Close this search box.

Security at Callbi

Callbi takes security seriously and we work hard at ensuring that we implement the right security controls to protect your call data so that you may use our services with confidence

Compliance and regulations

Web Services Certified Callbi holds a valid Certificate of Vulnerability Assessment & Penetration Testing.


Callbi’s business processes, tools and technologies ensure that we are compliant with the requirements of the PoPI Act (South Africa’s privacy legislation). You can be sure that your use of our services does not place your own compliance with PoPIA at risk.

Security Practices

Callbi takes a holistic approach to security and try to weave it through everything we do at Callbi to be sure that we appropriately protect the data that you entrust to us. Here are some of the highlights of our security practices.

Organisational Security

Security is championed by our CEO and communicated to all staff via our information security policy. Staff receive training on the provisions of the security policy and we validate adherence to the policy on a regular basis.

Access Control

We see access control as one of the most effective tools in our security toolbox. We grant access using the principle of least privilege, ensuring that staff only have access to those data or functions that they need to do their job. All system access is centrally managed, logged and the logs are monitored periodically.

Access rights are reviewed regularly and specifically when there is any change in a staff member’s role. Multi-factor authentication is used to control access to all sensitive data, including our production environment which houses customer data.

Each staff member uses a password manager tool that generates unique strong passwords for all services to reduce the risk of phishing and other password-based attacks. The password policy that governs password strength and other characteristics is centrally enforced by an administrator.

Data protection rights

Callbi allows data subjects to exercise their data protection rights as required by POPIA legislation. Firstly, an organization is allowed to specify and alter their retention period for their uploaded calls. The default rolling retention period is 92 days from the current date, and the shortest retention period is 1 day. Once data has expired and been deleted, it may further be retained for up to 7 days within encrypted rolling backups, after which all traces are considered deleted. If it is required that only certain calls be modified or deleted, Callbi allows mechanisms (either per manual request via its support helpdesk or via the Callbi web application where available) to correct or delete a filtered list of calls prior to their expiry. Data can also be extracted using the Callbi web application or API, and access is limited to authorized users only.

Protecting Customer Data

Our main security objective is to prevent unauthorised access to customer information. To this end, we take exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.

Each Callbi customer’s data is hosted in our shared infrastructure but logically separated from other customers’ data.

Our simplest security tool is our rigorous deletion of unnecessary data. We have automated processes in place that ensure that we only keep data that we are contractually obliged to keep. Everything else is regularly deleted in a secure manner.

Secure Applications

A key part of protecting customer data is ensuring that the software applications and APIs that allow access to customer data are secure and cannot be abused to gain unauthorised access to that data. Our development team has adopted a “secure by design” approach to our software development efforts and work from a comprehensive list of secure engineering principles when making changes or improvements to our apps. Our development methodology ensures that security is addressed at each stage of the development process. All changes to the system are logged and these logs are monitored periodically.


We encrypt all customer data in transit, and call recordings are encrypted at rest using the latest recommended secure cipher suites. Call transcripts are encrypted in all areas where possible. Encryption keys are managed using standard best practices for cryptography.

Disaster Recovery and Business Continuity

Callbi makes use of AWS database clusters which is fault tolerant by design. The cluster volume spans multiple Availability Zones in a single AWS Region, and each Availability Zone contains a copy of the cluster volume data. This functionality means that your database cluster can tolerate a failure of an Availability Zone without any loss of data and only a brief interruption of service.

Callbi also stores rolling backups (encrypted at rest within AWS) that can be used during a catastrophic failure to restore to any specific point in time for the past 7 days.

Callbi’s backend services are all load balanced and also fault tolerant by design. Multiple instances of the backend services span across different Availability Zones in a single AWS Region. The necessary automatic health checks and autoscaling and recovery services are implemented. There are no specific components that need to be manually restored if a hardware failure should occur.

A 7-day rolling backup copy of the production database is separately maintained in AWS, and recovery of the backups is tested at least annually.

Incident Response

Callbi has procedures in place to detect and respond to security threats. We have a defined Formal incident response plan.

Risk Management

Callbi has a have a formal risk management policy to help us identify and mitigate risks.

Validation and Review

Even though we think we’re pretty good at security, we don’t trust ourselves completely. We have our systems tested for security vulnerabilities on an annual basis. All results from these assessments are fed back to our development team and our system is strengthened where necessary.