
Security

How we protect your data and our platform — described at a level appropriate for public disclosure.

Last updated: June 4, 2026

We apply defence-in-depth controls including encryption in transit and at rest, logical tenant isolation, access controls, monitoring, and incident response aligned with applicable Indian law. For operational security, we do not publish detailed control inventories, network diagrams, authentication parameters, rate-limit thresholds, or API route maps on public pages.

Enterprise customers may request additional security documentation, completed assessment summaries, or a countersigned DPA via karan@callmissed.com.


1. Infrastructure and hosting

CallMissed hosts primary production systems on Microsoft Azure data centres in India (Central India region). Customer personal data and service content are ordinarily stored and processed within India unless we notify you otherwise in writing or applicable law requires a different approach.

Encrypted backups for production data are also maintained within India.

  • Production workloads run in hardened cloud environments with encryption at rest and automated encrypted backups
  • Credentials and secrets are stored in managed secret facilities — not in source code or public configuration
  • Public-facing services use HTTPS with modern TLS configurations
  • Administrative access is restricted, authenticated, and limited to authorised personnel
  • Network access to production systems is restricted; data stores are not exposed directly to the public internet

2. Application and API security

  • Account authentication with session/token lifecycle controls and revocation on sign-out
  • API access via customer-issued keys; raw keys are shown only at creation time
  • Server-side plan and usage enforcement
  • Rate limiting and abuse protection on authentication and API traffic
  • Input validation, sanitisation, and protections against common web vulnerabilities
  • Webhook and callback URL validation to reduce SSRF risk
  • Real-time channels (e.g. voice and live dashboards) require authentication before use

3. Data protection

Multi-tenant isolation

Customer data is logically isolated per organisation. Our APIs are designed so that one customer cannot access another customer's data through normal product use.

Encryption and secrets

  • Encryption in transit for API and real-time connections
  • Encryption at rest for databases and object storage
  • One-way hashing for credentials, API keys, and one-time codes — we do not store raw API keys after issuance

Payments

Payments are processed through RBI-authorised, PCI-DSS compliant payment gateways. CallMissed does not store full card numbers, CVVs, or UPI PINs.


4. Monitoring and incident response

  • Security-relevant events are logged and reviewed according to our internal procedures and applicable Indian cybersecurity directions
  • Customer-facing errors are sanitised — internal details, stack traces, and third-party secrets are not returned to clients

In the event of a security incident or personal data breach likely to affect your rights, we will:

  1. Contain the incident and limit further exposure
  2. Notify affected users without undue delay where personal data is impacted, in plain language
  3. Notify the Data Protection Board of India and/or CERT-In as required by applicable law
  4. Provide statutory breach reporting within prescribed timelines (including detailed reporting to the Board within 72 hours where required under DPDP Rules)
  5. Publish a summary on our status page for material service-impacting incidents

5. Responsible disclosure

We welcome responsible security research. To report a vulnerability:

  • Email: support@callmissed.com
  • Do not publicly disclose until we have addressed the issue
  • Do not access or modify other users' data
  • Do not perform denial-of-service attacks

We acknowledge valid reports within 48 hours and aim to resolve critical issues promptly. We do not pursue legal action against researchers who follow these guidelines.


6. Compliance framework

Our security and privacy programme is designed to align with, among others:

  • Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025
  • Information Technology Act, 2000 and rules thereunder (including reasonable security practices)
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — grievance mechanism where applicable
  • Indian Computer Emergency Response Team (CERT-In) directions — incident reporting and log retention where applicable
  • Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020
  • Reserve Bank of India framework for payment aggregation — customer payments via authorised gateways only

7. Contact