Specific posture, not vague trust language.
KaiCalls is a phone service with a built-in secretary. This page explains how access, telephony, messaging, retention, and buyer caveats work today without pretending the platform has certifications it has not verified.
What KaiCalls enforces today
These are product and integration controls already represented in the repo and public docs, not aspirational marketing bullets.
Scoped and hashed API keys
KaiCalls issues scoped API keys, stores key hashes server-side, and returns the full secret only once at creation.
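To make the key-handling model above concrete, here is an added Python sketch (not KaiCalls' own code) that mints a scoped key, persists only its SHA-256 hash, and checks presented keys with a constant-time comparison. The `key_id.secret` format, the in-memory `KEY_STORE` and the scope names are constructed assumptions, not the real key layout.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for a database table.
# Only hashes and metadata live here; the plaintext secret never does.
KEY_STORE = {}


def issue_key(business_id, scopes):
    """Mint a scoped key bound to one business.

    The full secret is returned exactly once from this call; afterwards the
    server only holds its hash, so a leaked database cannot replay keys."""
    key_id = secrets.token_hex(8)       # public lookup handle, safe to log
    secret = secrets.token_urlsafe(32)  # 256 bits of entropy, never stored
    KEY_STORE[key_id] = {
        "business_id": business_id,
        "scopes": frozenset(scopes),
        "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
    }
    # Hypothetical wire format: "<key_id>.<secret>" (token_urlsafe never emits '.')
    return f"{key_id}.{secret}"


def authenticate(presented, required_scope):
    """Return the owning business_id if the key is valid and carries the
    required scope; return None on any failure without revealing which."""
    key_id, sep, secret = presented.partition(".")
    record = KEY_STORE.get(key_id) if sep else None
    if record is None:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time compare so response timing does not leak hash bytes.
    if not hmac.compare_digest(digest, record["secret_hash"]):
        return None
    if required_scope not in record["scopes"]:
        return None  # valid key, but not authorised for this operation
    return record["business_id"]


def revoke_key(presented):
    """Dropping the hash record is sufficient to revoke; nothing else to wipe."""
    key_id = presented.partition(".")[0]
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    key = issue_key("biz_42", {"calls:read"})
    print("issued once:", key)
    print("read  ->", authenticate(key, "calls:read"))    # biz_42
    print("write ->", authenticate(key, "calls:write"))   # None: scope missing
    print("revoked:", revoke_key(key), "->", authenticate(key, "calls:read"))
```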
Signed outbound webhooks
Webhook deliveries use an HMAC signature so receiving systems can verify origin before trusting the payload.
Twilio signature validation
Inbound Twilio webhook routes validate Twilio signatures and do not allow production validation to be disabled.
Business-level isolation
Access to business data is scoped through linked `user_businesses` membership instead of trusting a caller-supplied business id alone.
Rate limits and guarded entry points
Public signup, messaging, and API surfaces have documented rate limits so trial abuse and integration misuse are harder to hide.
Retention and deletion paths
KaiCalls documents retention windows, honors deletion requests, and keeps privacy contacts public instead of burying them in support threads.
Messaging and calling controls
KaiCalls treats messaging rules as operating behavior, not a footer disclaimer.
- AI disclosure and recording disclosure settings exist at the business level.
- STOP handling can auto-add numbers to the DNC list to block future outreach.
- Calling hours are configurable and default compliance settings respect state-specific rules.
- A2P 10DLC registration status is tracked for businesses using SMS campaigns and messaging flows.
What this page does not say
- KaiCalls does not claim SOC 2 certification on this page.
- KaiCalls does not claim HIPAA certification on this page.
- KaiCalls does not describe itself as "fully compliant" across every use case.
- KaiCalls does not present security marketing as a substitute for buyer legal review.
Retention and deletion posture
The public privacy policy already documents the main retention windows. The table below turns that into buyer-readable operating expectations.
| Data type | Current public posture |
|---|---|
| Account data | Retained while active and for 30 days after deletion request. |
| Call recordings and transcripts | Retained for 90 days after creation unless a longer legal or operational need applies. |
| Google Calendar availability cache | Temporary cache only, up to 24 hours. |
| Email logs | Recipient, subject, and timestamp retained for 12 months. |
| Lead and CRM data | Retained while the account is active and deleted within 30 days of account closure. |
| SMS consent records | Retained for TCPA purposes with a minimum five-year posture in the privacy policy. |
Privacy and deletion requests stay public: privacy@kaicalls.com and support@kaicalls.com.