

Authentication
Email-and-password with mandatory two-factor authentication (TOTP) for production access. Customer accounts support Google OAuth and TOTP.
Authorization
Role-based access control. Production access is restricted to the minimum number of engineers required to operate the service.
Audit logging
Authenticated dashboard actions, billing events, and production-system access are logged with actor, timestamp, and source IP for review.
Secrets
API keys, OAuth tokens, and other secrets are stored encrypted at rest and never written to logs.

04 Infrastructure

Ring The Pro runs on hardened Linux containers behind Cloudflare. Cloudflare provides DDoS protection, TLS termination, and a Web Application Firewall. Application containers are stateless; persistent data lives in managed databases and object storage with daily backups and point-in-time recovery.

Production data is hosted in U.S.-based data centers. Subprocessors and their roles are listed in the Privacy Notice.

05 Secure development

Code review
Every change to production code passes peer review before merge.
Automated testing
Unit, integration, and end-to-end tests run on every change. Static analysis flags common security issues at PR time.
Dependency management
Automated dependency-vulnerability scanning. Critical advisories are patched within 7 days; high within 30.
Production change control
Production deploys are gated behind CI, peer review, and reversible rollouts. Database migrations are reviewed for backwards compatibility.

06 HIPAA-readiness scope

Ring The Pro offers a HIPAA-aligned operating mode on the Business plan. In this mode the system is configured to support a Business Associate relationship: encryption at rest and in transit, audit logging of access to PHI, restricted access to production systems, BAAs with subprocessors that touch PHI, and a defined incident-response process.

On the Starter and Pro plans we do not accept PHI. Calls and content on those plans should not include patient-identifying clinical detail. If your practice will route calls that contain PHI, request a BAA and use the Business plan.

07 How to request a BAA

Email [email protected] with your business name, the practice or covered entity name, and the plan you intend to use. We respond within two business days with our standard BAA. PHI should not be forwarded to the Service before the BAA is fully executed and your account has been confirmed as operating on a BAA-eligible plan.

08 Subprocessors

A current list of subprocessors and their roles is maintained in our Privacy Notice. Material changes to the subprocessor list are announced in advance with an opportunity to object before the change takes effect for HIPAA-eligible accounts.

09 Data retention and deletion

Call audio and transcripts are retained for 90 days by default and then automatically purged. Customers can configure earlier deletion or request a longer retention window. When an account is closed we delete or de-identify customer call content within 60 days, except where retention is required by law.

10 Incident response

We maintain a written incident-response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, we will notify affected customers without undue delay and in accordance with applicable law and contract. For HIPAA-eligible accounts we follow the breach notification timelines required by 45 CFR 164.404 et seq.

11 Business continuity

Daily encrypted backups are retained for 30 days with point-in-time recovery available for the most recent 7 days. Recovery procedures are exercised periodically. Application code and infrastructure-as-code are version-controlled and reproducible.

12 Compliance posture

HIPAA
HIPAA-aligned operating mode available on the Business plan with BAA. Not a covered entity; we operate as a Business Associate when retained as such.
SOC 2
A SOC 2 Type II observation period is planned. Status: in preparation; we do not represent SOC 2 certification today.
TCPA / TRACED Act
The Service is configured to support customer compliance with the TCPA and the TRACED Act. The customer is the calling party and is responsible for consent and disclosure.
PCI DSS
We do not store full payment-card numbers. Stripe processes cards under PCI DSS Level 1. Ring The Pro's scope is limited to SAQ-A.

13 Vulnerability disclosure

We welcome reports from security researchers. Email [email protected] with technical detail sufficient to reproduce the issue. Please give us a reasonable window to investigate and remediate before public disclosure. We do not currently run a paid bounty but will publicly credit researchers when requested.

14 Contact

Security and HIPAA questions: [email protected]. Privacy rights and data-subject requests: [email protected]. General questions: [email protected].

This document was last updated on 2026-04-29. We will post a new effective date and a summary of material changes when this document is revised. For the latest version, see https://ringthepro.com/security.