Security — PinnacleVoice Networks

1Certifications & Compliance Frameworks

PinnacleVoice is independently audited against the industry's most rigorous security standards to give you confidence that your data is handled with the highest level of care.

🛡️

SOC 2 Type II

Independently audited annually by a certified third-party CPA firm. Our SOC 2 Type II report covers the Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Available to enterprise clients under NDA.

🌐

GDPR Compliance

Full compliance with the EU General Data Protection Regulation. We serve as Data Processor for customer data and provide Data Processing Agreements (DPAs) to all customers upon request. Standard Contractual Clauses (SCCs) in place for international transfers.

🏛️

CCPA / CPRA

Compliant with the California Consumer Privacy Act and California Privacy Rights Act. We support data subject access requests, deletion requests, and opt-out processing in accordance with California law.

📞

TCPA & FCC Compliance

Platform built with TCPA compliance requirements from the ground up, including DNC scrubbing, consent management, calling hours enforcement, and STIR/SHAKEN caller authentication integration.

2Encryption & Data Protection

Data at Rest

All data stored in PinnacleVoice systems — including call recordings, contact records, CRM data, and AI-generated transcripts — is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies worldwide.

Database-level encryption for all stored data
Encryption keys managed via AWS Key Management Service (KMS) with automatic rotation
Separate encryption keys per customer for true data isolation
Encrypted backups stored in geographically separate locations

Data in Transit

All data transmitted between your browsers, agents' devices, and PinnacleVoice servers is encrypted using TLS 1.3, the latest version of the Transport Layer Security protocol.

TLS 1.3 for all HTTPS web traffic — A+ rating on Qualys SSL Labs
WebRTC encryption with DTLS for voice traffic
SIP over TLS (SIPS) for VoIP signaling
SRTP (Secure Real-Time Transport Protocol) for media streams
All API communications secured with TLS 1.3 minimum

End-to-end call encryption: Voice calls made through PinnacleVoice are encrypted from your agent's device to our infrastructure using DTLS and SRTP. Call recordings stored at rest are encrypted with AES-256.

3Infrastructure Security

PinnacleVoice is built on Amazon Web Services (AWS) — the world's leading cloud infrastructure provider trusted by the US government, financial institutions, and healthcare organizations globally.

Data Centers

Primary infrastructure in AWS US-East and US-West regions with automatic failover
AWS data centers are SOC 2 Type II and ISO 27001 certified
Physical security includes multi-layered perimeter protection, biometric access controls, and 24/7 on-site security personnel
No unauthorized physical access to servers is possible

High Availability & Redundancy

Multi-availability-zone deployment ensures no single point of failure
Automated failover: if one zone goes down, traffic shifts to another within seconds
99.9% uptime SLA backed by contractual guarantee
Daily encrypted backups with 30-day retention
Recovery Time Objective (RTO): < 4 hours | Recovery Point Objective (RPO): < 1 hour

Network Security

Web Application Firewall (WAF) protecting all public-facing endpoints
DDoS protection via AWS Shield Standard on all services
Network segmentation with private VPCs isolating critical systems
Automated intrusion detection and prevention systems (IDS/IPS)
All internal traffic inspected and logged

4Access Control

Customer Account Security

Role-Based Access Control (RBAC) — Define granular permissions for administrators, supervisors, and agents
Multi-Factor Authentication (MFA) — Available and strongly recommended for all accounts; required for administrator roles
Single Sign-On (SSO) — SAML 2.0 and OAuth 2.0 SSO integration available on Professional and Enterprise plans
Session management — Automatic timeout after inactivity; forced re-authentication for sensitive actions
IP allowlisting — Restrict account access to specific IP ranges (Enterprise feature)

PinnacleVoice Internal Access

All PinnacleVoice employees with access to production systems require MFA
Access to customer data is strictly need-to-know and logged in immutable audit trails
Production access requires just-in-time (JIT) approval from a second employee
All access events are logged and reviewed by our security team
Employee access is revoked within 24 hours of departure

5Application Security

Security is built into our development process from the start, not added as an afterthought:

Secure development lifecycle (SDLC) — Security requirements integrated into every development sprint
Automated static code analysis (SAST) — Code is scanned for vulnerabilities before every deployment
Dynamic application security testing (DAST) — Running applications tested for vulnerabilities in staging before production releases
Dependency scanning — All third-party libraries scanned for known CVEs automatically
OWASP Top 10 protections — Our application is defended against all OWASP Top 10 vulnerability classes
Content Security Policy (CSP) — XSS and injection attack mitigations on all web interfaces
Developer security training — All engineers complete annual secure development training

6Monitoring & Incident Response

24/7 Security Monitoring

PinnacleVoice maintains round-the-clock security monitoring across all systems:

Security Information and Event Management (SIEM) aggregating logs from all infrastructure components
Automated anomaly detection alerting on unusual access patterns or data volumes
Real-time alerts for authentication failures, privilege escalation attempts, and unusual API activity
AWS GuardDuty for intelligent threat detection

Incident Response

In the event of a security incident, our response follows an established playbook:

Detection & Containment: Automated systems detect anomalies; on-call security engineer engaged within 15 minutes
Assessment: Severity classification and impact scope determination within 1 hour
Notification: Affected customers notified within 72 hours of confirmed breach (per GDPR requirements)
Remediation: Root cause identified and patch deployed
Post-Mortem: Full incident report and preventative measures documented

7Call Recording Security

Call recordings are among the most sensitive data our platform handles. We treat them accordingly:

All recordings encrypted at rest with AES-256 and customer-specific encryption keys
Access to recordings restricted by role-based permissions you define
Recordings accessible only via authenticated HTTPS connections — never via direct file URLs
Automatic expiration available per your configured retention policy
State-by-state two-party consent disclosure management built into the platform
Complete audit log of every recording access event

Recording compliance note: Many states require two-party consent for call recordings. PinnacleVoice's platform can be configured to play automatic disclosures at the start of recorded calls. Consult legal counsel to ensure your recording practices comply with all applicable state laws.

8Vendor & Third-Party Security

PinnacleVoice conducts security reviews of all third-party vendors that process customer data. Our key infrastructure providers:

Vendor	Purpose	Certifications
Amazon Web Services (AWS)	Cloud infrastructure & storage	SOC 2, ISO 27001, FedRAMP, PCI DSS
Stripe	Payment processing	PCI DSS Level 1, SOC 2
Twilio	Voice & SMS carrier	SOC 2, ISO 27001

All vendors with access to personal data are required to sign Data Processing Agreements (DPAs) and are subject to annual security reviews.

9Penetration Testing

PinnacleVoice engages independent certified security firms to conduct annual penetration tests of our entire platform — including network infrastructure, application layer, and API endpoints. Our penetration testing program includes:

Annual full-scope penetration test by a CREST or OSCP-certified third party
Quarterly automated vulnerability scanning across all public-facing systems
Continuous dependency vulnerability monitoring via automated tools
All critical and high-severity findings remediated within 30 days
Penetration test attestations available to Enterprise customers under NDA

We have never had a penetration test result in a customer data exposure. We intend to keep that record.

10Your Security Responsibilities

Security is a shared responsibility. While PinnacleVoice secures the platform, you are responsible for:

Strong passwords: Use unique, complex passwords for all PinnacleVoice accounts (minimum 12 characters, mix of types)
Enable MFA: Multi-factor authentication is available on all plans and strongly recommended for all users, especially administrators
User access management: Remove or deactivate accounts promptly when employees leave or change roles
Reporting: Notify us immediately at support@pvndialer.com if you suspect unauthorized access to your account
Device security: Ensure devices used to access PinnacleVoice have up-to-date security patches and endpoint protection
Data classification: Understand what sensitive data you're uploading and ensure it's handled appropriately by your team

11Report a Security Vulnerability

PinnacleVoice takes all security reports seriously. If you believe you have discovered a security vulnerability in our platform, we want to hear from you.

Responsible Disclosure Program
📧 Email: support@pvndialer.com
Please include: Description of the vulnerability, steps to reproduce, potential impact, and your contact information.

We will acknowledge your report within 24 hours and provide a resolution timeline within 5 business days. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.

We do not pursue legal action against security researchers who report vulnerabilities in good faith and follow responsible disclosure principles.

Enterprise-Grade Security