Security at CallPayMin
Your security is our top priority. Learn about our enterprise-grade security practices and infrastructure.
Last updated: January 27, 2026
Our Security Commitment
At CallPayMin, we implement industry-leading security practices to protect your data, communications, and payments. Our infrastructure is designed with security at every layer, from encryption to access controls to continuous monitoring.
🔒Infrastructure Security
Cloud Infrastructure
- Hosted on enterprise-grade cloud infrastructure (Google Cloud Platform, Firebase)
- Data centers in secure facilities covered by the cloud provider's SOC 2 Type II audits
- Automatic failover and redundancy across multiple availability zones
- 99.9% uptime SLA with continuous monitoring
Network Security
- DDoS protection and rate limiting on all API endpoints
- Web Application Firewall (WAF) to protect against common attacks
- Regular security audits and penetration testing
- Intrusion detection and prevention systems
🔐Data Encryption
Encryption at Rest
- All data encrypted using AES-256 encryption
- Database encryption with automatic key rotation
- Encrypted backups stored in geographically distributed locations
- Secure key management using Google Cloud KMS
Encryption in Transit
- TLS 1.3 for all API communications
- Video and audio call media encrypted between the call peers with WebRTC DTLS-SRTP (mandatory in WebRTC; the ephemeral DTLS handshake negotiates per-call SRTP keys, so intermediaries that merely relay packets cannot read the media)
- Perfect forward secrecy for all encrypted connections
- HTTPS-only with HSTS enabled
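The claims above (TLS 1.3, HTTPS-only, HSTS) are the kind a customer or auditor can verify from the outside. The following is an added example, not CallPayMin code: it parses a Strict-Transport-Security header as browsers do (RFC 6797), flags the weak configurations that silently defeat HSTS (missing or short max-age, no includeSubDomains), and compares the negotiated TLS version with the TLS 1.3 claim. The evaluation logic runs offline against constructed sample headers; the optional live probe is only for a host you are authorised to test.

```python
"""Offline check of transport-security claims: TLS 1.3 and a sound HSTS policy.

Added example, not the vendor's code. Sample headers below are constructed.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the browser preload list accepts


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: Optional[str]) -> HstsResult:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Directives are ';'-separated, names are case-insensitive, and the max-age
    value may be quoted. Anything unparseable is reported, never guessed.
    """
    if value is None:
        return HstsResult(present=False, problems=["no Strict-Transport-Security header"])
    result = HstsResult(present=True)
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", raw):
                result.max_age = int(raw)
            else:
                result.problems.append(f"unparseable max-age: {raw!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.problems.append("max-age missing (browsers ignore the header)")
    elif result.max_age == 0:
        result.problems.append("max-age=0 clears the HSTS policy")
    elif result.max_age < ONE_YEAR:
        result.problems.append(f"max-age {result.max_age} is below one year")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing: subdomains stay downgradable")
    return result


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def check_transport(tls_version: str, headers: Dict[str, str]) -> List[str]:
    """Compare an observed TLS version and response headers with the page's claims."""
    problems = []
    if tls_version != "TLSv1.3":
        problems.append(f"negotiated {tls_version}, not TLS 1.3")
    problems.extend(parse_hsts(header(headers, "Strict-Transport-Security")).problems)
    return problems


def probe(host: str, timeout: float = 5.0) -> Tuple[str, Dict[str, str]]:
    """Live probe: one TLS handshake plus a HEAD request; returns (tls_version, headers).

    Not called at import time. Run it only against a host you are authorised to test.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
            version = tls.version()
    lines = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return version, {k.strip(): v.strip() for k, v in pairs}


# Constructed sample responses (not captured from any real host).
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    print(check_transport("TLSv1.3", GOOD_HEADERS))  # []
    print(check_transport("TLSv1.2", WEAK_HEADERS))
```

A header that is present but carries a short max-age or lacks includeSubDomains is the common way "HSTS enabled" turns out to be cosmetic: the policy expires before the next visit, or an unprotected subdomain remains available for cookie injection and downgrade. The check reports those cases rather than treating any header as a pass.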
🛡️Application Security
- Authentication: Multi-factor authentication (MFA) support and secure session management
- Authorization: Role-based access control (RBAC) with principle of least privilege
- API Security: API keys carry granular scopes and can be rotated automatically
- Input Validation: Comprehensive server-side input validation and sanitization to prevent injection attacks
- Secure Development: Security code reviews, static analysis, and dependency scanning
- Zero Trust Architecture: All requests authenticated and authorized, no implicit trust
💳Payment Security
- PCI DSS Compliance: All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider
- No Card Storage: We never store credit card information on our servers
- Tokenization: Card data is tokenized by Stripe; our servers handle only Stripe tokens, never raw card numbers
- 3D Secure: Support for 3D Secure authentication for card payments
- Fraud Detection: Machine learning-based fraud detection through Stripe Radar
✅Compliance & Certifications
- GDPR: Full compliance with EU General Data Protection Regulation
- CCPA: California Consumer Privacy Act compliance
- SOC 2 Type II: In progress (expected completion Q2 2026)
- HIPAA: HIPAA-compliant infrastructure available for healthcare customers
- ISO 27001: Aligned with ISO 27001 information security standards
👥Access Controls
- Principle of Least Privilege: Employees have access only to data required for their role
- Background Checks: All employees undergo background checks before access
- Audit Logging: Comprehensive logging of all data access and system changes
- Access Reviews: Quarterly reviews of employee access permissions
- Secure Workstations: Encrypted laptops with full-disk encryption and MDM
🚨Incident Response
We maintain a comprehensive incident response plan:
- 24/7 security monitoring and alerting
- Dedicated incident response team
- Documented incident response procedures
- Customer notification within 72 hours of a confirmed breach
- Post-incident reviews and remediation
Responsible Disclosure
We appreciate the security research community's efforts in keeping CallPayMin secure. If you discover a security vulnerability, please report it responsibly:
- Email: security@callpaymin.com
- Include detailed steps to reproduce the vulnerability
- Allow us reasonable time to address the issue before public disclosure
- We'll acknowledge your report within 48 hours
We do not currently offer a bug bounty program but may provide recognition for responsible disclosures.
Questions About Security?
If you have questions about our security practices or need to discuss enterprise security requirements: