14-day free trial · compliance included · one account for numbers, voice and SMS.
Twiching
Trust Center

Security at Twiching.

We carry millions of conversations every day for businesses in regulated industries. Security is not a feature — it is the floor under everything we ship. Here is how we build it, prove it, and break it ourselves.

  • SOC 2 Type II: AUDITED 2025
  • ISO 27001: CERTIFIED
  • PCI DSS: LEVEL 1
  • HIPAA: BAA AVAILABLE
  • GDPR · PDPA: COMPLIANT

Posture

Defence at every layer.

From the silicon in our peering routers to the JWT on your API call, we treat every layer as untrusted by default and build outward from there.

01 INFRASTRUCTURE

Carrier-grade by design

Redundant peerings, geo-distributed SBCs, and DDoS-scrubbed ingress — the same hardening pattern used by Tier-1 carriers.

  • Multi-region active-active
  • Anti-DDoS at the edge
  • Hardened SBCs & media plane

02 DATA

Encrypted, segregated, observed

TLS 1.3 on every transit hop, AES-256 at rest, customer-managed keys for sensitive workloads, and full audit trails on every read.

  • SRTP for media, TLS for SIP
  • HSM-backed key management
  • Tamper-evident audit logs

03 PEOPLE & PROCESS

Least privilege, always

Every Twiching employee with production access is background-checked, hardware-key authenticated, and granted JIT permissions reviewed quarterly.

  • SSO + WebAuthn enforced
  • JIT production access
  • Annual security training

01 Governance

Security at Twiching is owned by a dedicated team that reports directly to the CTO and meets monthly with the board's risk committee. We maintain an Information Security Management System (ISMS) aligned to ISO/IEC 27001 and reviewed at least annually.

Independent auditors test our controls every year against the AICPA Trust Services Criteria for SOC 2 Type II (Security, Availability, Confidentiality). Reports are available under NDA.

02 Network security

Twiching's voice and signalling backbone is built on private peerings with redundant capacity in every region we serve. The public attack surface is minimised to a small set of TLS-terminating endpoints behind anti-DDoS scrubbing.

  • Session Border Controllers (SBCs) in active-active pairs, hardware-isolated from billing and identity systems
  • Default-deny network segmentation enforced via ACLs and service-mesh policies
  • Volumetric and application-layer DDoS protection at every ingress
  • SIP message inspection and rate limiting against toll-fraud signatures

03 Data protection

In transit

All API and dashboard traffic is served over TLS 1.3 with modern cipher suites. SIP signalling is secured with TLS, media with SRTP. Internal service-to-service traffic uses mutual TLS with short-lived certificates rotated automatically.

At rest

All customer data is encrypted at rest using AES-256. Encryption keys are stored in HSMs and rotated quarterly. For customers with strict compliance requirements, we offer customer-managed encryption keys (CMEK).

04 Identity & access

Access to customer data is strictly controlled. Role-based access controls (RBAC) ensure employees only have access to the systems they need. All production access requires multi-factor authentication and is logged for audit purposes.

05 Secure development

Security is embedded in our development lifecycle. All code changes undergo peer review, automated SAST/DAST scanning, and dependency vulnerability checks before deployment. We maintain a private bug bounty programme for external researchers.

06 Monitoring & response

Our Security Operations Center (SOC) monitors for threats 24/7. We use SIEM tools to correlate events across our infrastructure and have documented incident response procedures tested quarterly through tabletop exercises.

07 Business continuity

Twiching maintains a Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures. Our multi-region architecture allows for automatic failover with an RTO of less than 15 minutes for core services.

08 Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a vulnerability, please report it to security@twiching.ai. We commit to acknowledging reports within 24 hours and providing regular updates on remediation progress.

09 Reports & contact

Request our security documentation

SOC 2 Type II reports, penetration test summaries, and our security questionnaire are available under NDA for qualified prospects and customers.
