Security & Compliance

We handle your phone line.
Here's exactly how we protect it.

Before you hand us your business number, you should know how we handle call recordings, caller data, consent requirements, and uptime. Everything is on this page.

All systems operational Last checked: live

01 / TCPA & Call Recording

Every call is disclosed.
No exceptions.

The Telephone Consumer Protection Act (TCPA) requires businesses to inform callers when a call is being recorded. Calling Matrix handles this at the start of every call with a configurable disclosure message — by default, something like: "This call may be recorded for quality and service purposes."

We work with you during onboarding to set the exact language. If your state requires a more explicit consent notice (see two-party consent states below), we configure the disclosure accordingly before your number goes live.

Calling Matrix does not use caller information to send unsolicited marketing messages. Caller data is used exclusively to fulfill the service — booking, routing, and follow-up — on your behalf.

Disclosure on every call

Recording notice plays at the start of every inbound call. Configurable language, set during your onboarding session.

No unsolicited outbound calls

Calling Matrix does not initiate outbound calls to callers without explicit instruction from you. No auto-dialing, no spam.

Caller data never sold

Names, phone numbers, and addresses collected during calls are yours. We don't share, sell, or use them for any purpose outside your account.

Audit-ready call logs

Every call is logged with timestamp, duration, outcome, and recording. Exportable from your dashboard at any time.

02 / Two-Party Consent States

We know which states require
consent from both parties.

Most U.S. states follow one-party consent — only one person on the call needs to know it's being recorded. Eleven states require all-party (two-party) consent, meaning every caller must be informed before recording begins.

If your business operates in any of the states below, Calling Matrix automatically uses a consent-compliant disclosure. We confirm your service territory during onboarding and configure the appropriate notice — you don't need to manage this yourself.

2-party California
2-party Connecticut
2-party Florida
2-party Illinois
2-party Maryland
2-party Massachusetts
2-party Michigan
2-party Montana
2-party New Hampshire
2-party Oregon
2-party Pennsylvania
2-party Washington

03 / Data Handling & Encryption

Encrypted in transit.
Encrypted at rest.

All data transmitted between callers, our infrastructure, and your integrations is encrypted using TLS 1.2 or higher. Call recordings and lead data stored on our servers are encrypted at rest using AES-256.

We do not store payment information. Billing is handled entirely through our payment processor — no card data touches our servers.

TLS 1.2+ in transit

All data moving between systems — calls, webhooks, CRM syncs — travels over encrypted connections.

AES-256 at rest

Call recordings, transcripts, and lead data stored on our servers are encrypted at rest.

No payment data stored

Billing is processed entirely through our payment provider. No card numbers, bank details, or PCI-scoped data on our servers.

Data deletion on request

Request full deletion of your account data at any time. We process deletion requests within 30 days.

04 / Data Retention

What we keep and
for how long.

We retain call recordings, transcripts, and lead data for 90 days by default. You can export or delete this data from your dashboard at any time within that window.

After 90 days, recordings and transcripts are automatically purged from our systems. Lead contact information synced to your CRM or Google Sheets remains in those systems — under your control, governed by those platforms' retention policies.

When you cancel your Calling Matrix account, all call data is deleted within 30 days of account closure. You'll receive an email confirmation when the deletion is complete.

05 / Uptime & SLA

What we guarantee
on every plan.

Calling Matrix runs on redundant infrastructure built for high-availability voice workloads. Emergency routing and after-hours coverage are the most uptime-critical parts of what we do — a missed call at 2 AM during a burst pipe costs your customer hundreds of dollars and costs you the job.

After Hours + Starter

99.9% uptime

Less than 9 hours downtime per year. Backed by infrastructure SLA.

Growth

99.9% uptime

Priority routing failover included. Incidents communicated within 15 minutes.

SLA credits apply when uptime falls below the guaranteed threshold. See your service agreement for credit calculation details. Scale-tier SLA terms are negotiated as part of the contract.

06 / Certifications & Roadmap

Where we are and
where we're headed.

We're a focused team building toward enterprise-grade compliance. Here's an honest picture of our current status and roadmap.

TCPA-compliant call disclosures

Enabled on all accounts. Configurable per state and use case.

TLS 1.2+ and AES-256 encryption

All data encrypted in transit and at rest.

Contractual SLA for Scale tier

99.99% uptime SLA available in Scale-tier service agreements.

SOC 2 Type I — In progress

Audit scoping underway. Target: Q4 2026. Report will be available to enterprise customers under NDA on completion.

Public status page — Planned

Live uptime dashboard with incident history. Scheduled for Q3 2026.

HIPAA Business Associate Agreement — Evaluating

Not currently offered. Under evaluation for healthcare-adjacent trades (home health, med-spa, dental HVAC). No timeline yet.

07 / Security Contact

Questions or a vulnerability
to report?

If you have a security question, a compliance requirement we haven't addressed here, or you've found a vulnerability in our systems — reach out directly. We take security reports seriously and respond within one business day.

Security questions, compliance inquiries, and vulnerability reports go to the same inbox — we handle them personally.

Email [email protected]
Request a callback