Security-first architecture

Your data is protected at every layer

ChirpReply handles sensitive business communications — phone calls, text messages, appointment data, and customer information. We take that responsibility seriously with enterprise-grade security at every layer of the stack.

Encryption Everywhere

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Database connections are encrypted. API communications use HTTPS exclusively. No exceptions.

TCPA Compliance

ChirpReply is built with TCPA compliance in mind. Automated text messages include opt-out mechanisms, and all outbound communications respect consent requirements. We provide tools to manage consent records and honor opt-out requests immediately.

Recording Disclosures

Every AI-answered call begins with an automated recording disclosure. This disclosure is configurable — you can customize the language while maintaining compliance. We recommend consulting legal counsel to ensure compliance with your state's recording consent laws, especially in two-party consent states.

Twilio Signature Verification

Every incoming webhook from Twilio is verified using Twilio's request signature validation. This prevents spoofed requests and ensures that only legitimate Twilio traffic can trigger actions in your ChirpReply account. Invalid signatures are rejected and logged.
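The check described above, as an added example that is not ChirpReply's own code: it recomputes Twilio's documented X-Twilio-Signature (HMAC-SHA1 over the full request URL plus the key-sorted POST parameters, base64-encoded) and compares it in constant time, rejecting and logging anything that does not match. The auth token, webhook URL and form values are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: not real ChirpReply or Twilio values.
AUTH_TOKEN = "0123456789abcdef0123456789abcdef"
WEBHOOK_URL = "https://example.invalid/webhooks/twilio/sms"
SAMPLE_FORM = {"From": "+15551230000", "To": "+15559870000", "Body": "STOP"}


def expected_signature(auth_token: str, url: str, params: dict) -> str:
    """Recompute Twilio's X-Twilio-Signature for a POST webhook.

    Twilio's documented scheme: concatenate the full request URL (query
    string included) with every POST parameter as key+value in key-sorted
    order, HMAC-SHA1 the result with the account auth token, and base64-
    encode the digest. GET webhooks sign the URL alone (empty params).
    """
    payload = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_as_twilio(url: str, form: dict, auth_token: str = AUTH_TOKEN) -> dict:
    """Build the header Twilio would send; used here only to construct sample traffic."""
    return {"X-Twilio-Signature": expected_signature(auth_token, url, form)}


def verify_twilio_request(auth_token: str, url: str, params: dict, header_sig: str) -> bool:
    """True only if the header matches; compare_digest avoids timing leaks."""
    if not header_sig:
        return False
    return hmac.compare_digest(expected_signature(auth_token, url, params), header_sig)


def handle_webhook(url: str, form: dict, headers: dict, auth_token: str = AUTH_TOKEN) -> int:
    """Webhook entry point: reject and log anything that fails verification.

    `url` must be the public URL exactly as Twilio requested it; behind a
    proxy or CDN rebuild it from the forwarded scheme and host, otherwise
    genuine signatures will fail to match.
    """
    if not verify_twilio_request(auth_token, url, form, headers.get("X-Twilio-Signature", "")):
        print(f"rejected webhook with bad signature: From={form.get('From', '?')}")
        return 403
    # Signature is good: safe to act on the message (e.g. honour a STOP opt-out).
    return 200
```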

Rate Limiting

All API endpoints are protected by sliding-window rate limiting. This prevents abuse and brute-force attacks, and ensures fair resource allocation. Rate limits are applied per-account and per-IP. Requests that exceed a limit receive a standard 429 response with a Retry-After header.

Clerk Authentication

User authentication is handled by Clerk, an enterprise-grade authentication provider. Clerk provides secure session management, multi-factor authentication support, JWT-based tokens, social login, and protection against common authentication attacks including CSRF and session fixation.

Infrastructure Security

ChirpReply is hosted on Vercel's global edge network with automatic DDoS protection, geographic redundancy, and zero-downtime deployments. Our PostgreSQL database runs on managed infrastructure with automated backups, point-in-time recovery, and network isolation.

Role-Based Access Control

Team accounts support role-based access with three levels: Owner (full access), Admin (management without billing), and Member (read-only with limited actions). Each team member has their own authenticated session — no shared passwords.

Data Handling Practices

Call recordings are stored securely and retained for 12 months. You can delete recordings at any time from your dashboard. Recordings are encrypted at rest and only accessible to authenticated account holders.

Text message content is stored in our encrypted PostgreSQL database and retained for the duration of your account. Message data is never sold to third parties or used for advertising purposes.

AI conversation data is processed by Anthropic's Claude AI and Vapi's voice platform. Conversation logs are stored to provide transcripts and improve AI accuracy. Neither Anthropic nor Vapi uses your business data to train general-purpose models.

Payment information is handled entirely by Stripe. ChirpReply never stores credit card numbers, CVVs, or other sensitive payment data on our servers. Stripe is PCI-DSS Level 1 certified.

Data export is available at any time. You can export call logs (CSV), appointment data (CSV, iCal), text message threads, and billing history directly from your dashboard.

Compliance

ChirpReply is designed with compliance in mind for US-based small businesses handling phone and text communications. Key compliance areas include:

  • TCPA (Telephone Consumer Protection Act): Automated text messages include opt-out language. Consent management tools are built into the platform. We respect Do Not Call registries.
  • State Recording Laws: Configurable recording disclosures support both one-party and two-party consent states. You can customize the disclosure message for your jurisdiction.
  • CCPA (California Consumer Privacy Act): California residents can request access to, deletion of, and portability of their personal data. See our Privacy Policy for details.
  • SOC 2 Alignment: Our infrastructure providers (Vercel, Stripe, Clerk) maintain SOC 2 Type II compliance. We follow SOC 2 principles in our own development and operational practices.

Responsible Disclosure

If you discover a security vulnerability in ChirpReply, we want to hear about it. Please report vulnerabilities to security@chirpreply.com. We ask that you give us reasonable time to address the issue before any public disclosure. We do not take legal action against good-faith security researchers.

Questions about security?

Contact our team at security@chirpreply.com for additional information about our security practices.