Back to home

Security

How we protect your data and our platform — described at a level appropriate for public disclosure.

Last updated: June 23, 2026

We apply defence-in-depth controls including encryption in transit and at rest, logical tenant isolation, access controls, monitoring, and incident response aligned with applicable Indian law. For operational security, we do not publish detailed control inventories, network diagrams, authentication parameters, rate-limit thresholds, or API route maps on public pages.

Enterprise customers may request additional security documentation, completed assessment summaries, or a countersigned DPA via karan@callmissed.com.


1. Infrastructure and hosting

CallMissed hosts primary production systems on Microsoft Azure data centres in India (Central India region). Customer personal data and service content are ordinarily stored and processed within India unless we notify you otherwise in writing or applicable law requires a different approach.

Production infrastructure runs on Microsoft Azure in India (Central India). Encrypted backups for production data are maintained within India.

  • Production workloads run in hardened cloud environments with encryption at rest and automated encrypted backups
  • Credentials and secrets are stored in managed secret facilities — not in source code or public configuration
  • Public-facing services use HTTPS with modern TLS configurations
  • Administrative access is restricted, authenticated, and limited to authorised personnel
  • Network access to production systems is restricted; data stores are not exposed directly to the public internet

2. Application and API security

  • Account authentication with session/token lifecycle controls and revocation on sign-out
  • API access via customer-issued keys; raw keys are shown only at creation time
  • Server-side plan and usage enforcement
  • Rate limiting and abuse protection on authentication and API traffic
  • Input validation, sanitisation, and protections against common web vulnerabilities
  • Webhook and callback URL validation to reduce SSRF risk
  • Real-time channels (e.g. voice and live dashboards) require authentication before use

3. Data protection

Multi-tenant isolation

Customer data is logically isolated per organisation. Our APIs are designed so that one customer cannot access another customer's data through normal product use.

Encryption and secrets

  • Encryption in transit for API and real-time connections
  • Encryption at rest for databases and object storage
  • Credentials and secrets are protected using industry-standard one-way protection — we do not store raw API keys after issuance

Payments

Payments are processed through RBI-authorised, PCI-DSS compliant payment gateways. CallMissed does not store full card numbers, CVVs, or UPI PINs.


4. People and vendor security

  • Personnel and contractors with access to customer data are bound by confidentiality obligations and are granted access on a least-privilege, need-to-know basis
  • Access is provisioned on onboarding and revoked promptly when no longer required or on offboarding
  • We provide security awareness guidance to team members handling personal data
  • Service partners and sub-processors are vetted for appropriate security practices and are bound by written contracts requiring safeguards consistent with ours (see our DPA)

5. Resilience, backups, and recovery

  • Production data is backed up on a regular schedule using encrypted backups retained within India
  • We periodically test our ability to restore from backups
  • We maintain incident-response and business-continuity procedures proportionate to the risks to the Service

6. Secure development and testing

  • Changes go through code review before release
  • We maintain a vulnerability-management process and apply security updates to our systems and dependencies on an ongoing basis
  • We perform security testing of the platform and engage independent testing from time to time; summaries are available to enterprise customers under NDA

7. Monitoring and incident response

  • Security-relevant events are logged and reviewed according to our internal procedures and applicable Indian cybersecurity directions
  • Customer-facing errors are sanitised — internal details, stack traces, and third-party secrets are not returned to clients

In the event of a security incident or personal data breach likely to affect your rights, we will:

  1. Contain the incident and limit further exposure
  2. Notify affected users without undue delay where personal data is impacted, in plain language
  3. Notify the Data Protection Board of India and/or CERT-In as required by applicable law
  4. Provide statutory breach reporting within prescribed timelines (including detailed reporting to the Board within 72 hours where required under DPDP Rules)
  5. Publish a summary on our status page for material service-impacting incidents

8. Responsible disclosure

We welcome responsible security research. To report a vulnerability:

  • Email: support@callmissed.com
  • Do not publicly disclose until we have addressed the issue
  • Do not access or modify other users' data
  • Do not perform denial-of-service attacks

We acknowledge valid reports within 48 hours and aim to resolve critical issues promptly. We do not pursue legal action against researchers who follow these guidelines.


9. Compliance framework

Our security and privacy programme is designed to align with, among others:

  • Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025
  • Information Technology Act, 2000 and rules thereunder (including reasonable security practices)
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — grievance mechanism where applicable
  • Indian Computer Emergency Response Team (CERT-In) directions — incident reporting and log retention where applicable
  • Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020
  • Reserve Bank of India framework for payment aggregation — customer payments via authorised gateways only

10. Contact