Security

Security First, Always

Enterprise voice carries sensitive data. MobDial is built from the ground up with security as a non-negotiable requirement, not an afterthought.

Certifications

Independently verified

SOC 2 Type II

Independently audited controls for security, availability, processing integrity, confidentiality, and privacy. Reports available upon request.

HIPAA

Business Associate Agreements available. PHI-adjacent data encrypted with AES-256 at rest. Access controls enforced via RBAC and audit logging.

PCI-DSS Level 1

No payment card data ever touches MobDial servers. Card entry is handled by Stripe tokenization, so MobDial never processes or stores a PAN. Call recordings auto-pause during DTMF input so that keyed-in card numbers are never captured in a recording.

GDPR

Data Processing Agreements with Standard Contractual Clauses. Right to erasure, data portability, and consent management built into the platform.

Infrastructure

Infrastructure security

Multiple layers of protection from the network edge to the database row.

TLS 1.3

All data in transit encrypted with TLS 1.3. Older protocols disabled at the edge.

AES-256 at Rest

All data encrypted at rest using AES-256-GCM. Database, file storage, and backups included.

SRTP

Voice media encrypted with Secure Real-Time Transport Protocol (SRTP). MobCryption adds an optional end-to-end encryption layer on top of it.

Isolated VPCs

Customer environments run in isolated virtual private clouds with strict network segmentation.

DDoS Protection

Cloudflare WAF and rate limiting at the edge. Automatic traffic scrubbing and geo-blocking available.

Application

Application security

  • Every release checked against the OWASP Top 10
  • Parameterized queries only (Drizzle ORM); user input is never concatenated into SQL
  • Zod schema validation at every API boundary
  • Rate limiting per user, organization, and IP via Redis sliding window
  • Web Application Firewall with custom rulesets
  • Content Security Policy headers on all responses

Data Protection

Your data, protected

Role-Based Access Control

Granular RBAC with 8 built-in roles and custom role support. Row-level security on every database table.

Audit Logging

Immutable, append-only audit log for every data access and modification. 7-year retention for compliance.

Encryption

AES-256-GCM encryption at rest, TLS 1.3 in transit, SRTP for media, and HKDF key derivation.

MobCryption E2EE

Optional end-to-end encryption using ECDH P-256 key exchange. Session keys are derived on the endpoints and never leave them, so MobDial holds no key material that could decrypt your calls.

Operations

Operational security

  • Background checks required for all employees with data access
  • Annual security awareness training for all team members
  • Documented incident response plan with 1-hour SLA for critical issues
  • Quarterly penetration testing by independent third-party firms
  • Vulnerability scanning on every deployment via CI/CD pipeline
  • Secret rotation every 90 days enforced by infrastructure automation

Responsible Disclosure

Found a vulnerability? We appreciate responsible disclosure and will work with you to address the issue promptly. Please report security concerns to:

security@mobdial.com

We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.

Need our SOC 2 report?

Request our latest SOC 2 Type II report, penetration test summary, or security questionnaire responses.