Enterprise Grade Security

Last updated: 10 February 2026

Learn how PhoneSteward protects your data with enterprise-grade security infrastructure, strict access controls, and industry-leading certifications.

  • SOC 2 Type II: annual audit — security, availability, confidentiality
  • HIPAA: full compliance for healthcare data handling
  • PCI-DSS: Level 1 compliant payment processing via Stripe
  • ISO 27001: information security management certified
1. Security Overview

Security is foundational to everything we build at PhoneSteward. We handle sensitive business communications, client data, and in many cases Protected Health Information (PHI). Our security programme is designed to exceed industry standards and earn your trust.

  • Dedicated Chief Information Security Officer (CISO) with 15+ years of experience.
  • Security-first engineering culture with mandatory secure coding training for all developers.
  • Annual third-party penetration testing and quarterly vulnerability assessments.
  • Comprehensive incident response plan tested through tabletop exercises twice yearly.
2. Encryption

All data is encrypted both in transit and at rest using industry-leading standards:

  • In transit — TLS 1.3 enforced on all connections. HSTS headers with 12-month max-age. Certificate Transparency monitoring enabled.
  • At rest — AES-256 encryption for all stored data including call recordings, transcriptions, and account information.
  • Key management — encryption keys managed through AWS Key Management Service (KMS) with automatic annual rotation and strict access policies.
  • Database encryption — RDS instances use encrypted storage volumes with per-instance keys.
  • Backup encryption — all backups are encrypted with separate keys from production data.
3. Infrastructure

Our infrastructure is hosted on AWS with a focus on resilience, isolation, and compliance:

  • Primary region — eu-west-2 (London) for data residency compliance. All customer data remains in the UK.
  • Multi-AZ deployment — services distributed across multiple availability zones for high availability.
  • Container orchestration — applications run in ECS Fargate with automatic scaling and zero-downtime deployments.
  • Network isolation — production systems run in dedicated VPCs with private subnets. No direct internet access to application servers.
  • WAF & DDoS protection — AWS WAF and Shield Advanced protect all public endpoints.
  • Infrastructure as Code — all infrastructure defined in Terraform, version-controlled and peer-reviewed.
4. Access Controls

We enforce strict access controls following the principle of least privilege:

  • Multi-factor authentication — required for all employee and customer dashboard access. Hardware security keys for production systems.
  • Role-based access — granular permissions based on job function. Access reviewed quarterly by security team.
  • Privileged access management — production access requires approval, is time-limited, and fully logged.
  • SSO integration — SAML 2.0 single sign-on available for Enterprise customers.
  • Session management — configurable session timeouts (default 30 minutes, 15 minutes for HIPAA accounts). Concurrent session limits enforced.
  • Employee offboarding — access revoked within 1 hour of employment termination.
5. Monitoring & Detection

We maintain 24/7 visibility into our systems to detect and respond to threats:

  • SIEM — centralised log aggregation and analysis with real-time alerting for suspicious activity.
  • Intrusion detection — network and host-based IDS monitoring all production systems.
  • Anomaly detection — machine-learning-based detection of unusual access patterns, data exfiltration attempts, and account compromise.
  • Uptime monitoring — synthetic checks every 30 seconds from multiple global locations.
  • Audit trails — comprehensive logging of all administrative actions, data access, and system changes. Logs retained for 6 years.
6. Application Security

Security is embedded throughout our software development lifecycle:

  • Secure SDLC — security reviews required for all code changes. Automated SAST/DAST scanning in CI/CD pipeline.
  • Dependency management — automated scanning for vulnerable dependencies with enforced upgrade policies.
  • API security — rate limiting, input validation, and authentication on all API endpoints. OAuth 2.0 for third-party integrations.
  • Data sanitisation — strict input/output sanitisation to prevent injection attacks (SQL, XSS, SSRF).
  • Bug bounty — responsible disclosure programme for external security researchers.
7. Data Protection & Privacy

Data protection is core to our security programme:

  • Data classification — all data classified by sensitivity level with corresponding handling requirements.
  • Data minimisation — we collect and retain only the data necessary to provide our services.
  • Retention policies — configurable per-account retention periods. Automatic secure deletion upon expiry.
  • Data portability — full data export available via dashboard or API at any time.
  • Right to erasure — complete data deletion within 30 days of request, with cryptographic verification.
8. Business Continuity & Disaster Recovery

We maintain robust plans to ensure service continuity:

  • RPO (Recovery Point Objective) — maximum 1 hour of data loss for all critical systems.
  • RTO (Recovery Time Objective) — services restored within 4 hours of a major incident.
  • Automated backups — hourly encrypted backups with cross-region replication.
  • DR testing — full disaster recovery tests conducted quarterly with documented results.
  • Business continuity plan — reviewed and updated annually, covering scenarios from regional outages to pandemic response.
9. Vendor & Supply Chain Security

We carefully vet all third-party vendors who may access customer data:

  • Vendor assessment — security questionnaires, SOC 2 reports, and contract reviews for all vendors before engagement.
  • Contractual requirements — all vendors contractually bound to maintain security standards equivalent to our own.
  • Ongoing monitoring — annual vendor reassessments and continuous monitoring of vendor security posture.
  • Sub-processor list — maintained and available to customers. Changes communicated 30 days in advance.
10. Incident Response

We are prepared to respond swiftly and effectively to security incidents:

  • 24/7 on-call — security engineering team available around the clock for incident response.
  • Defined severity levels — P1 through P4 classification with corresponding response and escalation timelines.
  • Customer notification — impacted customers notified within 24 hours of confirmed security incidents.
  • Post-incident review — detailed root cause analysis and remediation plan published for all significant incidents.
  • Regulatory notification — we handle ICO and other regulatory notifications on your behalf where applicable.

Security questions or concerns?

Our security team is available to answer questions, provide audit reports, or complete your security questionnaire. For responsible disclosure of vulnerabilities, please use our dedicated channel.