Security
How we protect your data
Local-first audio processing
Raw audio from your calls is processed entirely on your local machine. Audio data never leaves your device — only text transcripts are sent to our servers. This significantly reduces the attack surface and data exposure risk.
Encryption
In transit: All data is encrypted using TLS 1.3 during transmission.
At rest: Stored data is encrypted using AES-256.
Passwords: Securely hashed using bcrypt with appropriate cost factors.
Infrastructure
Callwell is hosted on Cloudflare, benefiting from:
- Global edge network with DDoS protection
- Web Application Firewall (WAF)
- Automatic SSL/TLS certificate management
- SOC 2 Type II certified infrastructure
Access controls
Authentication: Secure session management with HTTP-only cookies.
API keys: Stored as hashes, and you can revoke them at any time.
Team access: Role-based permissions for Team plans.
Data retention & deletion
You control your data retention period (30, 90, or 365 days). You can also:
- Delete individual calls from your history
- Delete all call data with one click
- Delete your entire account and all associated data
Third-party security
Stripe: PCI DSS Level 1 certified payment processing.
AI providers: Data processing agreements ensure your transcripts are not used for training.
Vulnerability reporting
Found a security issue? We appreciate responsible disclosure. Please email security@callwell.ai with details and we'll respond promptly.
Questions
Security questions? Contact us at security@callwell.ai