Security overview โ€” where to find what

Last updated: April 2026 ยท Receptionist, Inc.

Two different "Security" surfaces

Receptionist.co has two different things called "Security," and it helps to know which one you want:

**Your dashboard Security settings** (Settings โ†’ Security). This is about your account access โ€” active sessions, sign-in devices, authentication settings, and similar per-account controls. This is what you touch if you want to sign out of a device, review recent sign-ins, or manage your own authentication.

**Our Security & Trust Center** at <a href="https://receptionist.co/security">receptionist.co/security</a>. This is about how Receptionist.co as a platform protects your data โ€” the architecture, the encryption, the sub-processors, and the compliance roadmap. This is what you look at (or share with your IT team) when you want to understand how your customer data is protected.

This help section covers the dashboard Settings โ†’ Security page. For the architectural story, read the Trust Center at receptionist.co/security โ€” that page is the authoritative source and we keep it updated.

The short version of the architecture

For the full story see receptionist.co/security, but the one-paragraph summary:

Call audio is never stored (Zero Audio Retention). Text transcripts and contact PII are encrypted with AES-256-CBC + HMAC-SHA256 at the application layer before reaching the database, so even a direct SQL query returns ciphertext. Every business's data is isolated from every other business by PostgreSQL row-level security enforced at the database kernel. The Aria call handler refuses to start if the encryption key is missing. Webhook inputs from Twilio and LiveKit are signature-verified. We do not sell data, we do not train AI models on customer data, and we do not serve HIPAA-regulated industries.

Where to find specific things

โ€ข**Zero Audio Retention explanation:** <a href="https://receptionist.co/security#zar">receptionist.co/security #1</a>
โ€ข**Encryption details:** <a href="https://receptionist.co/security#pii-encryption">receptionist.co/security #3</a>
โ€ข**Sub-processor list:** <a href="https://receptionist.co/ai-policy#subprocessors">receptionist.co/ai-policy</a>
โ€ข**Compliance status and roadmap:** <a href="https://receptionist.co/security#roadmap">receptionist.co/security #10</a>
โ€ข**Reporting a vulnerability:** <a href="https://receptionist.co/security#reporting">receptionist.co/security #11</a> or email <a href="mailto:security@receptionist.co">security@receptionist.co</a>

For your IT or security team

If you are at a business where IT or security review is part of onboarding new vendors, the Security & Trust Center page plus our Data Processing Addendum at <a href="https://receptionist.co/dpa">receptionist.co/dpa</a> are the two documents to share. If your team needs a signed DPA for GDPR Article 28 compliance or procurement purposes, email privacy@receptionist.co and we will return a countersigned copy within 3 business days. There is no charge for this.

Was this article helpful?
๐Ÿ‘ Yes๐Ÿ‘Ž No