
Overview

SmartAlex is built with security as a priority. We implement industry-standard practices to protect your data, calls, and customer information.

Data Protection

Encryption

Data State | Protection
In Transit | TLS 1.3 encryption for all connections
At Rest | AES-256 encryption for stored data
Recordings | Encrypted storage with access controls
API Keys | Hashed and never stored in plain text

Data Centers

SmartAlex infrastructure is hosted on secure cloud platforms with:
  • SOC 2 Type II certified data centers
  • Geographic redundancy
  • 24/7 monitoring
  • Physical security controls

Authentication & Access

Account Security

Feature | Description
Password Requirements | Minimum 8 characters with complexity rules
Multi-Factor Authentication | TOTP-based 2FA available
Session Management | Automatic timeout and device tracking
API Key Rotation | Generate new keys anytime

Multi-Factor Authentication (MFA)

Protect your account with MFA:
  1. Go to Security Settings: navigate to Settings > Security
  2. Enable MFA: click Enable Multi-Factor Authentication
  3. Scan QR Code: use an authenticator app (Google Authenticator, Authy, 1Password)
  4. Verify Code: enter the 6-digit code to confirm setup
  5. Save Backup Codes: download backup codes for account recovery

Store backup codes securely. They’re required if you lose access to your authenticator app.

Team Access Controls

Role | Permissions
Owner | Full access including billing and user management
Admin | Full access except billing
Manager | Manage agents, campaigns, and contacts
Viewer | Read-only access to analytics

Call Security

Recording Protection

  • Recordings are encrypted at rest
  • Access requires authentication
  • Recording URLs are temporary and expire
  • Optional recording deletion policies

Transcript Security

  • Transcripts are processed securely
  • No human review without consent
  • Data is not used to train models
  • Automatic PII detection available

Compliance

GDPR

SmartAlex supports GDPR compliance:
Right | Support
Right to Access | Export all your data anytime
Right to Rectification | Update contact information
Right to Erasure | Delete accounts and data
Data Portability | Export in standard formats

TCPA Compliance

For US calling regulations:
  • DNC List Support - Maintain Do Not Call lists
  • Calling Hours - Configure allowed calling times
  • Consent Tracking - Record consent for outbound calls
  • Caller ID - Proper caller identification

HIPAA

For healthcare organizations:
  • Business Associate Agreement (BAA) available
  • PHI protection measures
  • Audit logging
  • Access controls
Contact sales for HIPAA-compliant deployments and BAA agreements.

Infrastructure Security

Network Security

  • Web Application Firewall (WAF)
  • DDoS protection
  • Rate limiting
  • IP allowlisting (enterprise)

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Automated threat response
  • Regular security audits

Incident Response

In the event of a security incident:
  1. Immediate containment
  2. Customer notification within 72 hours
  3. Root cause analysis
  4. Preventive measures implementation

API Security

Authentication

All API requests require authentication:
curl -X GET "https://api.getsmartalex.com/v1/agents" \
  -H "Authorization: Bearer YOUR_API_KEY"

Best Practices

  • Never commit API keys to version control
  • Use environment variables
  • Rotate keys regularly
  • Use separate keys for development and production
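
Verify webhook signatures to ensure requests are from SmartAlex:
const crypto = require('crypto');

// Recompute the HMAC-SHA256 of the payload and compare it with the received signature.
function verifySignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');

  // Compare in constant time; timingSafeEqual throws on unequal lengths, so check first.
  const received = Buffer.from(String(signature), 'utf8');
  const computed = Buffer.from(expected, 'utf8');
  return received.length === computed.length &&
    crypto.timingSafeEqual(received, computed);
}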
Implement rate limiting on your webhook endpoints to prevent abuse.
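
A webhook receiver that combines the two recommendations above, rate limiting and signature verification, as an added example that is not SmartAlex's own code. It assumes the signature is the hex HMAC-SHA256 of the request body exactly as sent; `createRateLimiter`, `createWebhookHandler`, the event name, the IP and the secret are hypothetical.

```javascript
const crypto = require('crypto');

// Fixed-window limiter: at most `limit` requests per `windowMs` for each client key.
function createRateLimiter(limit, windowMs) {
  const windows = new Map(); // key -> { start, count }
  return function allow(key, now = Date.now()) {
    const w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Hex HMAC-SHA256 of the body: the construction the page's verifySignature uses.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Constant-time comparison; the length check keeps timingSafeEqual from throwing.
function signatureMatches(rawBody, signature, secret) {
  const expected = Buffer.from(sign(rawBody, secret), 'utf8');
  const received = Buffer.from(String(signature || ''), 'utf8');
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Returns a function that maps one delivery to the HTTP status to send back.
function createWebhookHandler(secret, allow) {
  return function handle({ ip, rawBody, signature }, now = Date.now()) {
    if (!allow(ip, now)) return 429; // throttle before doing any crypto work
    if (!signatureMatches(rawBody, signature, secret)) return 401;
    let event;
    try { event = JSON.parse(rawBody); } catch (err) { return 400; }
    if (event === null || typeof event !== 'object') return 400;
    return 200; // authenticated: process `event` here
  };
}

// Constructed sample delivery (event name, id and IP are made up for the demo).
const demoSecret = 'constructed-test-secret';
const demoBody = JSON.stringify({ event: 'call.completed', id: 'constructed-1' });
const demoHandle = createWebhookHandler(demoSecret, createRateLimiter(3, 60000));
console.log(demoHandle({ ip: '203.0.113.7', rawBody: demoBody,
  signature: sign(demoBody, demoSecret) }));
```

In a real server, pass the unparsed request body to the handler; a body that has been parsed and re-serialized may no longer match the bytes that were signed.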

Vulnerability Reporting

Responsible Disclosure

If you discover a security vulnerability:
  1. Do not publicly disclose the vulnerability
  2. Email security@getsmartalex.com
  3. Include detailed information about the issue
  4. Allow reasonable time for resolution
We appreciate security researchers and will:
  • Acknowledge receipt within 24 hours
  • Provide updates on remediation progress
  • Credit reporters (with permission) in security advisories

Security FAQ

Only authorized users in your organization can access recordings. SmartAlex staff do not access recordings unless specifically authorized for support purposes.

Data retention varies by plan:
  • Professional: 30 days for recordings
  • Dental: 90 days for recordings
  • Real Estate: 1 year for recordings
Contacts and call metadata are retained until you delete them.

Yes. You can:
  • Delete individual contacts and calls
  • Delete recordings
  • Export and delete all data
  • Delete your entire account

No. Your call data, recordings, and transcripts are not used to train any AI models. Your data remains private and is used only to provide the service.

SOC 2 Type II certification is in progress. Contact us for the current security assessment report.