Security & trust.
A phone platform handles voice, messages, and billing — three things you cannot afford to get wrong. Here's how we protect them.
Hard tenant isolation
Every tenant table runs Postgres row-level security in FORCE mode. The only path to data is through a per-org session — no cross-tenant query is reachable, even from our own application code.
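For readers who have not used the mechanism, here is a minimal sketch of forced row-level security with a per-org session, added as an illustration and not taken from our production schema. The table `calls`, the setting `app.current_org` and the UUIDs are hypothetical names and constructed values.

```sql
-- Hypothetical tenant table (constructed for this example).
CREATE TABLE calls (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    caller  text NOT NULL,
    callee  text NOT NULL
);

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the
-- table owner, which is normally exempt. Superusers and roles with BYPASSRLS
-- still skip policies, so the application role must be neither.
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE ROW LEVEL SECURITY;

-- Fail closed: with no org set, current_setting(..., true) yields NULL (or ''
-- after a reset), the comparison is never true, and no row is visible.
CREATE POLICY calls_tenant_isolation ON calls
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per-org session: the third argument 'true' makes the setting
-- transaction-local, so it cannot leak to the next request on a pooled
-- connection.
BEGIN;
SELECT set_config('app.current_org',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO calls (org_id, caller, callee)
VALUES ('11111111-1111-1111-1111-111111111111', '+15550100', '+15550101');
-- Reads are filtered by USING; a write carrying another org_id is rejected
-- by WITH CHECK.
SELECT id, caller, callee FROM calls;
COMMIT;

-- Audit 1: tables in the schema that are missing ENABLE or FORCE.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: roles that bypass RLS regardless of FORCE.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```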
Encryption at rest and in transit
TLS 1.2+ on every external connection. Database storage and managed object stores are AES-256 encrypted at rest. Recordings live in tenant-scoped buckets with signed-URL access.
Role-based access control
Granular permissions per organization (admin, billing, agent, observer). API keys are scoped, rotatable, and tied to a specific role. Every privileged action is auditable.
STIR/SHAKEN signing
Outbound calls are signed at the carrier (A-level attestation when the originating number is verified) so calls are less likely to land as "Spam Likely" on receiving phones.
10DLC and TCPA workflows
10DLC brand and campaign registration is handled in the dashboard. TCPA-compliant opt-out and consent tracking is built into the messaging surface.
Backups and recovery
Daily encrypted backups with point-in-time recovery on the primary database. Quarterly restore drills validate the recovery path against real data.
Compliance roadmap.
We publish status honestly. "In progress" means engaged with an auditor, not aspirational.
| Standard | Status |
|---|---|
| SOC 2 Type II | In progress |
| STIR/SHAKEN | Live |
| 10DLC registration | Live |
| GDPR / DPA | Live |
| HIPAA / BAA | Planned |
Subprocessors
We rely on a small set of vendors to operate the platform. Each is contractually bound to confidentiality and security obligations.
| Vendor | Purpose |
|---|---|
| Telnyx | Voice + messaging carrier |
| Stripe | Payment processing |
| Amazon Web Services | Compute, database, storage |
| Cloudflare | CDN, DDoS protection |
| Sentry | Error monitoring |
| Postmark | Transactional email |
Found a vulnerability?
We welcome responsible disclosure. Email security@heyquad.com with reproduction steps. We respond within two business days and credit researchers (with permission) on this page.
