We don't sell certifications we haven't earned. Here's what's actually wired into the platform — every feature backed by code.
Marketing sites love badges. SOC 2. HIPAA. ISO 27001. All meaningful, all expensive, all eventually-on-our-list.
What's actually wired into the platform today is more interesting than badges anyway — it's the behavior, not the certificate. A SOC 2 report tells you a third party watched the team for ninety days. The features below tell you what the platform does at runtime, every request, with no auditor in the room.
Thirteen real features. Every one of them is in the codebase right now. Each has an endpoint, a guard, a log, or a key behind it.
A spec sheet, not a marketing matrix. If it's listed here, you can grep for it in the codebase.
Email-based TOTP triggered on new device or IP. Suspicious login is challenged before access, not after the fact.
5 failed login attempts trigger a 15-minute lockout. Brute-force credential attacks die at the door.
Browser + device recognition on every login. Admins see suspicious-login alerts in real time, with device + IP context.
Three user roles — Admin, Manager, Member — enforced at the API guard layer. Every endpoint declares the minimum role required.
Sensitive integration tokens (carrier auth, third-party API keys) are encrypted in storage. The application server never sees plaintext credentials at rest.
Four distinct audit tables — analytics events, block audit, CRM sync, platform audit — all append-only. No update or delete paths exist in the codebase.
Configurable per-route limits — 20 DNC checks/min, 5 bulk checks/min, 30 login attempts/5min per IP — with Redis-backed counters.
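The lockout and the per-route limits above are two different controls with two different keys: the lockout is per account (5 failures, 15 minutes), the route limits are per client IP (20 DNC checks/min, 5 bulk checks/min, 30 login attempts/5 min). The example below is added here and is not the platform's code; it keeps both policies in a fixed-window counter that stands in for the Redis INCR/EXPIRE counters the page mentions (the in-memory dict, the route names and the injected clock are assumptions for a runnable demo).

```python
import time
from collections import defaultdict


class WindowCounter:
    """Fixed-window counter. Stand-in for Redis INCR + EXPIRE (assumption)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._buckets = {}  # key -> (window_start, count)

    def hit(self, key, window_seconds):
        """Increment key in the current window and return the new count."""
        now = self._clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= window_seconds:
            start, count = now, 0  # window expired: start a fresh one
        count += 1
        self._buckets[key] = (start, count)
        return count


# Per-route limits from the page: route -> (max requests, window in seconds).
# Route names are assumptions; the numbers are the page's.
ROUTE_LIMITS = {
    "dnc_check": (20, 60),
    "bulk_check": (5, 60),
    "login": (30, 300),
}


def allow_request(counter, route, client_ip):
    """True if this IP is still inside the route's budget for the window."""
    limit, window = ROUTE_LIMITS[route]
    return counter.hit(f"route:{route}:{client_ip}", window) <= limit


MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    """Per-account lockout: 5 consecutive failures lock the account for 15 minutes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear it and the failure streak that caused it.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_attempt(self, account, password_ok):
        """Return 'locked', 'ok' or 'failed'. A locked account is refused even
        when the password is right, so the attacker learns nothing from it."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILED_LOGINS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(5):
        print(guard.record_attempt("alice", False))  # failed x4, then locked
    print(guard.record_attempt("alice", True))  # still locked
```

The per-IP counter throttles a single source hammering the login route; the per-account guard catches a distributed attempt that spreads 5 guesses across many IPs. Both are needed, and the lockout's "refuse even a correct password" rule is what makes the 15 minutes meaningful.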
DID-level attestation status tracked per phone number for caller-ID trust. Numbers without A-level attestation are flagged for replacement.
JWT tokens with session-ID binding. Tokens can be revoked instantly — every server-side handler validates session presence on each request.
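Binding a token to a session ID is what makes "revoke instantly" possible: the signature proves who minted the token, but the session lookup decides whether it is still honoured. The example below is added here and is not the platform's code; it builds an HS256 JWT with only the standard library (a minimal stand-in for a JWT library), stores the session ID in the `sid` claim, and shows the per-request check that refuses a correctly signed, unexpired token once its session has been revoked. The secret, claim names and in-memory session store are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, user_id: str, session_id: str, ttl: int, now=None) -> str:
    """Mint an HS256 JWT whose payload carries the server-side session id."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "sid": session_id, "iat": int(now), "exp": int(now) + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class SessionStore:
    """Server-side session table (in-memory stand-in, assumption)."""

    def __init__(self):
        self._active = {}  # session_id -> user_id

    def create(self, session_id, user_id):
        self._active[session_id] = user_id

    def revoke(self, session_id):
        # Deleting the row is the whole revocation: tokens are not tracked.
        self._active.pop(session_id, None)

    def is_active(self, session_id, user_id):
        return self._active.get(session_id) == user_id


def validate_request(secret: bytes, store: SessionStore, token: str, now=None):
    """Per-request guard: return the user id if the token is genuine, unexpired
    and its session still exists; otherwise None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    # Verify with the algorithm we expect, never the one the header claims.
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None
    if not store.is_active(payload.get("sid"), payload.get("sub")):
        return None  # signature fine, session gone: revoked
    return payload["sub"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    store = SessionStore()
    store.create("sess-1", "user-42")
    tok = issue_token(secret, "user-42", "sess-1", ttl=3600)
    print(validate_request(secret, store, tok))  # user-42
    store.revoke("sess-1")
    print(validate_request(secret, store, tok))  # None
```

The session lookup runs after the signature check so that an unsigned or forged token never touches the store; the lookup also pins the session to the `sub` claim, so a valid session ID pasted into a token for a different user is rejected.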
Inbound carrier webhooks are HMAC-validated against the carrier's signing key. Spoofed status callbacks are dropped before reaching the database.
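The check that drops a spoofed callback is an HMAC over the raw request body compared in constant time against the header the carrier sent. The example below is added here and is not the platform's or any carrier's code; the signing key, header name, callback fields and the list standing in for the database are all constructed assumptions, and the carrier's real header name and digest format must be taken from its documentation.

```python
import hashlib
import hmac
import json

# Assumptions: key provisioned out of band, header name chosen for the demo.
CARRIER_SIGNING_KEY = b"constructed-carrier-signing-key"
SIGNATURE_HEADER = "X-Carrier-Signature"


def sign_body(key: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes on the wire, hex encoded."""
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()


def build_signed_callback(key: bytes, event: dict):
    """What the carrier side does: serialize, sign, send (constructed stand-in)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    return {SIGNATURE_HEADER: sign_body(key, body)}, body


def verify_webhook(key: bytes, headers: dict, raw_body: bytes):
    """Return the parsed callback only if the signature matches the raw body."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_body(key, raw_body)
    # Compare as bytes in constant time; a missing header simply fails to match.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return json.loads(raw_body)


def handle_status_callback(key: bytes, headers: dict, raw_body: bytes, db: list) -> str:
    """Webhook handler: verify first, touch storage only on success."""
    event = verify_webhook(key, headers, raw_body)
    if event is None:
        return "dropped"
    db.append(event)
    return "stored"


if __name__ == "__main__":
    db = []
    headers, body = build_signed_callback(
        CARRIER_SIGNING_KEY, {"message_id": "msg-constructed-1", "status": "delivered"}
    )
    print(handle_status_callback(CARRIER_SIGNING_KEY, headers, body, db))  # stored
    # Same headers, altered body: the MAC no longer matches.
    print(handle_status_callback(CARRIER_SIGNING_KEY, headers, body.replace(b"delivered", b"failed"), db))  # dropped
```

Two details matter in practice: verify the raw bytes before any JSON parsing (re-serialized JSON rarely matches the carrier's byte layout), and read the body once, since many frameworks consume the stream on first access.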
Cross-account E.164 blocklist. A STOP from any account silences the number for every account on the platform. It cannot be overridden by a different user attempting to message the same number.
Broadcasts auto-pause when stop rates exceed a configurable threshold. The platform protects itself from carrier penalties before a single complaint reaches a regulator.
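The two controls above share one moving part, the inbound STOP: it writes to a platform-wide blocklist keyed only by the canonical E.164 number, and it feeds the stop-rate check that pauses the broadcast. The example below is added here and is not the platform's code; it covers both the cross-account blocklist and the auto-pause. The number normalization (NANP default country code), the batch-send loop, the threshold value and the in-memory tables are assumptions chosen to make the behaviour observable.

```python
import re
from typing import Callable, Dict, List, Optional


def normalize_e164(raw: str, default_country: str = "1") -> Optional[str]:
    """Canonicalize user-entered numbers so every account keys the same way.
    Assumption: NANP default country code; adjust for other markets."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        candidate = "+" + digits
    elif len(digits) == 10:
        candidate = "+" + default_country + digits
    elif len(digits) == 11 and digits.startswith(default_country):
        candidate = "+" + digits
    else:
        return None
    return candidate if re.fullmatch(r"\+[1-9]\d{7,14}", candidate) else None


class GlobalBlocklist:
    """One table for the whole platform, keyed by E.164 with no account column,
    so no account can message a number that opted out through another account."""

    def __init__(self) -> None:
        self._blocked: Dict[str, str] = {}  # number -> account that received the STOP

    def record_stop(self, raw_number: str, source_account: str) -> Optional[str]:
        number = normalize_e164(raw_number)
        if number is None:
            return None
        self._blocked.setdefault(number, source_account)  # first STOP wins; nothing here removes it
        return number

    def is_blocked(self, raw_number: str) -> bool:
        number = normalize_e164(raw_number)
        return number is not None and number in self._blocked


class Broadcast:
    """Sends in batches, honours the blocklist, and pauses itself when this
    broadcast's STOP rate crosses the org's configured threshold."""

    def __init__(self, account: str, recipients: List[str], stop_rate_threshold: float) -> None:
        self.account = account
        self.queue = list(recipients)
        self.threshold = stop_rate_threshold
        self.sent = 0
        self.skipped = 0
        self.stops = 0
        self.paused = False

    def send_batch(self, size: int, blocklist: GlobalBlocklist, deliver: Callable[[str], None]) -> int:
        """Deliver up to `size` messages; returns how many actually went out."""
        delivered = 0
        while self.queue and delivered < size and not self.paused:
            number = self.queue.pop(0)
            if blocklist.is_blocked(number):
                self.skipped += 1  # opted out via any account: never sent
                continue
            deliver(number)
            self.sent += 1
            delivered += 1
        return delivered

    def record_stop(self, raw_number: str, blocklist: GlobalBlocklist) -> None:
        """Inbound STOP for this broadcast: block platform-wide, then re-check the rate."""
        if blocklist.record_stop(raw_number, self.account) is None:
            return
        self.stops += 1
        if self.sent and self.stops / self.sent > self.threshold:
            self.paused = True  # carrier-penalty guard; a human un-pauses


if __name__ == "__main__":
    bl = GlobalBlocklist()
    org_a = Broadcast("org-a", ["+15555550100"], 0.5)
    org_a.send_batch(10, bl, print)
    org_a.record_stop("+1 (555) 555-0100", bl)
    org_b = Broadcast("org-b", ["(555) 555-0100"], 0.5)
    print("org-b delivered:", org_b.send_batch(10, bl, print), "skipped:", org_b.skipped)
```

Normalizing before both the write and the read is the part that makes "cannot be overridden" hold: a second org entering the same number with different punctuation still hits the same blocklist row.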
No shared defaults across tenants. Every organization configures its own AI reply behavior, daily caps, business hours, rate limits, follow-up cadence, and template library — independently. Settings made in one org never leak into another.
We're explicit about what we don't have today. SOC 2 Type II isn't done. Formal GDPR Article 30 documentation isn't published. HIPAA BAAs aren't offered. PCI DSS isn't certified. ISO 27001 isn't audited.
We're not going to put those badges in the footer until they're real. If any are buying requirements, talk to us — most are on the roadmap.
Architecture diagram, threat model, encryption posture, incident-response playbook — all in one PDF. Ask and you'll have it the same day.