
Security at RingBack

Last updated: 28 April 2026

RingBack handles real customer phone calls, calendars and contact details. We treat that data with the same care we'd want for our own. This page summarises the controls we have in place. For the full picture, including our SOC 2 progress and DPA, email security@ringbackai.co.uk.

1. Encryption

  • All traffic to and from RingBack is encrypted with TLS 1.2 or higher; modern ciphersuites only.
  • All persisted data — call recordings, transcripts, OAuth tokens, configuration — is encrypted at rest with AES-256.
  • OAuth refresh tokens are stored in a dedicated key-vault with envelope encryption; application code never sees the master key.

2. Access control

  • Production access requires hardware security keys (FIDO2) and is limited to a named subset of engineers.
  • All access is logged and reviewed monthly. Just-in-time, time-bounded credentials only — no long-lived shared secrets.
  • Customer data is logically isolated per tenant; cross-tenant access is impossible without a deliberate, audited admin override.

3. Infrastructure

  • Hosted on Microsoft Azure and Google Cloud, in UK and EU regions only.
  • Network controlled by private VPC peering; only the public web edge is internet-reachable.
  • Static frontend served from Firebase Hosting with strict security headers (HSTS, X-Frame-Options DENY, Referrer-Policy strict-origin, Permissions-Policy disabling camera/microphone/geolocation, Content-Security-Policy).

4. Monitoring & incident response

  • 24/7 alerting on application and infrastructure anomalies.
  • Audit logs retained for a minimum of 12 months.
  • Documented incident-response runbook with named on-call rota; we commit to notifying affected customers and the ICO of qualifying personal-data breaches without undue delay (within 72 hours).

5. Sub-processors

We use vetted sub-processors with signed Data Processing Agreements. The current list is available on request from privacy@ringbackai.co.uk. Headline sub-processors:

  • Microsoft Azure (UK South, West Europe) — application hosting and storage.
  • Google Cloud (europe-west2) — frontend hosting and DNS.
  • Telephony provider — inbound call delivery.
  • Speech and language-model providers — under no-training contractual terms.

6. Responsible disclosure

If you believe you've found a security issue in RingBack, please email security@ringbackai.co.uk with reproduction steps. We respond within 2 business days and credit reporters in our hall of fame on request. Please do not publicly disclose until we've had a reasonable opportunity to investigate and fix.

You can find our security contact information in our security.txt.

7. Data deletion

You can delete your account and all associated data at any time from Settings → Account → Delete, or by emailing privacy@ringbackai.co.uk. We complete verified deletion requests within 30 days.


© RingBack AI Ltd. All rights reserved.