Trust

Security

Your recordings are confidential client conversations. Here's how they're protected — plainly, without the marketing gloss.

Last updated: 4 July 2026

Encryption everywhere

All traffic to and from CallTrace — the dashboard, the tracking snippet, webhooks, media — travels over TLS. Recordings, transcripts and call metadata are stored encrypted at rest with our infrastructure providers (Twilio for audio, Upstash for data, Vercel for hosting).

Access control

Every account is organisation-scoped: your users can only ever see your firm’s calls, enforced server-side on every request. Passwords are stored using the scrypt key-derivation function, sessions are cryptographically signed, and recording links shared into your CRM are signed and unguessable rather than public URLs.

Payments

Card details are collected and stored by Stripe, a PCI-DSS Level 1 provider. Card numbers never pass through or rest on CallTrace systems.

Webhooks and integrations

Inbound telephony webhooks are verified against Twilio’s request signatures. Outbound webhooks to your CRM are signed with a shared secret so your systems can verify they genuinely came from us.

Reporting a vulnerability

If you believe you have found a security issue, email hello@calltrace.co.uk with the subject “Security”. We read those first, we will acknowledge quickly, and we will not take legal action against good-faith research. Please do not access other customers’ data while demonstrating an issue.