Trust center

Security isn't a feature.
It's the foundation.

Every layer of Fonabit, from the models we run to the carrier routes we own, is built with security and compliance as defaults, not afterthoughts.

SOC 2 Type II · HIPAA · GDPR · CCPA · TCPA · A2P 10DLC · STIR/SHAKEN · ISO 27001
99.9%: Uptime SLA
256-bit: AES encryption at rest
TLS 1.3: All data in transit
0: Data sold to third parties

Certifications
Verified by independent auditors

HIPAA: Compliant
BAA (Business Associate Agreement) available for enterprise plans. Technical, physical, and administrative safeguards in place for PHI. PHI never routed to in-house LLM without explicit consent.

GDPR: Compliant
EU data stays in EU. Frankfurt node for all European processing. Data Processing Agreements (DPAs) available. Right to erasure, data portability, and subject access requests fully supported.

CCPA / CPRA: Compliant
California consumer privacy rights fully supported. Opt-out of sale/sharing. 45-day DSR response SLA. Do-not-sell signals honoured across all channels.

ISO 27001: In progress · Q3 2026
Information security management system certification in progress. Gap assessment complete. Audit scheduled for Q3 2026.

PCI DSS: Roadmap · 2026
Payment card industry compliance planned for FinTech-specific deployments. Scoped for wallet and billing infrastructure. Timeline: H2 2026.

Security architecture
Four pillars, no shortcuts

Encryption everywhere
AES-256 at rest. TLS 1.3 in transit. Keys managed in AWS KMS with automatic rotation. No plaintext secrets in code, configs, or logs.

Network isolation
VPC-isolated environments. Private subnets for databases. Web Application Firewall on all endpoints. DDoS protection. Zero-trust internal networking.

Continuous monitoring
SIEM with real-time alerting. Vulnerability scanning on every deploy. Penetration testing quarterly. Security event logs retained 12 months.

Access control
Role-based access control. MFA enforced for all staff. Privileged access management. Audit log of every administrative action. Principle of least privilege enforced.

Regulatory compliance
Every channel. Every regulation.
Compliance is enforced at the infrastructure layer, not as an optional add-on.

| Regulation | Scope | Status | Enforced |
| --- | --- | --- | --- |
| TCPA | US SMS & voice consent, DNC, quiet hours | Active | Automatically |
| A2P 10DLC | US SMS brand & campaign registration | Registered | Per account |
| STIR/SHAKEN | US voice call authentication | Full A | All calls |
| GDPR | EU data privacy & residency | Compliant | Automatically |
| CAN-SPAM | US email marketing rules | Active | All emails |
| CCPA / CPRA | California consumer privacy | Compliant | Per account |
| HIPAA | Healthcare data protection | BAA required | Enterprise plan |
| TRAI DLT | India telecom regulatory authority | Registered | India routes |

Data privacy
Your data is yours.

We don't sell, share, or train on your data.

Fonabit does not use customer data to train AI models, including our own in-house models. All model training uses proprietary datasets and publicly licensed corpora only.

Message content is never stored beyond the delivery confirmation window. PII is redacted before any data touches a peer LLM (Claude, GPT-4o, Gemini). You control exactly what data leaves your environment.

No training on your data
Customer conversations, messages, and documents are never used to train Fonabit models.

PII redaction before peer LLMs
Phone numbers, names, and sensitive fields are redacted before any query reaches an external model.

Data residency by region
US data stays in US. EU data stays in EU (Frankfurt). India data stays in India (Mumbai). Choose your region.

Full data portability
Export all your data any time, in machine-readable format. Deletion requests completed within 30 days.

Found a vulnerability?

We take security reports seriously. If you've found a security issue in any Fonabit product, we want to hear from you immediately.

Responsible disclosure process
1. Email security@fonabit.ai with a detailed description and proof of concept if available.
2. We acknowledge within 24 hours and provide a tracking reference.
3. We investigate and patch critical issues within 72 hours, others within 14 days.
4. We credit researchers in our security acknowledgements. Bug bounties available for critical findings.

© 2026 Fonabit Inc. All rights reserved.
