Security and Trust
AlwaysRespond handles call recordings, customer contact data, and payment information. Here is how we keep it safe.
What we do not currently claim
AlwaysRespond is not currently SOC 2 certified as an organization, nor are we HIPAA certified. Our infrastructure providers (Vercel, Neon, Telnyx) hold their own SOC 2 Type II certifications. If you need a signed Business Associate Agreement (BAA) for healthcare use, or a SOC 2 report for enterprise procurement, email security@alwaysrespond.com and we will work with you.
All traffic between your browser (or our mobile app) and AlwaysRespond servers travels over TLS 1.3. Older protocol versions are rejected at the edge.
Sensitive fields stored in our database, including OAuth refresh tokens, API keys, and integration credentials, are encrypted at rest using AES-256 with keys managed through our cloud provider's managed key service. Keys are rotated on a 90-day schedule.
Call recordings, voicemail audio, and SMS message bodies are stored on encrypted volumes. Access to raw recording files is scoped to the owning tenant and to authorized AlwaysRespond engineers on a break-glass basis.
AlwaysRespond runs on Vercel (SOC 2 Type II) for compute and Neon Postgres (SOC 2 Type II) for primary storage. Both providers maintain independent security programs with annual third-party audits.
Voice and SMS pipelines route through Telnyx (HIPAA-ready infrastructure, SOC 2 Type II) for call handling and Twilio as a secondary provider for SMS delivery. All providers process data under signed Data Processing Agreements.
Infrastructure logs and application metrics are retained for 90 days. Access is restricted to on-call engineers and requires an authenticated session with MFA.
We do not sell, rent, or share tenant data with third parties for advertising or analytics purposes.
Every API request is tenant-scoped at the database layer. A query from Tenant A can never return records belonging to Tenant B, regardless of the request path or parameters.
Within each account, role-based access control (RBAC) limits what each user can do:
Two-factor authentication (2FA) is available to all users via TOTP authenticator apps. Owners can enforce 2FA for every team member from the Security settings page.
AlwaysRespond employees never access tenant data unless explicitly invited as a team member or in response to a support ticket you opened. Internal access is logged and audited quarterly.
AlwaysRespond never stores credit card numbers, CVVs, or full payment account details on our servers. All payment data flows directly through Stripe, which holds PCI DSS Level 1 certification, the highest level available.
Card details are tokenized inside Stripe's environment before reaching our application. We store only the Stripe Customer ID and payment method fingerprint for display purposes.
Invoices generated through the AlwaysRespond platform and collected via our payment links are also processed through Stripe Connect. Your customers' card data never touches AlwaysRespond servers.
Call recordings are stored encrypted at rest in region-specific object storage. Transcripts are generated in-platform and stored alongside the recording. Both are accessible only to authenticated members of the owning account.
You can delete individual call recordings and their transcripts at any time from the Calls page. Deletion is permanent. If you close your AlwaysRespond account, all recordings are purged within 30 days.
Some jurisdictions require two-party consent before recording a call. AlwaysRespond plays a disclosure at the start of calls handled by your AI receptionist. You are responsible for ensuring your disclosure language meets the requirements in your jurisdiction.
AlwaysRespond operates as a registered 10DLC message originator in the United States. Our brand and campaigns are registered with The Campaign Registry (TCR), a requirement for commercial messaging through all U.S. carriers.
STOP and HELP keywords are handled automatically at the messaging layer. Opt-outs are honored immediately and propagated across all outbound SMS flows within your account.
AlwaysRespond maintains a consent ledger for every contact: when consent was captured, through which channel, and what message category was agreed to. Messages are never sent to contacts who have opted out or who have not provided consent for the relevant message type.
You are responsible for collecting and recording valid TCPA consent from contacts before using AlwaysRespond to message them. Our SMS compliance settings page includes opt-in language templates that meet common legal standards.
AlwaysRespond acts as a data processor for the personal data of your customers. You remain the data controller. Our Privacy Policy and Data Processing Agreement (DPA) describe how we handle personal data on your behalf.
For GDPR-regulated accounts: you can request a full export of all personal data we hold for your account and your contacts at any time by emailing privacy@alwaysrespond.com. Deletion requests are completed within 30 days.
For CCPA-regulated accounts: California residents can request to know, delete, or opt out of the sale of their personal information. AlwaysRespond does not sell personal data. Requests can be submitted to the same address above.
AlwaysRespond maintains a written incident response plan reviewed and updated annually. If a security incident results in unauthorized access to personal data, affected customers will be notified within 72 hours of our confirmation, consistent with GDPR Article 33 timelines.
Notification will include: what data was affected, how the breach occurred (once determined), what we have done to contain it, and steps you should take to protect your account.
Service status and ongoing incident updates are posted at status.alwaysrespond.com.
The following third-party providers process data on behalf of AlwaysRespond:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting and edge compute | US / global |
| Neon | Database (Postgres) | US |
| Telnyx | Voice calls and SMS | US |
| Twilio | SMS delivery | US |
| Stripe | Payment processing | US |
| Anthropic | AI call handling (Claude) | US |
| Cartesia | Voice synthesis | US |
| Deepgram | Speech transcription | US |
| Resend | Transactional email | US |
| Sentry | Error monitoring | US |
This list is updated as subprocessors are added or removed. Last updated April 2026.
If you believe you have found a security vulnerability in AlwaysRespond, please report it to security@alwaysrespond.com. Include a description of the issue, reproduction steps, and any relevant screenshots or logs.
We commit to:
Please do not publicly disclose the issue until we have confirmed a fix is in place.