An honest summary of how the platform is built and what protections are in place today. We do not claim certifications we do not hold.
Every domain table is workspace-scoped and protected by database-enforced row-level security. Authorization is enforced in the database, not just the UI — a compromised client cannot read another workspace's data. Platform-computed records (calls, call events, transcripts, usage) are read-only for tenants; only backend services can write them.
Workspace roles (owner, admin, manager, operator, member, viewer) gate sensitive actions; only owners can change roles, and privileged platform functions are executable only by backend service credentials. Sensitive administrative actions are written to an immutable audit log by database triggers.
Data is hosted in the Asia-Pacific (Mumbai) region and encrypted in transit (TLS). Storage encryption at rest is provided by our infrastructure providers. Secrets are kept server-side only and are never shipped to the browser. Phone numbers are masked in cross-tenant admin views and in operational logs.
Payments run through Razorpay. Card and UPI details never touch our servers; payment confirmations are verified server-side with cryptographic signatures, and webhook deliveries are HMAC-verified and de-duplicated.
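The webhook handling described above, as an added example (not the platform's or Razorpay's code): an HMAC-SHA256 check over the raw request body, followed by de-duplication on an id taken from the signed payload. The secret, the `event_id` field, and the sample payload are constructed assumptions.

```python
import hashlib
import hmac
import json


class WebhookReceiver:
    """Verify the signature first, then de-duplicate on an id inside the signed body."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Assumption: in production this would be a database unique constraint,
        # not process memory, so it survives restarts and multiple workers.
        self._seen_ids = set()

    def signature_for(self, raw_body: bytes) -> str:
        return hmac.new(self._secret, raw_body, hashlib.sha256).hexdigest()

    def handle(self, raw_body: bytes, signature_header: str) -> str:
        # Sign the exact bytes received; re-serialised JSON may not match.
        expected = self.signature_for(raw_body)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), signature_header.encode()):
            return "rejected"
        # Parse only after verification, and take the de-duplication key from
        # the signed body so an unauthenticated sender cannot choose it.
        event_id = json.loads(raw_body)["event_id"]  # hypothetical field name
        if event_id in self._seen_ids:
            return "duplicate"
        self._seen_ids.add(event_id)
        return "processed"


# Constructed sample values for the demonstration.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"event_id": "evt_constructed_001", "amount": 49900}'


def demo() -> list:
    rx = WebhookReceiver(SECRET)
    good_sig = rx.signature_for(SAMPLE_BODY)
    tampered = SAMPLE_BODY.replace(b"49900", b"1")
    return [
        rx.handle(tampered, good_sig),     # body changed after signing
        rx.handle(SAMPLE_BODY, good_sig),  # first valid delivery
        rx.handle(SAMPLE_BODY, good_sig),  # provider retry of the same event
    ]


if __name__ == "__main__":
    print(demo())
```

Because the rejected delivery never reaches the de-duplication step, a forged request cannot mark a genuine event as already seen.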
The calling engine enforces TRAI quiet hours (9:00–21:00 IST), per-workspace Do-Not-Call lists, optional consent-required calling, retry caps, and concurrency limits.
We are an early-stage product. We do not currently hold SOC 2, ISO 27001, or similar certifications, and we do not yet offer a formal SLA. If a certification matters for your procurement, talk to us about our roadmap.
If you believe you have found a security issue, email hello@samparkkaro.in with details. We acknowledge reports within 2 business days and will not pursue good-faith researchers.