Security controls with explicit workflow boundaries
LeadGreeter combines technical safeguards with conservative workflow rules: validated provider requests, encrypted stored secrets, redacted audit data, backend-owned voice tools, and deterministic customer-state transitions. Those controls support responsible operation without making a blanket certification claim.
Who this is for: This overview is for owners, administrators, implementation partners, and reviewers who need to understand which protections the application implements and which privacy, provider, account, and deployment decisions remain their responsibility.
Use HTTPS and a defined Content Security Policy
Production application and webhook URLs are configured for HTTPS, and outbound integration destinations are validated as HTTPS before delivery. The web application also emits a Content Security Policy that limits browser resource categories to defined sources. These are concrete controls, though their effectiveness still depends on correct deployment, proxy, DNS, certificate, and environment configuration.
CSP reduces classes of browser injection risk but is not a substitute for secure code, dependency review, authentication, or safe content handling. Customers and operators must keep production origins and provider callbacks configured correctly. Development exceptions and third-party scripts should be reviewed deliberately rather than assumed to have the same posture as the production site.
- HTTPS application and provider callback configuration
- HTTPS-only outbound integration destinations
- Content Security Policy response headers
- Deployment and proxy configuration owned by operators
- No claim that one browser header removes every web risk
Validate provider and integration signatures
Inbound Twilio and OpenAI webhook paths validate provider signatures before processing protected events. Outbound integration deliveries include a timestamp and HMAC signature, and the repository includes matching verification with a replay tolerance and timing-safe comparison. Signature validation helps distinguish an authorized sender from an arbitrary request when secrets and URLs are configured correctly.
The receiving party still has responsibilities: preserve the raw body needed for verification, protect signing secrets, reject stale or malformed requests, and avoid logging the secret or full sensitive payload. A valid signature identifies the holder of a secret; it does not prove that every field is accurate, safe to act on, or authorized for every downstream use.
Encrypt supported stored secrets and control media access
LeadGreeter uses versioned authenticated encryption for supported stored secret fields, including integration signing secrets and configured provider credentials. Runtime services decrypt those values only when needed for an authorized provider or delivery action. This statement is limited to the fields wired through that encryption layer; it is not a broad claim that every database value is field-encrypted.
Lead photos and attachments use configured local or object storage paths with application-controlled access and signed media delivery where implemented. Storage security also depends on deployment credentials, bucket policy, backups, retention, exports, and any external destination selected by the customer. Account owners must decide who should access or redistribute customer media.
Redact sensitive provider data before storage or logs
Webhook and realtime paths apply redaction helpers before persisting audit payloads or raw event representations, and provisioning errors remove recognizable provider identifiers, long token-like values, and phone numbers. New logs are expected to avoid customer message bodies, decrypted credentials, provider payloads, and internal identifiers unless a tightly controlled debugging need requires them.
Redact does not mean that every possible sensitive value can be recognized automatically. Operators should keep log access narrow, configure retention appropriately, and inspect new telemetry for accidental disclosure. Customers should not place secrets in free-text business instructions or lead notes, because operational text may legitimately appear in authorized product views.
Keep voice tools and business state backend-owned
Realtime voice tools are backend-owned and validated server-side. The model can assist with extraction, summaries, approved replies, and narrowly defined tool calls, but it cannot directly mutate arbitrary lead fields or decide final business status. Unknown or disabled business numbers fail safely, and owner-dialing or conservative fallback paths remain part of provider handling.
Deterministic code owns opt-out ordering, lead status, owner review state, notification timing, and booking semantics. STOP, UNSUBSCRIBE, CANCEL, END, and QUIT handling precedes AI extraction or follow-up. A callback request or booking-link send is not recorded as a completed calendar booking without the required controlled application action.
Separate provider, platform, and customer responsibility
LeadGreeter implements application controls, while hosting operators configure infrastructure and secrets, communications providers operate their networks and accounts, and customers configure phone routing, users, business instructions, consent, destinations, and retention practices. Each layer can weaken the workflow if it is misconfigured, so production readiness requires reviewing the whole path rather than only the interface.
This page is not a blanket compliance certification and does not replace a customer's legal, privacy, security, or industry assessment. Requirements vary by jurisdiction, trade, data type, provider, contract, and use case. Customers remain responsible for lawful calling and messaging, authorized data collection, user access, response procedures, and the tools to which they export lead information.
