Security

Last updated: May 2025

1. Our Security Philosophy

At CallNex, security is not an afterthought — it is built into every layer of our platform. We handle sensitive business communications and personal data, and we take our responsibility to protect that data seriously. This page describes the technical and organisational measures we have in place.

2. Data Encryption

All data is protected with industry-standard encryption:

  • In transit: TLS 1.3 for all communications between your browser, our API, and sub-processors. Older TLS versions (1.0, 1.1) are disabled.
  • At rest: AES-256 encryption for call recordings, AI transcripts, and all sensitive data stored in our databases and file storage
  • Database credentials, API keys, and secrets are stored in an encrypted secrets manager and never in source code or environment files accessible to third parties

3. Access Control

We enforce strict access controls at every level:

  • Role-based access control (RBAC): all platform users have access scoped to their organisation and assigned role
  • Principle of least privilege: CallNex staff access only the minimum data required to perform their job function
  • Multi-factor authentication (MFA): mandatory for all CallNex staff accessing production infrastructure
  • Privileged access management: production database access is time-limited, audited, and requires approval
  • Customer account isolation: your data is logically separated from other customers and cannot be accessed across account boundaries

4. Infrastructure Security

Our platform runs on EU-based cloud infrastructure with the following protections:

  • Private network architecture: application servers, databases, and storage are not directly exposed to the public internet
  • Web Application Firewall (WAF): filters common web attack patterns such as SQL injection and cross-site scripting (XSS) from the OWASP Top 10 injection categories, in front of the application's own input validation
  • DDoS protection: network-level mitigation with automatic traffic filtering for volumetric attacks
  • Regular automated vulnerability scanning of our infrastructure and application dependencies
  • Patch management: operating system and dependency security patches applied within 72 hours of release for critical vulnerabilities

5. Application Security

Security is integrated into our development process:

  • Secure development lifecycle (SDLC): security review is part of every feature build
  • Dependency scanning: automated checks on all third-party packages for known CVEs before deployment
  • Input validation and output encoding: user-provided data is validated on input and encoded when rendered or passed to downstream interpreters (HTML, database queries, shell commands), to prevent injection attacks
  • API authentication: all API endpoints require valid authentication tokens; tokens expire and are rotated regularly
  • Rate limiting: API endpoints are rate-limited to prevent brute-force and enumeration attacks
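The rate-limiting bullet above describes a mechanism rather than showing one. The following is an added example (not CallNex's code): a per-key token-bucket limiter with an injectable clock, replayed against a constructed burst of login attempts. The capacity and refill rate, the IP addresses, and the `simulate_login_bruteforce` helper are assumptions for the demonstration.

```python
"""Token-bucket rate limiter, as an illustration of brute-force throttling.
Added example; not CallNex's implementation. Limits are assumed."""
from dataclasses import dataclass
import time


@dataclass
class _Bucket:
    tokens: float   # requests still allowed right now
    updated: float  # clock reading at the last refill


class TokenBucketLimiter:
    """Each key (client IP, API token, or target account) may burst up to
    `capacity` requests and then refills at `rate` requests per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock            # injectable so tests can control time
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(tokens=float(self.capacity), updated=now)
        # Refill proportionally to elapsed time, never above capacity.
        b.tokens = min(float(self.capacity), b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate_login_bruteforce(attempts: int = 20, capacity: int = 5, rate: float = 1.0):
    """Replay `attempts` login requests from one constructed client address at
    t=0, then one more after 3 s, and one from a different address.
    Returns (allowed_in_burst, allowed_after_refill, other_client_allowed)."""
    t = [0.0]
    limiter = TokenBucketLimiter(capacity, rate, clock=lambda: t[0])
    attacker, bystander = "203.0.113.7", "198.51.100.9"  # RFC 5737 test addresses
    allowed = sum(limiter.allow(attacker) for _ in range(attempts))
    t[0] = 3.0  # three seconds later, three tokens have refilled
    later = limiter.allow(attacker)
    other = limiter.allow(bystander)  # separate key, untouched budget
    return allowed, later, other


if __name__ == "__main__":
    print(simulate_login_bruteforce())  # (5, True, True)
```

Keying only by source address is not enough against credential stuffing from many addresses; limiting per target account as well (and returning the same response for "unknown user" and "wrong password") is what actually blunts the enumeration case the bullet mentions.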

6. Call Recording and Data Security

Call recordings and AI transcripts contain sensitive business and personal data. We apply additional controls:

  • Recordings are stored in encrypted, access-controlled object storage accessible only to the account that generated them
  • All access to recordings is logged with user, timestamp, and IP address
  • Recordings are served via time-limited, signed URLs — direct access without authentication is not possible
  • Automated deletion enforces your configured retention period; manual bulk deletion is also available in account settings

7. Monitoring and Incident Response

We operate continuous security monitoring to detect and respond to threats:

  • 24/7 automated monitoring of infrastructure health, application errors, and security events
  • Anomaly detection: unusual access patterns, failed authentication attempts, and data export spikes trigger alerts
  • Defined incident response plan: classification, containment, eradication, recovery, and post-incident review
  • GDPR breach notification: in the event of a personal data breach, affected customers and the Belgian GBA are notified within 72 hours; the 72-hour deadline for notifying the supervisory authority is the one set by GDPR Article 33, and notifying customers promptly lets them meet their own obligations as controllers
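The anomaly-detection bullet lists three signals (unusual access, failed authentication, export spikes) without showing what a rule looks like. Below is an added example (not CallNex's monitoring stack) that runs three sliding-window rules over a constructed set of JSON-lines audit events: repeated failures from one source, one source failing against many accounts (password spraying), and an export burst by one user. The log format, field names, thresholds and addresses are all assumptions made for the illustration.

```python
"""Sliding-window detection rules over constructed audit events.
Added example; not CallNex's detection logic. Thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime
import json

# Constructed sample events (JSON lines); not real CallNex logs.
SAMPLE_LOG = """\
{"ts":"2025-05-01T09:00:00Z","event":"login","user":"alice@example.com","src_ip":"203.0.113.7","outcome":"failure"}
{"ts":"2025-05-01T09:00:05Z","event":"login","user":"alice@example.com","src_ip":"203.0.113.7","outcome":"failure"}
{"ts":"2025-05-01T09:00:09Z","event":"login","user":"alice@example.com","src_ip":"203.0.113.7","outcome":"failure"}
{"ts":"2025-05-01T09:00:14Z","event":"login","user":"alice@example.com","src_ip":"203.0.113.7","outcome":"failure"}
{"ts":"2025-05-01T09:00:20Z","event":"login","user":"alice@example.com","src_ip":"203.0.113.7","outcome":"failure"}
{"ts":"2025-05-01T09:01:00Z","event":"login","user":"bob@example.com","src_ip":"198.51.100.9","outcome":"failure"}
{"ts":"2025-05-01T09:01:10Z","event":"login","user":"carol@example.com","src_ip":"198.51.100.9","outcome":"failure"}
{"ts":"2025-05-01T09:01:20Z","event":"login","user":"dave@example.com","src_ip":"198.51.100.9","outcome":"failure"}
{"ts":"2025-05-01T09:02:00Z","event":"login","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"failure"}
{"ts":"2025-05-01T09:10:00Z","event":"login","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
{"ts":"2025-05-01T10:00:00Z","event":"export","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
{"ts":"2025-05-01T10:00:30Z","event":"export","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
{"ts":"2025-05-01T10:01:00Z","event":"export","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
{"ts":"2025-05-01T10:01:30Z","event":"export","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
{"ts":"2025-05-01T10:02:00Z","event":"export","user":"erin@example.com","src_ip":"192.0.2.44","outcome":"success"}
"""

FAILED_LOGIN_LIMIT = 5    # failures from one source within FAIL_WINDOW_S
SPRAY_ACCOUNT_LIMIT = 3   # distinct accounts failed from one source within FAIL_WINDOW_S
FAIL_WINDOW_S = 60
EXPORT_LIMIT = 5          # exports by one user within EXPORT_WINDOW_S
EXPORT_WINDOW_S = 600


def _parse(line: str) -> dict:
    e = json.loads(line)
    e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).timestamp()
    return e


def _push(window: deque, item, t: float, span: float) -> None:
    """Append (t, item) and drop entries older than `span` seconds."""
    window.append((t, item))
    while window and t - window[0][0] > span:
        window.popleft()


def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, key, ts) alerts in the order they fire; each rule fires
    at most once per key so a sustained attack does not flood the queue."""
    fails_by_ip = defaultdict(deque)     # (t, user) per source address
    exports_by_user = defaultdict(deque) # (t, None) per user
    fired: set[tuple[str, str]] = set()
    alerts: list[tuple[str, str, str]] = []

    def fire(rule: str, key: str, ts: str) -> None:
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, ts))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = _parse(line)
        if e["event"] == "login" and e["outcome"] == "failure":
            w = fails_by_ip[e["src_ip"]]
            _push(w, e["user"], e["t"], FAIL_WINDOW_S)
            if len(w) >= FAILED_LOGIN_LIMIT:
                fire("bruteforce", e["src_ip"], e["ts"])
            if len({u for _, u in w}) >= SPRAY_ACCOUNT_LIMIT:
                fire("spray", e["src_ip"], e["ts"])
        elif e["event"] == "export":
            w = exports_by_user[e["user"]]
            _push(w, None, e["t"], EXPORT_WINDOW_S)
            if len(w) >= EXPORT_LIMIT:
                fire("export_spike", e["user"], e["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The spraying rule matters because a low-and-slow attacker trying one password against many accounts never trips a per-account failure counter; keying on the source and counting distinct targets catches it. Conversely, the export-spike rule is keyed on the user, since the exfiltration case the bullet names is a legitimately authenticated account behaving unusually.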

8. Employee Security

Our people are a critical part of our security posture:

  • Background checks on all employees with access to production data
  • Annual security awareness training covering phishing, social engineering, and data handling
  • Acceptable use policy and data classification guidelines provided to all staff
  • Offboarding procedure: all access is revoked within 1 hour of an employee's departure

9. Third-Party Security

We evaluate the security posture of all sub-processors before onboarding and review them annually. We require:

  • ISO 27001 certification or equivalent for sub-processors handling personal data
  • Data Processing Agreements (DPAs) with all sub-processors
  • Contractual obligations to notify us of any security incident affecting our data within 24 hours

10. Responsible Disclosure

We welcome security research and responsible disclosure. If you have found a potential vulnerability in the CallNex platform, please report it to us privately before making it public:

Email: support@callnex.nl (subject: 'Security Disclosure')

We will acknowledge your report within 2 business days, keep you informed of our investigation progress, and aim to resolve confirmed vulnerabilities within 30 days. We do not take legal action against researchers who act in good faith and follow responsible disclosure principles.

CallNex BV · Brussels, Belgium · support@callnex.nl