telepace

Security

Boring — on purpose.

Security is easy to talk about and hard to deliver. Here's the truth about what we do, what we don't, and what's next.

Data isolation

Every customer's data lives in its own logical tenant, keyed on org_id. Row-level policies enforce isolation at the database layer, not just the app layer.

Encryption

TLS 1.3 in transit. AES-256-GCM at rest. Envelope-encrypted secrets via cloud KMS. Zero plaintext credentials on disk.

PII redaction

All transcripts pass through a Presidio + custom-pattern redactor before persistence. Names, phone numbers, SSN, CC — never stored raw.

Access control

SSO (Okta, Google Workspace, Azure AD) on Team+. Fine-grained roles: viewer, editor, admin. Every access is audit-logged.

Model training

Your data is never used to train models — ours or any vendor's. BYO LLM keys route directly, bypassing our proxy entirely.

Incident response

24/7 on-call rotation. Notification within 72 hours for any incident affecting customer data. Postmortems public by default.

Certifications & compliance

Where we are — and where we're headed.

SOC 2 Type II
In audit · report expected Q4 2026
GDPR
DPA available on request · EU data residency on Team+
HIPAA
BAA available on Enterprise · roadmap Q1 2027
ISO 27001
Planned 2027

Responsible disclosure

Found something? Tell us.

Report vulnerabilities to security@telepace.com. We acknowledge within 24 hours, triage within 72, and pay bounties starting at $500 for confirmed issues (up to $10k for critical).

PGP key: 0xA1B2C3D4E5F6 · fingerprint on keys.openpgp.org.

Security · telepace