Enterprise-Grade Security From the Ground Up
We built Phone Keepsakes on infrastructure trusted by the world's largest companies. Here is exactly how your data is protected at every layer.
Security Status
All systems protected
4 layers — storage, transit, payments, edge
Built on Trusted Infrastructure
Every layer of Phone Keepsakes runs on industry-leading, independently audited platforms
Amazon Web Services
SOC 1 / SOC 2 / ISO 27001
All voicemail audio files are stored on AWS S3 with AES-256 server-side encryption. AWS data centers maintain the most comprehensive set of compliance certifications in the cloud industry.
Cloudflare
SOC 2 Type II / ISO 27001
All traffic is routed through Cloudflare's global network, providing DDoS protection, Web Application Firewall, and TLS encryption at the edge before requests reach our servers.
Google Cloud
SOC 2 / ISO 27001 / GDPR
Custom greeting audio is generated using Google Cloud Text-to-Speech. Google Cloud maintains SOC 2, ISO 27001, and GDPR compliance across its AI and cloud services.
OpenAI
SOC 2 Type II / GDPR
Voicemail transcription is powered by OpenAI's Whisper API. API data is never used for model training. Audio is encrypted in transit via TLS and at rest via AES-256 on OpenAI's infrastructure.
Stripe
PCI Level 1 / SOC 2 / GDPR
All payments are processed by Stripe. Your credit card details never touch our servers. Stripe holds PCI Level 1 certification — the highest standard in the payments industry.
Twilio
SOC 2 Type II / GDPR / HIPAA
Phone numbers, call routing, and voicemail recording are powered by Twilio. Twilio processes over a billion calls annually and maintains SOC 2 Type II certification.
We Will Never Sell Your Data. Period.
Your voicemails are not a product. Your caller information is not for sale. We make money by providing a useful service — not by monetizing your private content. This is a promise, not a marketing claim.
How We Protect Your Data
Multiple layers of security from the moment a call is placed to the moment you press play
Encryption at Rest
Every voicemail file is encrypted on AWS S3 using AES-256 server-side encryption. Even if storage media were physically compromised, your files would be unreadable without the encryption keys managed by AWS Key Management Service.
Encryption in Transit
All connections use TLS 1.2 or higher. Cloudflare enforces TLS at the edge, and all internal connections to AWS and Twilio are encrypted. No data is ever transmitted in plaintext.
Signed URLs
When you play or download a voicemail, the system generates a time-limited signed URL that expires within minutes. These URLs cannot be reused or shared — each request generates a unique, expiring link.
Private Storage Architecture
All S3 storage buckets are locked to private access by default — no public endpoints, no directory listing, no direct object URLs. Every file request must pass through our authenticated application layer before reaching storage.
Owner-Only Access
Your voicemails are only accessible through your authenticated account. There is no public URL and no shared folder. We do not routinely access recordings and only do so when required for technical support or legal compliance.
Webhook Verification
Incoming data from Twilio and Stripe is verified using cryptographic signatures before processing. This prevents spoofed or tampered requests from being accepted by our system.
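The signature checks described above, as an added example that is not Phone Keepsakes' own code: it follows the webhook signing schemes Stripe and Twilio document publicly (Stripe-Signature and X-Twilio-Signature headers). The secrets, URL, payloads and the 300-second replay tolerance are constructed placeholders and assumptions.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from the page


def stripe_expected(secret, timestamp, body):
    """Stripe v1 scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    signed = timestamp.encode() + b"." + body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_stripe(secret, header, body, now=None):
    """Check a Stripe-Signature header: "t=<unix>,v1=<hex>[,v1=<hex>]"."""
    pairs = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    timestamp = next((v for k, v in pairs if k == "t"), "")
    candidates = [v for k, v in pairs if k == "v1"]
    if not (timestamp.isascii() and timestamp.isdigit() and candidates):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = stripe_expected(secret, timestamp, body).encode()
    # Constant-time compare; two v1 values can appear while a secret is rolled.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def twilio_expected(auth_token, url, params):
    """Twilio scheme: base64 HMAC-SHA1 over URL + sorted POST key/value pairs."""
    data = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_twilio(auth_token, url, params, header):
    """Compare X-Twilio-Signature with the value recomputed from the request."""
    expected = twilio_expected(auth_token, url, params).encode()
    return hmac.compare_digest(expected, header.encode())


# Constructed sample inputs (placeholder secrets, URL and payloads).
STRIPE_SECRET, TWILIO_TOKEN = "whsec_example_placeholder", "example_auth_token"
BODY = b'{"id":"evt_example","type":"checkout.session.completed"}'
URL = "https://app.example.test/hooks/voicemail"
FORM = {"RecordingSid": "RE_example", "From": "+15550100", "CallSid": "CA_example"}
```

Both checks must run on the raw request body and the exact public URL the provider called; a body re-serialized by a framework or a URL rewritten by a proxy will not match.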
DDoS & Edge Protection
Cloudflare's global network sits in front of our application, blocking malicious traffic, mitigating DDoS attacks, and filtering threats with a Web Application Firewall before they reach our servers.
Caller Blocking
Block unwanted callers from your event phone number with one click. Blocked numbers are immediately prevented from leaving further voicemails, keeping your inbox clean and your event secure.
Compliance & Your Data Rights
We respect your rights over your own data and support international privacy standards
GDPR Ready
We support the rights granted by the EU General Data Protection Regulation, including:
- Right to access your data
- Right to deletion (right to be forgotten)
- Right to data portability (download all files)
- Right to rectification of personal data
Account Deletion
You are in full control of your account. You can request account deletion at any time from within your dashboard:
- Contact support from your dashboard at any time
- All voicemails and personal data permanently removed
- Download your files first — deletion is irreversible
- No questions asked, no hoops to jump through
Privacy by Design
Privacy is not an afterthought — it is built into the architecture of the platform:
- CSRF protection on every form submission
- Email verification required for sensitive actions
- Session-based auth (no persistent tokens)
- Industry-standard encryption used wherever possible
Inherited Compliance
Through our infrastructure partners, your data benefits from certifications including:
- SOC 1 & SOC 2 Type II (AWS, Twilio, Stripe, OpenAI, Google Cloud)
- ISO 27001 (AWS, Cloudflare, Google Cloud)
- PCI DSS Level 1 (Stripe)
- GDPR & CCPA compliance (all providers)