CallMissed
Back to home

Security

Enterprise-grade security for your AI communication infrastructure.

Last updated: April 11, 2026

1. Infrastructure Security

Cloud Infrastructure

  • All infrastructure runs on AWS (Amazon Web Services) in the ap-south-1 (Mumbai) region
  • Database: Amazon RDS PostgreSQL 16 with encryption at rest (AES-256) and automated backups
  • Secrets management: AWS Secrets Manager — no credentials stored in code or environment files
  • Container orchestration: Docker on EC2 with automated deployments via GitHub Actions CI/CD
  • SSL/TLS: All endpoints enforced HTTPS with TLS 1.3

Network Security

  • AWS Security Groups restrict inbound traffic to ports 80/443 only
  • Database is in a private subnet — not directly accessible from the internet
  • SSH access requires a specific key pair and is restricted to authorized IP addresses
  • All API endpoints are behind rate limiting and request size limits (25 MB max)

2. Application Security

Authentication

  • JWT tokens — Access tokens expire in 24 hours, refresh tokens in 7 days
  • Password hashing — bcrypt with 12 rounds of salting
  • Google OAuth — Verified via Google's token endpoint with audience validation
  • Email OTP — 6-digit codes, SHA-256 hashed, 10-minute expiry, 5-attempt lockout with 15-minute cooldown
  • Email verification — Required for all email/password registrations before account activation
  • Token blacklisting — Revoked tokens are blacklisted immediately on logout with periodic cleanup

API Security

  • API key hashing — Keys stored as SHA-256 hashes. Raw keys shown only once at creation.
  • Domain whitelisting — API keys can be restricted to specific domains (default: unrestricted)
  • Per-key rate limiting — 60 requests/minute per API key
  • Per-IP rate limiting — 200 requests/minute globally, stricter limits on auth endpoints (5-10 req/min)
  • Plan enforcement — Free-tier model restrictions enforced server-side (not bypassable)
  • Credit deduction — Atomic database operations prevent double-spend and balance manipulation

Input Validation

  • SQL injection — All queries use parameterized SQLAlchemy ORM. No raw SQL with user input.
  • XSS protection — Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options headers
  • CSRF — JWT Bearer token authentication (inherently CSRF-safe for stateless APIs)
  • Clickjacking — X-Frame-Options: DENY and CSP frame-ancestors 'none'
  • SSRF prevention — Webhook URLs validated against private IP ranges, localhost, and cloud metadata endpoints
  • Input sanitization — Unicode NFC normalization, null byte removal, control character stripping
  • Request size — 25 MB hard limit with both Content-Length and chunked transfer validation

3. Security Headers

Every API response includes the following security headers:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

4. Data Protection

Multi-Tenant Isolation

Every database query is scoped to the authenticated tenant's ID through middleware enforcement. It is architecturally impossible for one tenant to access another tenant's data through our API.

Encryption

  • At rest: AES-256 encryption on Amazon RDS
  • In transit: TLS 1.3 for all API and WebSocket connections
  • Secrets: All API keys, passwords, and OTP codes are one-way hashed (SHA-256 or bcrypt)

Payment Security

  • Payments processed by Cashfree Payments (PCI-DSS Level 1 compliant)
  • We never store card numbers, CVVs, or UPI PINs
  • Webhook signatures verified using HMAC-SHA256
  • Payment reconciliation runs hourly to catch missed webhooks
  • Credit balance uses atomic SQL operations — cannot be manipulated via API

5. WebSocket Security

  • WebSocket connections require authentication before the connection is accepted
  • /ws/call/{id} — Requires valid API key via query parameter
  • /ws/conversations — Requires valid JWT token via query parameter
  • Per-chunk size limit: 1 MB (prevents memory exhaustion)
  • Total connection data limit: 100 MB
  • Maximum connection duration: 1 hour

6. Monitoring and Incident Response

  • All API requests are logged with request ID, latency, status code, and IP address
  • Authentication failures, rate limit violations, and signature mismatches are logged and monitored
  • Error messages never expose internal details, stack traces, or upstream API keys
  • Provider error sanitization strips API keys and auth tokens from error responses

In the event of a security incident, we will:

  1. Contain the incident and prevent further exposure
  2. Notify affected users within 72 hours via email
  3. Report to the Data Protection Board of India as required by DPDPA 2023
  4. Publish a post-mortem on our status page within 7 days

7. Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:

  • Email: support@callmissed.com
  • Do not publicly disclose the vulnerability until we have addressed it
  • Do not access or modify other users' data
  • Do not perform denial-of-service attacks
  • Provide sufficient detail for us to reproduce the issue

We acknowledge all valid reports within 48 hours and aim to resolve critical vulnerabilities within 7 days. We do not pursue legal action against researchers who follow these guidelines.

8. Compliance

  • DPDPA 2023 — Digital Personal Data Protection Act (India) — compliant
  • IT Act 2000 — Information Technology Act (India) — compliant
  • PCI-DSS — Payment processing via Cashfree (PCI-DSS Level 1 certified)
  • Data residency — All primary data stored in India (AWS ap-south-1, Mumbai)

9. Contact

For security-related inquiries or to report a vulnerability: