1. Scope
This Security page explains the safeguards used for iamadroid’s websites, AI Agents, AI Phone, Business Phone, virtual numbers, dashboards, APIs, plugins, integrations, billing areas, account areas and related services.
This page should be read together with our Terms of Service, Privacy Policy, Data Protection & GDPR page, Acceptable Use Policy and Cookie Policy.
2. Security Responsibilities
Security is a shared responsibility between iamadroid and each customer.
- iamadroid responsibilities: protecting the Service infrastructure, application security, access controls, monitoring, backups and operational safeguards.
- Customer responsibilities: managing account access, user permissions, strong passwords, secure devices, API keys, embed tokens, webhook URLs, phone-routing settings and lawful configuration of AI Agents and phone services.
- End-user responsibilities: avoiding disclosure of unnecessary sensitive information through chats, calls or forms.
3. Infrastructure and Hosting Security
iamadroid uses reputable infrastructure, hosting, database, telecoms and service providers to operate the platform. We use security controls designed to reduce unauthorised access, data loss, misuse and disruption.
- Production systems are separated from development and administrative workflows where practical.
- Network access is limited to what is required for service operation and administration.
- Provider security controls, firewalls, access restrictions and monitoring are used where available.
- Operational systems are maintained with security updates and patching appropriate to the environment.
- Backups and recovery processes are used to support service continuity and resilience.
4. Encryption and Transport Security
- In transit: Web traffic is protected using HTTPS/TLS where supported.
- At rest: Databases, storage and backups are protected using encryption or provider-managed safeguards where available.
- Credentials and tokens: Access credentials, secrets, API keys and service tokens are handled with restricted access and should not be shared publicly.
- Customer responsibility: Customers must protect embed scripts, API keys, webhooks, access tokens and admin credentials from unauthorised use.
5. Application Security
iamadroid applies application-level safeguards designed to protect accounts, dashboards, forms, billing flows, AI Agent configuration and phone-service administration.
- Authentication is required for account and administrative areas.
- Role-based access and permission checks are used where supported by the application.
- CSRF protection is used for sensitive form actions where appropriate.
- Input validation, output escaping and sanitisation are used to reduce injection and cross-site scripting risks.
- Session controls, secure cookies and token checks are used where appropriate.
- Rate limits, throttling or abuse controls may be applied to protect the Service.
- Security-relevant changes may be logged for investigation and audit purposes.
6. Account Security and Access Control
Customers are responsible for controlling who can access their account, dashboard, agents, phone settings, billing details, integrations and data.
- Use strong, unique passwords for account users.
- Limit admin access to trusted users with a genuine business need.
- Remove user access promptly when staff, contractors or administrators leave or change role.
- Do not share passwords, login sessions, API keys, embed tokens or webhook secrets.
- Review account users, permissions and configuration regularly.
- Notify us promptly if you suspect unauthorised access, compromised credentials or misuse.
7. AI Agent Data Security
AI Agent data may include chat messages, prompts, responses, knowledge sources, lead details, booking requests, support tickets, handoff information, uploaded content and related metadata.
- Customers should only upload business information and knowledge sources they are authorised to use.
- Customers should avoid collecting unnecessary sensitive personal data through AI Agents.
- Agent prompts, knowledge sources and handoff rules should be reviewed before deployment.
- Access to chat logs, leads, analytics and admin tools should be limited to authorised users.
- AI outputs should be reviewed where accuracy, safety, compliance or customer impact matters.
8. AI Phone and Business Phone Security
AI Phone and Business Phone services may involve phone numbers, caller ID, call logs, call routing, IVR configuration, voicemail, recordings, transcripts, summaries, call metadata, usage records and carrier/provider systems.
- Phone numbers may require verification, service-address information or business checks before activation.
- Customers must keep call routing, forwarding, voicemail, IVR and escalation settings accurate and secure.
- Customers must restrict access to call recordings, transcripts, summaries and phone analytics.
- Customers must obtain required consent before recording, transcribing, monitoring or analysing calls.
- Phone services depend on third-party carriers, telecoms providers, internet access, power and correct configuration.
- Emergency calling is not supported through iamadroid virtual numbers or telephony services. Customers must maintain alternative emergency calling arrangements.
9. Monitoring, Logging and Abuse Detection
We may monitor usage, logs, metadata, account activity, traffic patterns, system events, call patterns, provider notices and security signals to protect the Service.
- Monitoring may be used to detect fraud, abuse, security incidents, spam, unlawful activity, excessive usage or telecoms risk.
- Logs may include account access, admin actions, usage events, system events, errors, IP addresses and call or chat metadata.
- We may investigate suspicious activity and may suspend, restrict or block access where risk is detected.
- Security logs are retained for operational, compliance, fraud-prevention and investigation purposes.
10. Data Retention and Backups
Retention periods vary by product, plan, configuration, legal requirements and operational need. Backups may persist for a limited period before deletion.
- Account, billing, tax and compliance records may be retained as required by law.
- Chat logs, call logs, transcripts, recordings, summaries and analytics are retained according to plan, configuration and operational rules.
- Security and audit logs may be retained for investigation, compliance and service protection.
- Data may be deleted, anonymised or aggregated when no longer required.
11. Incident Response
iamadroid maintains procedures for identifying, investigating and responding to security incidents.
- We assess suspected incidents and take steps to contain, investigate and remediate where appropriate.
- We may suspend accounts, keys, numbers, integrations or services to protect users, customers, providers or the platform.
- Where legally required, we will notify affected customers, regulators or individuals.
- Customers are responsible for notifying their own end users where they are the controller and the law requires them to do so.
12. Sub-processors and Third-Party Providers
iamadroid uses third-party providers to operate the Service, including hosting providers, database providers, AI model providers, telecom carriers, number providers, payment processors, email providers, analytics providers, monitoring providers and support tools.
- Third-party providers may process personal data where needed to deliver, secure, support or improve the Service.
- Provider availability, security controls and data locations may vary by provider and feature.
- Telephony services may depend on carrier and number-provider security, compliance and availability controls.
- Sub-processor information may be requested by contacting compliance@iamadroid.com.
13. Business Continuity and Availability
We aim to provide a reliable Service, but no online, AI or telecoms service can be guaranteed to be uninterrupted or error-free.
- Maintenance, updates, provider outages, carrier issues, internet disruption, power issues, AI-provider outages, regulatory action or customer misconfiguration may affect availability.
- We may perform maintenance, updates or security work where needed to protect or improve the Service.
- Customers should maintain their own continuity plans, backup contact methods and alternative emergency calling arrangements.
14. Responsible Disclosure
We welcome responsible reports of potential security vulnerabilities. If you believe you have found a security issue, please contact us at compliance@iamadroid.com.
Please include enough detail for us to understand and reproduce the issue where possible. Do not access, modify, delete, exfiltrate, disrupt or disclose data that does not belong to you.
- Do not perform denial-of-service testing, spam testing, social engineering or physical attacks.
- Do not test against customer accounts or customer data without written permission.
- Give us reasonable time to investigate before making public disclosures.
- We review responsible reports in good faith but do not guarantee a reward or bounty.
15. Customer Security Checklist
To help protect your account and customers, we recommend that customers:
- use strong passwords and keep admin access limited;
- remove access for former staff and contractors promptly;
- review agent prompts, knowledge sources and phone routing regularly;
- avoid collecting unnecessary sensitive information;
- provide clear privacy, AI and call-recording notices where required;
- keep webhook URLs, API keys, tokens and embed codes secure;
- test AI Agent and AI Phone workflows before launch;
- maintain alternative phone and emergency calling arrangements.
16. Contact
For security, compliance or responsible disclosure matters, contact: compliance@iamadroid.com.
You may also contact us through our Contact Us page.
Effective date: 1 May 2026