
Security at RingBack

Last updated: 26 May 2026

RingBack handles real customer phone calls, calendars and contact details. We treat that data with the same care we'd want for our own. This page summarises the controls we have in place. For the full picture, including our SOC 2 progress and DPA, email security@ringbackai.co.uk.

1. Encryption

  • All traffic to and from RingBack is encrypted with TLS 1.2 or higher; modern ciphersuites only.
  • All persisted data — call recordings, transcripts, OAuth tokens, configuration — is encrypted at rest with AES-256.
  • OAuth refresh tokens are stored in a dedicated key-vault with envelope encryption; application code never sees the master key.

2. Access control

  • Production access requires hardware security keys (FIDO2) and is limited to a named subset of engineers.
  • All access is logged and reviewed monthly. Just-in-time, time-bounded credentials only — no long-lived shared secrets.
  • Customer data is logically isolated per tenant; cross-tenant access is impossible without a deliberate, audited admin override.

3. Infrastructure

  • Hosted on Google Cloud and Firebase Hosting, primarily in EU regions where configured.
  • Production secrets are held in managed secret storage; only the public web edge and approved API endpoints are internet-reachable.
  • Static frontend served from Firebase Hosting with strict security headers (HSTS, X-Frame-Options DENY, Referrer-Policy strict-origin, Permissions-Policy disabling camera/microphone/geolocation, Content-Security-Policy).
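
A reader doing vendor due diligence can check a response against the header policy listed above. The sketch below is an added example, not RingBack's code: the sample headers are constructed, and the function names and the HSTS max-age floor are assumptions, since the page states no value.

```python
import re

# Constructed sample response headers (not captured from RingBack).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
MIN_HSTS_AGE = 15552000  # assumed floor (180 days); the page states no value


def parse_permissions_policy(value):
    """Map each feature to its allowlist string, e.g. {'camera': '()'}."""
    policy = {}
    for directive in value.split(","):
        name, sep, allowlist = directive.strip().partition("=")
        if sep:
            policy[name.strip().lower()] = allowlist.strip()
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age below floor")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    # A comma-separated Referrer-Policy is a fallback list; the last entry wins.
    if h.get("referrer-policy", "").lower().split(",")[-1].strip() != "strict-origin":
        findings.append("Referrer-Policy is not strict-origin")
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in ("camera", "microphone", "geolocation"):
        if pp.get(feature) != "()":  # "()" is the empty allowlist: feature disabled
            findings.append(f"Permissions-Policy does not disable {feature}")
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS) or "all header checks passed")
```

The check only confirms that a Content-Security-Policy is present; judging the quality of its directives is a separate review.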

4. Monitoring & incident response

  • 24/7 alerting on application and infrastructure anomalies.
  • Audit logs retained for a minimum of 12 months.
  • Documented incident-response runbook with named on-call rota; we commit to notifying affected customers and the ICO of qualifying personal-data breaches without undue delay (within 72 hours).

5. Sub-processors

We use vetted sub-processors with signed Data Processing Agreements. The current list and processor terms are set out in our Data Processing Addendum. Headline sub-processors:

  • Google Cloud and Firebase Hosting — application hosting, database, object storage, secret management and frontend hosting, primarily in europe-west1 where configured.
  • Vapi and Twilio — voice AI orchestration, telephony, phone numbers and SMS.
  • OpenAI, Deepgram, Anthropic and ElevenLabs — speech, transcription, language-model and optional voice-generation services under contractual data-protection terms.
  • Stripe, SendGrid and PostHog EU — billing, transactional email and product analytics.

6. Responsible disclosure

If you believe you've found a security issue in RingBack, please email security@ringbackai.co.uk with reproduction steps. We respond within 2 business days and credit reporters in our hall of fame on request. Please do not publicly disclose until we've had a reasonable opportunity to investigate and fix.

You can find our security contact information in our security.txt.

7. Account deletion

Account owners can request closure and deletion at any time from Settings → Account → Delete account, or by emailing privacy@ringbackai.co.uk. The portal workflow cancels active Stripe subscription billing, removes portal access, wipes calendar tokens and starts deletion or anonymisation of account data. We complete verified deletion requests within 30 days, except for billing, contract, security and legal records we must retain under applicable law.


RINGBACKAI LTD
London, United Kingdom · Company no. 17195962 · ICO ref. ZC140951
© RINGBACKAI LTD. All rights reserved.
Contact: +44 117 463 8024