Security posture

How we keep your dialer safe.

Concrete, line-item answers — no “industry-leading” or “military-grade.” Everything below is in production today. If you need something specific for compliance, ask.

Hardened base image

  • TLS via Let's Encrypt, auto-renewing.
  • Firewall on by default, only required ports open.
  • fail2ban configured against SSH brute-force.
  • Default passwords removed before the server hits ACTIVE.
  • SSH password authentication disabled.

SSH access architecture

  • Per-provision ephemeral keypair, never reused across customers.
  • Platform operations authenticated by short-lived (1h) SSH certificates from a Certificate Authority — not a static shared key.
  • Customer keys live in a dedicated table, synced atomically; remove them and they're gone within seconds.
  • CA private key sealed at rest with AES-256-GCM, only loaded into worker memory at sign time.

Account auth

  • TOTP 2FA with 10 single-use backup codes.
  • Passkey (FIDO2 / WebAuthn) support — biometric or hardware key sign-in.
  • Passwords checked against the haveibeenpwned breach corpus on signup, reset, and change.
  • Suspicious-login email alerts when a new IP or new device touches your account.
  • Active session list per user, revoke any session with one click.

Data at rest

  • Encrypted secrets (Cloudflare tokens, VICIdial admin passwords, CA private keys) sealed via AES-256-GCM with a server-side master key.
  • Database connections via TLS.
  • Customer payment details handled entirely by Stripe; we never see card numbers.

Audit + observability

  • Every server state transition, billing event, admin action, and impersonation session is logged in a single AuditLog table.
  • Admin impersonation is time-limited (1 hour), banner-marked across the UI, and requires a written justification.
  • Filterable + exportable from /admin/audit. Public API access (preview).
  • Suspicious activity surfaces on a public status page in real time.

Sub-users + permissions

  • Three roles: Billing, Operator, Viewer. Owner is a fourth implicit role.
  • Destructive actions (cancel, change plan, delete) restricted to the owner.
  • Membership invitations via signed token, 7-day expiry.
  • Revoking a sub-user kills all their sessions immediately.

Anti-abuse

  • CAPTCHA (Cloudflare Turnstile) on signup + login.
  • Disposable-email blocklist (~250 providers) on signup.
  • Per-IP and per-email rate limits across auth + checkout.
  • Honeypot fields on every public form.
  • Stripe Radar integration with critical-severity alerts on early-fraud-warning events.

Operational safety

  • Servers stuck in INSTALLING for >45 min auto-fail and trigger automatic refunds.
  • Daily snapshots retained 7 days (Pro+).
  • Provisioning failures within 1 hour of payment auto-refund without ticket.
  • Health checks every minute; sustained failures open public incidents.

GDPR + privacy

  • Self-serve account anonymization from /dashboard/settings.
  • Sub-processor list at /sub-processors.
  • DPA available pre-purchase — no enterprise gating.
  • Data residency: your data stays in the region you pick at order time.

Reporting a security issue

We respond to every disclosure within 24 hours. If you’ve found a vulnerability, email us. A public PGP key is coming soon; in the meantime we accept TLS-encrypted email.

Email security@vicifast.com