JustCall Security and Compliance
JustCall is built for businesses that handle sensitive customer communications. This article provides an overview of JustCall's security architecture, compliance certifications, and data protection practices.
Compliance Certifications
| Certification | Status | Scope |
|---|---|---|
| SOC 2 Type II | Certified | Covers security, availability, and confidentiality trust service criteria. Audited annually by an independent third party. |
| HIPAA | Compliant | Available on the Business plan. JustCall signs a Business Associate Agreement (BAA) for covered entities and business associates. |
| ISO 27001 | Certified | Information Security Management System (ISMS) covering JustCall's infrastructure, application, and organizational controls. |
| GDPR | Compliant | Data Processing Agreement (DPA) available. EU data subject rights supported. See GDPR Compliance on JustCall. |
| PCI-DSS | Level 1 compliant (payment processing) | JustCall does not store credit card numbers. Payment processing is handled by a PCI-DSS Level 1 certified provider. |
To request copies of SOC 2 reports or ISO 27001 certificates, contact security@justcall.io or your Customer Success Manager.
Encryption
Data in Transit
All data transmitted between your browser/app and JustCall servers is encrypted using TLS 1.2 or higher. This covers:
- Web application traffic
- API calls
- Voice calls (SRTP encryption)
- SMS/MMS message transmission
- Webhook payloads
Data at Rest
All stored data is encrypted using AES-256 encryption. This includes:
- Call recordings
- Voicemail recordings
- SMS/MMS message content
- Contact data
- Account configuration
Encryption keys are managed through a dedicated key management service with automatic key rotation.
Infrastructure Security
| Layer | Details |
|---|---|
| Cloud provider | Hosted on AWS with multi-region redundancy. |
| Network | Virtual private cloud (VPC) with security groups, network ACLs, and DDoS protection (AWS Shield). |
| Application | Web Application Firewall (WAF) with OWASP Top 10 rule sets. Regular penetration testing by third-party firms. |
| Monitoring | 24/7 security monitoring with automated alerting. Intrusion detection and log analysis. |
| Backups | Automated daily backups with cross-region replication. Recovery Point Objective (RPO): 1 hour. Recovery Time Objective (RTO): 4 hours. |
Data Residency
JustCall processes and stores data in the following regions:
| Region | Data Center Location |
|---|---|
| US | AWS US East (Virginia) and US West (Oregon) |
| EU | AWS EU West (Ireland) |
| APAC | AWS Asia Pacific (Sydney) |
Business plan customers can request data residency in a specific region. Contact your CSM to configure regional data storage.
HIPAA Compliance Details
HIPAA compliance is available on the Business plan and requires:
- Business Associate Agreement (BAA). JustCall signs a BAA with your organization. Request it through your CSM or at Settings → Security → Compliance.
- HIPAA-specific configuration. JustCall enables additional safeguards:
  - Call recording encryption with access controls
  - Audit logging of all data access
  - Automatic session timeouts
  - Restricted data export permissions
- Staff training. JustCall employees with access to PHI complete annual HIPAA training.
HIPAA compliance applies to call recordings, voicemail, SMS/MMS messages, and contact data containing Protected Health Information (PHI).
Access Controls
| Feature | Details |
|---|---|
| Role-based access (RBAC) | Four roles (Owner, Admin, Supervisor, Agent), each with a distinct permission set. |
| SSO (SAML 2.0) | Business plan. Supports Google Workspace, Azure AD, Okta, OneLogin, JumpCloud, Rippling. |
| Two-Factor Authentication (2FA) | Available on all plans. Enforced at the account level by admins. |
| Session management | Configurable session timeout. Automatic logout after inactivity period. |
| IP allowlisting | Business plan. Restrict access to specific IP addresses or ranges. |
| Audit logs | Admin-accessible logs of user actions: logins, configuration changes, data exports. |
Vulnerability Management
- Penetration testing: Conducted at least annually by an independent security firm. Findings are remediated based on severity within defined SLAs.
- Bug bounty: JustCall operates a responsible disclosure program. Report vulnerabilities to security@justcall.io.
- Dependency scanning: Automated scanning of application dependencies for known vulnerabilities. Critical patches deployed within 24 hours.
- Code reviews: All code changes require peer review before deployment.
Incident Response
JustCall maintains a documented incident response plan covering:
- Detection and analysis — automated monitoring triggers alerts for anomalous activity.
- Containment — immediate isolation of affected systems.
- Notification — customers notified within 72 hours for data breaches (per GDPR) or as required by applicable law.
- Recovery and post-mortem — root cause analysis published for significant incidents.
Requesting Security Documentation
| Document | How to Get It |
|---|---|
| SOC 2 Type II Report | Email security@justcall.io with a signed NDA |
| ISO 27001 Certificate | Email security@justcall.io |
| Data Processing Agreement (DPA) | Settings → Security → Compliance → Download DPA |
| Business Associate Agreement (BAA) | Contact your CSM (Business plan required) |
| Penetration Test Summary | Email security@justcall.io with a signed NDA |
| Security Questionnaire | Email security@justcall.io — typical turnaround 5 business days |
Related Articles
- GDPR Compliance on JustCall — data subject rights, DPA, consent management
- Set Up Google Workspace SSO for JustCall — SSO configuration
- Set Up Azure AD SSO for JustCall — Microsoft Entra ID SSO
- Choose the Right JustCall Plan — see which plans include HIPAA and SSO