Purpose

VerbaCall is an AI-powered multichannel communication platform handling sensitive client conversations across voice, SMS, and email channels in verticals including real estate, senior living, healthcare, restaurants, and financial services. The protection of customer data, platform integrity, and operational continuity is fundamental to our business and to the trust our clients place in us.

This Information Security Policy establishes the framework, requirements, and responsibilities for protecting VerbaCall's information assets. It is designed to:

• Safeguard the confidentiality, integrity, and availability of all information and systems.
• Ensure compliance with applicable laws, regulations, and contractual obligations (including TCPA, HIPAA where applicable, and GDPR where relevant).
• Define clear roles and accountability for information security across the organisation.
• Provide a foundation for risk management, incident response, and continuous improvement.

Scope

This Policy applies to:

• All VerbaCall employees (full-time, part-time, and remote), including leadership and development teams.
• Contractors, consultants, and temporary staff with access to VerbaCall systems.
• Third-party vendors and integration partners who process, store, or transmit VerbaCall data.
• All information assets owned, leased, or managed by VerbaCall, including the production platform, CRM, telephony infrastructure (Twilio/SIP), AI voice services (ElevenLabs), speech recognition services (Deepgram), and all cloud and on-premise servers.

Information Classification

All VerbaCall information must be classified and handled according to the following tiers:

Access Control

4.1 Principle of Least Privilege

Access to VerbaCall systems and data must be granted based strictly on job requirements. No user shall have broader access than necessary to perform their role.

4.2 User Account Management

• All system access must be tied to a uniquely identified individual account. Shared accounts are prohibited.
• Access must be approved by the user's direct manager and provisioned by the designated System Administrator.
• Access rights must be reviewed quarterly and immediately upon role change or termination.
• Terminated employees or contractors must have all access revoked within 24 hours of departure.

4.3 Authentication

• All production systems must enforce multi-factor authentication (MFA) for remote access.
• Passwords must meet the following minimum requirements: 12 characters; mix of uppercase, lowercase, numbers, and symbols; not reused from the previous 12 passwords.
• API keys and service credentials must be stored in a designated secrets manager (environment variables or vault) and never hard-coded in source code repositories.
• SSH key-based authentication is required for server access; password-based SSH must be disabled.

4.4 Privileged Access

• Root or administrator access to production servers must be logged and reviewed monthly.
• Production server access must be performed via a jump host or VPN where feasible.

Data Protection & Privacy

5.1 Data Minimisation

VerbaCall collects only the personal data necessary for the delivery of its services. Data collection practices must be reviewed annually and unnecessary data purged.

5.2 Data at Rest

• All Confidential and Restricted data stored on servers or cloud storage must be encrypted using AES-256 or equivalent.
• Database backups must be encrypted and stored in a separate, access-controlled location.

5.3 Data in Transit

• All data transmitted between VerbaCall systems and external parties must use TLS 1.2 or higher.
• Twilio SIP trunks and PSTN connections must use SRTP/TLS where supported.
• Unencrypted transmission of Confidential or Restricted data is prohibited.

5.4 Data Retention & Disposal

• Call recordings, SMS logs, and email records are retained for a maximum of 12 months unless a client contract specifies otherwise or a legal hold applies.
• CRM lead data is retained for the duration of the client engagement plus 90 days.
• At end of retention, data must be securely deleted (overwritten or cryptographically erased); physical media must be shredded.

5.5 Regulatory Compliance

• Calls made via the VerbaCall platform must comply with TCPA requirements, including proper opt-out handling and Do Not Call list checks.
• Where VerbaCall processes data on behalf of healthcare clients, HIPAA Business Associate Agreement (BAA) obligations apply and must be documented.
• Where EU/UK individuals' data is processed, GDPR/UK GDPR obligations including data subject rights requests must be honoured.

Network & Infrastructure Security

6.1 Production Environment

• Production servers (including VerbaCall API, CRM backend, and telephony services) must be separated from development and staging environments.
• Firewall rules must follow a default-deny policy; only explicitly required ports and protocols may be open.
• Unused ports, services, and default credentials must be disabled on all servers.

6.2 Log Management

• Application and system logs must be retained for a minimum of 90 days in a centralised, tamper-evident store.
• Log rotation must be configured to prevent disk exhaustion. Log volumes must be monitored with alerting on abnormal growth.
• Logs must not contain plaintext passwords, API keys, or Restricted-class data.

6.3 Patch Management

• Operating system and application security patches rated Critical or High must be applied within 7 days of release.
• A monthly patching window is established for lower-severity updates.
• Patch status for all production systems must be reviewed monthly by the System Administrator.

6.4 Cloud & Third-Party Services

• Third-party service integrations (Twilio, ElevenLabs, Deepgram, CRM platforms) must be reviewed annually for security posture and contractual compliance.
• API keys for third-party services must be rotated at least every 12 months or immediately upon suspected compromise.
• Vendor access to VerbaCall data must be governed by a signed Data Processing Agreement (DPA) before integration.

Application Security

7.1 Secure Development

• All code changes must be reviewed by at least one peer developer before merging to the main branch.
• Input validation and output encoding must be implemented to prevent injection attacks (SQL injection, XSS, command injection).
• Sensitive configuration (database URIs, API secrets, JWT secrets) must never be committed to source code repositories; use environment variables or a secrets manager.
• Dependencies must be checked for known vulnerabilities before integration using automated scanning tools (e.g., npm audit, Dependabot).

7.2 AI & Telephony-Specific Controls

• LangGraph call scripts and AI agent prompts must be reviewed before deployment to production to prevent prompt injection or unintended data exposure.
• Warm handoff, outbound campaign, and CRM automation features must include audit logging of all actions taken by the AI agent.
• Email address read-back and sensitive data confirmation flows must not expose full values in logs.

7.3 Vulnerability Management

• Penetration testing must be conducted at least annually by an independent assessor.
• Critical vulnerabilities discovered during assessments must be remediated within 30 days.

Incident Management

8.1 Definition

A security incident is any event that compromises, or has the potential to compromise, the confidentiality, integrity, or availability of VerbaCall systems or data. This includes, but is not limited to: unauthorised access, data breaches, ransomware/malware, service outages caused by attack, and loss of encrypted devices.

8.2 Reporting

• All employees and contractors must report suspected incidents immediately to the CEO and/or designated Security Officer.
• Incidents must not be disclosed externally (including on social media) without authorisation.

8.3 Response Procedure

Business Continuity & Disaster Recovery

• Critical systems (VerbaCall API, CRM, telephony gateway) must maintain automated daily backups stored offsite or in a separate cloud region.
• Recovery Time Objective (RTO): 4 hours for Tier 1 systems (API, telephony). Recovery Point Objective (RPO): 24 hours.
• Disaster recovery procedures must be tested at least once per year via a simulated failover exercise.
• Results of DR tests must be documented and reviewed by leadership.

Physical & Endpoint Security

• Company-issued and personal devices used to access VerbaCall systems must have full-disk encryption enabled.
• Devices must be password-protected with an auto-lock timeout of 5 minutes or less.
• Lost or stolen devices must be reported to the Security Officer immediately and remotely wiped if possible.
• Team members working remotely must use a VPN when accessing Confidential or Restricted systems.
• Public Wi-Fi networks must not be used to access production systems without an active VPN.

Human Resources Security

11.1 Pre-Employment

• Background checks must be conducted for all employees and contractors with access to Confidential or Restricted data, in accordance with local law.
• All new hires must sign a Confidentiality and Acceptable Use Agreement before being granted system access.

11.2 Security Awareness Training

• All personnel must complete security awareness training within 30 days of joining and annually thereafter.
• Training must cover: phishing identification, password hygiene, incident reporting, data handling, and acceptable use.

11.3 Offboarding

• Upon departure, all system credentials, accounts, and physical access must be revoked within 24 hours.
• Company devices must be returned and wiped within 5 business days.

Third-Party & Supplier Management

• All third-party suppliers with access to VerbaCall systems or data must complete a security assessment before engagement.
• Suppliers must agree to VerbaCall's security requirements and sign a DPA where personal data is involved.
• Integration credentials must be granted with the minimum permissions required; broad API access to production systems is prohibited.
• Supplier security posture must be reviewed annually; material changes to a supplier's security practices must be reported to VerbaCall within 30 days.

Acceptable Use

All personnel with access to VerbaCall systems must adhere to the following requirements:

• Systems must be used only for legitimate business purposes.
• Downloading, installing, or executing unauthorised software on company or company-connected systems is prohibited.
• Client call recordings, SMS logs, and contact data must not be copied to personal devices or unapproved cloud storage.
• Personnel must not attempt to circumvent security controls, access systems beyond their authorised scope, or conduct vulnerability scanning without written approval.
• Any discovered vulnerability in VerbaCall systems must be reported immediately and not exploited or disclosed externally.

Compliance & Enforcement

Compliance with this Policy is mandatory. Violations may result in:

• Disciplinary action, up to and including termination of employment or contract.
• Legal action where applicable law has been violated.
• Notification to relevant regulatory authorities where required.

Compliance is monitored through periodic internal audits, automated security tooling, and annual third-party assessments. Audit findings are reported to leadership and tracked to remediation.

Roles & Responsibilities

Exception Management

Exceptions to this Policy may be granted in exceptional circumstances. All exception requests must:

• Be submitted in writing to the Security Officer with a business justification.
• Include a risk assessment and proposed compensating controls.
• Receive written approval from the CEO.
• Be reviewed at least every 90 days; exceptions that cannot be remediated must be escalated.

Review & Maintenance

This Policy will be reviewed annually or following any of the following triggering events:

• A material security incident.
• Significant changes to VerbaCall's technology stack, product features, or client verticals.
• Changes to applicable laws or regulatory requirements.
• Acquisition of new enterprise clients with heightened compliance requirements.

The Security Officer is responsible for initiating reviews and presenting updates to leadership for approval.

Approval & Sign-Off