Security

How we keep your phone (and your callers) safe.

We're an early-stage company; we don't have a SOC 2 report yet. Below is a plain accounting of what we do today. We update this page as we grow.

Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest via our Postgres and object-storage providers. No plaintext customer data on disk, ever.
Secrets in a vault
Every API key, JWT secret, and connection string lives in Bitwarden Secrets Manager — never in source control, never in environment files we email around.
Two-factor for the team
Production access is gated by 2FA-protected SSO. Admin actions are logged and reviewed weekly.
Tenant isolation
Every query is scoped by tenant_id at the application layer. Database role separation prevents one customer's data from being read while serving another.
Subprocessors disclosed
Full list (Vapi, Twilio, Stripe, Neon, Resend, Cal.com, Netlify, etc.) lives in our Privacy Policy with the role each plays.
Coordinated disclosure
Found a vulnerability? Email security@howdyly.com. We respond within one business day and won't pursue good-faith researchers who follow standard disclosure practice.

Questions or compliance review? Email security@howdyly.com.