Security

Built like a system you can audit.

AutomationFire handles voice calls, SMS, customer records, and Google API data for seven local service brands every day. Here’s how that data is protected.

Six pillars

Encryption everywhere

TLS 1.2+ in transit. Encryption at rest for every database row. Sensitive fields (BYON credentials, API keys, push tokens) wrapped in authenticated symmetric encryption with per-tenant keys.

Row-level security on every table

No customer can read another customer's data. RLS is enforced at the database layer, not the application layer. Service-role bypass is reserved for system jobs and audited.
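To make concrete what "enforced at the database layer, not the application layer" means, here is an added PostgreSQL illustration (not AutomationFire's own schema): a hypothetical tenant-scoped table, a policy keyed on a per-transaction tenant setting, and a separate BYPASSRLS role standing in for the audited service-role path. Table, role and setting names are assumptions.

```sql
-- Hypothetical tenant-scoped table (illustrative names, not the real schema).
CREATE TABLE customer_records (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id uuid NOT NULL,
  phone     text NOT NULL,
  notes     text
);

-- Enable RLS, and FORCE it so even the table owner is subject to the policies.
ALTER TABLE customer_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_records FORCE ROW LEVEL SECURITY;

-- Application connections run as this role; it has no way around the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON customer_records TO app_user;

-- A row is readable or writable only when its tenant_id equals the tenant bound
-- to the current transaction. NULLIF guards the case where the setting exists
-- but is empty (e.g. after a prior SET LOCAL ended), so an unscoped session
-- matches nothing instead of failing open or raising a cast error.
CREATE POLICY tenant_isolation ON customer_records
  FOR ALL TO app_user
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- System jobs use a distinct role that bypasses RLS; every use of it should be
-- logged, since it is the only path that can see across tenants.
CREATE ROLE system_jobs NOLOGIN BYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON customer_records TO system_jobs;

-- Per-request usage by the application. SET LOCAL scopes the tenant to this
-- transaction only, so it cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SELECT id, phone FROM customer_records;  -- returns only this tenant's rows
COMMIT;
```

A quick check for such a setup is to run the SELECT without the SET LOCAL: under the policy above it must return zero rows, not every row.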

Scoped API keys

Per-permission keys (booking-only, voice-only, full). Per-tenant rate limiting. Revoke any key in one click. Every request logged in the API audit log.

Google Limited Use compliance

Google API user data (Business Profile, Search Console, Calendar, Sign-In) is used only to deliver user-facing features. Not for advertising. Not for AI training. See the Privacy Policy section 5.

No human reads your messages

Voice transcripts and SMS content are not read by humans except for security investigations or with your explicit consent for support. AI subprocessors operate under their respective DPAs.

Audit logs

Every API request, login, settings change, and admin action lands in sitegen_api_request_log. Searchable by tenant, user, action, and time window.

Subprocessor compliance posture

Database & auth subprocessor: SOC 2 Type II certified.
Payment processor: SOC 1 / SOC 2 certified.
Application hosting: SOC 2 Type II certified.
Voice & SMS subprocessor: HIPAA-eligible. BAA available on request for healthcare verticals.

Full subprocessor list with categories of data shared appears in the Privacy Policy.

Specific protections we ship

  • Voice call recordings and transcripts retained per your tier (default 90 days, longer on Voice Growth and Pro).
  • BYON credentials encrypted with authenticated symmetric keys; only the service-role client can decrypt.
  • Per-customer AI subprocessor accounts available on the agency tier so voice data flows through customer-controlled infrastructure.
  • Self-hosted voice media infrastructure (US-East) for voice-call media plane isolation.
  • IP allowlisting available for admin endpoints on the enterprise tier.
  • Bug bounty: email security@automationfire.com with details. We respond within 24 hours.

HIPAA

For dental, medical, and other healthcare verticals: AutomationFire supports HIPAA-aware automation rules out of the box (PHI-safe SMS templates, no treatment details in marketing flows, audit logs on every PHI-adjacent action). Full HIPAA compliance with a Business Associate Agreement is a separate enrollment. Talk to sales.

Request a BAA

Reporting a vulnerability?

Email security@automationfire.com. We respond within 24 hours and credit you in the changelog.