Security

Protecting your data is fundamental to everything we build. This page describes the security measures we implement across our platform.

Our Commitment to Security

At callmor.ai, security is not an afterthought — it is built into every layer of our platform. We continuously evaluate and improve our security posture to ensure your data and accounts remain protected.

Infrastructure

  • Hosted on secure, modern cloud infrastructure.
  • HTTPS is enforced everywhere — all traffic is encrypted in transit.
  • HTTP Strict Transport Security (HSTS) headers are enabled to prevent protocol downgrade attacks.

Authentication

  • Passwords are hashed using bcrypt — they are never stored in plain text.
  • Sessions are managed with encrypted JWT tokens for secure, stateless authentication.
  • Email verification is required before accounts become fully active.
  • Rate limiting is applied to login endpoints to mitigate brute-force attacks, and account lockout protections are enforced.

Data Protection

  • All data is encrypted in transit using TLS (Transport Layer Security).
  • Passwords are never stored in plain text — only bcrypt hashes are retained.
  • Administrative access requires the ADMIN role, verified through middleware on every request.

Payment Security

All payments are processed by Stripe, which is PCI DSS Level 1 compliant — the highest level of certification in the payments industry. We never store, process, or have access to your full credit card numbers. All payment data is handled entirely by Stripe's secure infrastructure.

Application Security

  • All user input is validated against Zod schemas, rejecting malformed data and reducing the risk of injection.
  • Rate limiting is enforced on sensitive endpoints to mitigate abuse.
  • CSRF protection is provided through NextAuth's built-in token verification.
  • Security headers are configured including Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options.

Access Controls

  • Role-based access control (RBAC) with distinct ADMIN and CUSTOMER roles.
  • Middleware verifies JWT tokens and user roles on every protected request.
  • All API endpoints that access or modify data require authentication.

Responsible Disclosure

If you discover a security vulnerability in our platform, we encourage you to report it responsibly. Please contact us at security@callmor.ai with details of the vulnerability. We ask that you give us reasonable time to investigate and address the issue before making any public disclosure.

Contact Us

For security concerns, reach out to security@callmor.ai. For general inquiries, contact hello@callmor.ai.