Security
Protecting your credentials, data, and Voice AI infrastructure
Overview
Telepath implements enterprise-grade security for your Voice AI infrastructure. The practices below help you keep your system, credentials, and customer data safe.
Credential Management
API Key Security
Your API keys grant full access to your account. Treat them as passwords.
- Never commit keys to version control. Use environment variables or a secrets manager instead.
- Rotate every 90 days — and immediately if a key is exposed or a team member leaves.
- Scope keys appropriately — create separate keys per service; use read-only keys wherever write access is not needed; revoke unused keys.
# Store as environment variable, not in code
export TELEPATH_API_KEY="sk_live_abc123def456..."
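A way to enforce the "never commit keys" rule, as an added example (not Telepath's own tooling): a scanner that can run as a Git pre-commit hook and reports hard-coded keys without echoing them. The key pattern is an assumption inferred from the `sk_live_` sample value above, and the sample files are constructed.

```python
import re
import subprocess
import sys

# Assumption: keys look like the page's sample value, "sk_live_" + alphanumerics.
KEY_RE = re.compile(r"\bsk_live_[A-Za-z0-9]{6,}")

def redact(key):
    """Keep only the prefix and length so the finding never re-leaks the key."""
    return f"{key[:8]}[redacted, {len(key)} chars]"

def scan_files(files):
    """files maps path -> text; returns (path, line_no, redacted_key) tuples."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                findings.append((path, line_no, redact(match.group())))
    return findings

def staged_files():
    """Read the staged version of every added, copied or modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.split("\0")
    files = {}
    for name in filter(None, names):
        blob = subprocess.run(["git", "show", f":{name}"],
                              capture_output=True, check=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files

# Constructed sample: one hard-coded key, one file that reads the environment.
SAMPLE_FILES = {
    "app/client.py": 'API_KEY = "sk_live_abc123def456"\n',
    "app/config.py": 'import os\nAPI_KEY = os.environ["TELEPATH_API_KEY"]\n',
}

if __name__ == "__main__":
    # As .git/hooks/pre-commit: a non-zero exit blocks the commit.
    hits = scan_files(staged_files())
    for path, line_no, shown in hits:
        print(f"{path}:{line_no}: hard-coded API key {shown}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A key that this scan finds in an earlier commit is already exposed and should be rotated, not just removed from the file.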
SIP Credentials
Your SIP username and password authenticate calls with carriers.
- Use strong passwords: minimum 12 characters, mixed case, numbers, and symbols
- Rotate passwords via the dashboard after any suspected exposure; update your carrier configuration immediately
- Never share SIP credentials over chat or email; use separate credentials per environment
AI Provider Credentials
- Create dedicated service accounts per integration — do not use personal API keys in production
- Enable IP whitelisting on the provider side where available
- Set spending limits or quotas to cap unintended usage
- Review API key usage regularly and set up provider-side alerts for anomalies
Data Encryption
In Transit
- HTTPS/TLS 1.2+ — all API communications between your application and Telepath
- SIP TLS — recommended for sensitive deployments; UDP is acceptable for controlled private networks
- AI Provider — all traffic between Telepath and AI providers is encrypted in transit
At Rest
- API keys, SIP passwords, and AI provider credentials are stored with AES-256 encryption
- Call metadata is encrypted; audio is not stored by default
Access Control
Dashboard Authentication
- Use a strong, unique password (minimum 12 characters)
- Enable two-factor authentication (authenticator app preferred over SMS)
- Sessions automatically expire after 30 minutes of inactivity
API Key Management
1. Go to Settings → API Keys and click Create New Key
2. Give the key a descriptive name that identifies its purpose
3. Copy the key immediately — it will not be displayed again
To revoke a key, click Revoke in Settings → API Keys; any application using it will immediately lose access
Team Permissions
Apply the principle of least privilege — give team members only the access they need:
- Admin — full account access and team management
- Editor — create and modify connections; view logs
- Viewer — read-only access to logs and settings
- Billing — manage payment methods and billing information
Network Security
IP Whitelisting
If your carrier supports IP whitelisting, add Telepath’s IP ranges to restrict which sources can authenticate SIP calls. Contact [email protected] or check the dashboard for current Telepath IP ranges.
VPC / Network Isolation
For enterprise deployments: run internal systems inside a VPC; restrict dashboard and API access to authorized networks; monitor all inbound and outbound connections.
Compliance & Regulations
HIPAA
For healthcare applications, enable encryption for all data, implement strict access controls, maintain complete audit logs, and execute a Business Associate Agreement (BAA) with all relevant providers.
GDPR
For European users, implement the right to erasure, obtain explicit consent before any recording, keep your privacy policy current, and comply with data residency requirements.
CCPA
For California users, disclose data collection practices, honor deletion requests, provide data access on demand, and implement non-discrimination policies.
PCI DSS
Do not store payment card data in call logs. Ensure PCI compliance with any AI providers that may touch cardholder data.
Call Recording & Privacy
Default Behavior
By default, Telepath does not store audio — carrier audio and AI agent responses are streamed in real time and not retained. Only call metadata and, where applicable, transcripts are stored.
If You Capture Audio
If your application captures audio via a custom WebSocket endpoint:
- Announce recording to callers at the start of every call (“This call may be recorded…”)
- Store recordings with encryption at rest
- Comply with all applicable consent and retention laws in your jurisdiction
- Implement a deletion mechanism so recordings can be removed on request
Audit & Logging
Dashboard Audit Log
All account activities — API key creation/deletion, connection modifications, settings changes, and team changes — are logged with timestamps. Access via Settings → Audit Log; export for compliance reporting.
API Access Logging
Every API call is logged with source IP, timestamp, duration, and error messages. Review for unusual patterns: unexpected access times, spikes in call volume, or access from unrecognized IPs.
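The three review patterns named above, as an added example (not part of Telepath's product or API): a summary pass over exported log entries. The record layout (`source_ip`, `timestamp`, `duration_ms`, `error`), the allowlisted network, the working hours and the spike threshold are all assumptions, and the sample entries are constructed; timestamps are expected to carry a UTC offset.

```python
import ipaddress
import statistics
from collections import Counter
from datetime import datetime, timezone

# Assumptions for this example: allowlist, working hours and spike threshold.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(8, 19)   # 08:00 to 18:59
SPIKE_FACTOR = 3                    # flag hours above 3x the median hourly volume

def review(entries):
    """Summarise unrecognized IPs, off-hours access and hourly volume spikes."""
    unknown, off_hours, per_hour = Counter(), Counter(), Counter()
    for entry in entries:
        ts = datetime.fromisoformat(entry["timestamp"]).astimezone(timezone.utc)
        ip = ipaddress.ip_address(entry["source_ip"])
        per_hour[ts.strftime("%Y-%m-%dT%H")] += 1
        if not any(ip in net for net in KNOWN_NETWORKS):
            unknown[entry["source_ip"]] += 1
        if ts.hour not in BUSINESS_HOURS_UTC:
            off_hours[entry["source_ip"]] += 1
    median = statistics.median(per_hour.values()) if per_hour else 0
    spikes = {h: n for h, n in per_hour.items() if n > SPIKE_FACTOR * median}
    return {"unrecognized_ips": dict(unknown), "off_hours": dict(off_hours),
            "spikes": spikes}

def sample_entries():
    """Constructed log: steady daytime traffic, then a 03:00 burst."""
    def row(ip, stamp):
        return {"source_ip": ip, "timestamp": stamp, "duration_ms": 120, "error": None}
    rows = [row("203.0.113.10", f"2024-05-01T{h:02d}:{m:02d}:00+00:00")
            for h in (9, 10, 11) for m in (5, 35)]
    rows += [row("198.51.100.7", f"2024-05-02T03:{m:02d}:00+00:00") for m in range(8)]
    return rows

if __name__ == "__main__":
    for finding, detail in review(sample_entries()).items():
        print(finding, detail)
```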
Incident Response
Suspected Compromise
- Immediately: revoke compromised API keys; rotate SIP passwords; change your dashboard password; enable 2FA if not already on
- Within 1 hour: review audit logs for unauthorized access; check call logs for suspicious activity; contact [email protected]
- Document: note the discovery timestamp, list affected API keys, and identify any suspicious calls
Report a Security Issue
Email [email protected] with a description of the issue, the affected components, when you discovered it, and any steps already taken. Include “URGENT SECURITY” in the subject for critical issues.
Best Practices Checklist
Development
- Use environment variables for all secrets
- Add .env files to .gitignore
- Use separate API keys for dev, staging, and production
- Test with read-only keys wherever possible
Deployment
- Use a secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.)
- Rotate credentials on a regular schedule
- Enable TLS for all connections
- Log all access attempts and API calls
Team
- Limit credential distribution to those who need it
- Audit team access quarterly
- Have a defined off-boarding procedure for departing team members
- Train the team on credential hygiene