Security
How we protect your business and customer data. Last updated: 25 February 2026.
Security is fundamental to everything we build at Turnless. You're trusting us with sensitive business data and customer information — we take that seriously at every layer of our stack.
Data Encryption
- All data in transit encrypted with TLS 1.3
- Data at rest encrypted with AES-256
- Call recordings encrypted before storage
- Phone calls secured with SRTP
Infrastructure
- Hosted on AWS (SOC 2 & ISO 27001 certified infrastructure)
- DDoS protection via AWS Shield
- Databases not publicly accessible — restricted to authorised systems
- Automated encrypted backups with point-in-time recovery
Access Controls
- Two-factor authentication (2FA) available for all accounts
- Session management with automatic timeout
- Role-based access control with least-privilege principle
- Multi-tenant data isolation — your data is never shared
Application Security
- SQL injection prevention via parameterised queries
- XSS and CSRF protection
- Rate limiting to prevent abuse
- Automated dependency vulnerability scanning
Trusted third-party providers
StripePCI DSS Level 1 certified payment processor
TwilioSOC 2 Type II certified telephony provider
OpenAIEnterprise-grade AI with data privacy and security commitments
AnthropicEnterprise-grade AI with data privacy commitments
AWSSOC 2, ISO 27001, and multiple security certifications
Data retention & deletion
- Call recordings retained for 90 days by default
- Account data deleted within 90 days of account closure
- Secure deletion using industry-standard methods
- You can request immediate data deletion at any time
Compliance
Australian Privacy Act 1988GDPR (where applicable)SOC 2 (in progress)
Found a vulnerability?
Please report it responsibly. Don't publicly disclose until we've had a chance to address it — we aim to respond within 24 hours.
hello@turnless.ai