01 Governance
Security at Twiching is owned by a dedicated team that reports directly to the CTO and meets monthly with the board's risk committee. We maintain an Information Security Management System (ISMS) aligned to ISO/IEC 27001 and reviewed at least annually.
Independent auditors test our controls every year against the AICPA Trust Services Criteria for SOC 2 Type II (Security, Availability, Confidentiality). Reports are available under NDA.
02 Network security
Twiching's voice and signalling backbone is built on private peerings with redundant capacity in every region we serve. The public attack surface is limited to a small set of TLS-terminating endpoints behind anti-DDoS scrubbing.
- Session Border Controllers (SBCs) in active-active pairs, hardware-isolated from billing and identity systems
- Default-deny network segmentation enforced via ACLs and service-mesh policies
- Volumetric and application-layer DDoS protection at every ingress
- SIP message inspection and rate limiting against toll-fraud signatures
03 Data protection
In transit
All API and dashboard traffic is served over TLS 1.3 with modern cipher suites. SIP signalling is secured with TLS, media with SRTP. Internal service-to-service traffic uses mutual TLS with short-lived certificates rotated automatically.
At rest
All customer data is encrypted at rest using AES-256. Encryption keys are stored in HSMs and rotated quarterly. For customers with strict compliance requirements, we offer customer-managed encryption keys (CMEK).
04 Identity & access
Access to customer data is strictly controlled. Role-based access controls (RBAC) ensure employees only have access to the systems they need. All production access requires multi-factor authentication and is logged for audit purposes.
05 Secure development
Security is embedded in our development lifecycle. All code changes undergo peer review, automated SAST/DAST scanning, and dependency vulnerability checks before deployment. We maintain a private bug bounty programme for external researchers.
06 Monitoring & response
Our Security Operations Center (SOC) monitors for threats 24/7. We use SIEM tools to correlate events across our infrastructure and have documented incident response procedures tested quarterly through tabletop exercises.
07 Business continuity
Twiching maintains a Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures. Our multi-region architecture allows for automatic failover with an RTO of less than 15 minutes for core services.
08 Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. If you believe you have found a vulnerability, please report it to security@twiching.ai. We commit to acknowledging reports within 24 hours and providing regular updates on remediation progress.
09 Reports & contact
Request our security documentation
SOC 2 Type II reports, penetration test summaries, and our security questionnaire are available under NDA for qualified prospects and customers.