Security

Built to keep your customers’ data safe.

TTN handles inbound calls, SMS, photos and customer details on behalf of trade businesses. This page describes controls that are currently implemented and avoids claiming certifications we do not hold.

How we protect data

Current application controls.

Encryption in transit

Public TTN web, API and voice endpoints are served over HTTPS. Provider connections use TLS.

Tenant isolation

Authenticated application queries derive the business identity from the verified session and scope customer records to that business.

Access controls

Customer identity is provided by Clerk. Privileged actions use role checks and selected administrative changes are audit logged.

Provider verification

Stripe, Clerk and Twilio HTTP webhooks are verified using provider signatures before their payloads are processed.

Private uploads

Customer upload links use random expiring tokens. Uploaded files are kept private and served through authorised application routes.

Security improvement

We review dependencies, infrastructure and application controls and prioritise remediation based on customer and business risk.

Compliance & frameworks

Honest about where we are.

We are not currently SOC 2 audited or ISO/IEC 27001 certified. Certification may be considered when customer requirements justify it.

Australian privacy obligations
Alignment in progress
SOC 2 Type II
Not audited or certified
ISO/IEC 27001
Not certified

Data retention

  • Call recordingsOptional; business controlled
  • TranscriptsOptional; business controlled
  • Job contentRetained for service delivery
  • Technical logsLimited operational retention
  • DeletionSubject to provider and backup expiry

Sub-processors

Principal providers used to deliver the service. Processing may occur outside Australia as described in our privacy notice.

  • Cloud infrastructureHetzner (Singapore)
  • Edge / DNSCloudflare
  • TelephonyTwilio
  • AI / speechOpenAI
  • IdentityClerk
  • PaymentsStripe
  • EmailResend
Responsible disclosure

Found something? Tell us.

We treat responsible disclosure as a partnership. Use our contact form and select the security category, including reproduction steps and impact.

Please don’t access data that isn’t yours, run automated scanners against our production systems, or publicly disclose before we’ve had a chance to fix.