Ensuring data security with our 3rd party SOC 2 audit


SOC 2 compliance (Service Organization Control 2) is a voluntary compliance standard developed by the American Institute of CPAs (AICPA) that ensures an organization has established security processes and practices at each level of the company. SOC 2 compliance is evaluated against criteria for security, availability, and confidentiality.

The compliance is separated into two types of SOC 2 reports:

  • Type 1: A report on the effectiveness of the organization’s security system and processes at the point in time in which the SOC audit was conducted.
  • Type 2: A report on the effectiveness of the organization’s security system and processes over a period of at least 6 months, during which the SOC audit observed these security controls in operation.

Because SOC 2 compliance is voluntary, companies that go the extra mile to achieve it do so to continue building trust with their customers and prospects.

CallRail is officially SOC 2 compliant

As a SaaS organization handling customer data in the form of calls, texts, forms, and chat, it’s vital to provide assurance that your data and your customers’ data is managed and stored securely. That’s why we not only perform our own internal audits to evaluate our current risk management processes, but also bring in a 3rd party auditor to deliver a detailed SOC 2 report that documents any potential oversights and vulnerabilities.

As part of the SOC 2 Type II report, CallRail was evaluated against the following three categories of SOC 2 requirements:

  1. Security: We've taken strong measures to prevent unauthorized access to our systems and protect the integrity of any information CallRail stores or processes.
  2. Availability: We've built our products to be up and running as close to 100% of the time as possible.
  3. Confidentiality: Information designated as confidential is protected with extra security controls to ensure the privacy of our customers and their customers.

Over a period of more than 6 months, our 3rd party auditors reported no findings or issues in their SOC 2 Type II report.

Internal Security Measures

Keeping your and your business’ data safe and secure is up to every employee at every level of the organization. To ensure privacy and security, CallRail engaged an independent CPA to examine and report on its controls under the framework the AICPA has established, System and Organization Control (SOC) Type II. The independent CPA examined and reported on controls at CallRail relevant to Security, Availability, and Confidentiality. A copy of CallRail’s SOC 2 Type II report can be requested by contacting the legal team at legal@callrail.com.

All data encrypted “in transit” and “at rest”

All access to CallRail is encrypted via SSL to protect data from interception at network points between the user and CallRail. All call records, web visitor sessions, and call routing data are fully encrypted when stored on disk. This data is seamlessly decrypted as needed for reporting purposes when accessed by the customer. These precautions protect the data even if hard drives fail, are decommissioned, or are stolen.

Secure access

Individual users are granted their own login credentials, which can be controlled by an administrator. Login sessions automatically expire after a brief period of inactivity to prevent unauthorized access.

Firewalls and private network gaps

The databases, application servers, and other machines responsible for routing calls through CallRail are isolated and inaccessible via the public internet (except the web application itself, of course). This private network is protected by a pair of redundant hardware firewalls to ensure only expected traffic is allowed.