
# Security and compliance

> Comprehensive security practices, data protection, and compliance standards for Quo, formerly OpenPhone, communications

## Overview

Quo maintains enterprise-grade security practices to protect your communications and data. Our comprehensive security framework includes infrastructure protection, data encryption, compliance certifications, and ongoing security improvements.

## Infrastructure security

### Cloud platform

**Amazon Web Services (AWS):**

* Enterprise-grade cloud infrastructure
* Multiple availability zones for redundancy
* Industry-leading physical security
* Continuous monitoring and threat detection

**Cloudflare protection:**

* DDoS protection and web application firewall
* Global content delivery network
* SSL/TLS encryption for all connections
* Real-time threat intelligence

### Monitoring and availability

**Service monitoring:**

* 24/7 system monitoring
* Automated alerting for issues
* Public status page: [status.quo.com](https://status.quo.com/)
* Proactive incident response

<Info>
  View real-time service status and historical uptime data on our [status page](https://status.quo.com/).
</Info>

## Data protection

### Backup and recovery

**Backup strategy:**

* **Daily backups** of all databases
* **Hourly backups** for high-priority systems
* **Multi-location storage** across geographically distributed data centers
* **Automated recovery testing** to ensure backup integrity

**Data retention:**

* Data retained as long as you maintain your account
* 30-day retention period after account cancellation
* Permanent deletion available upon request

### Privacy compliance

**Supported regulations:**

* **GDPR (General Data Protection Regulation)**: European Union data protection
* **CCPA (California Consumer Privacy Act)**: California privacy rights
* **PIPEDA**: Canadian personal information protection

**Data rights management:**

* Self-service data export through workspace settings
* Account deletion through subscription cancellation
* Complete data removal available through support request
* Transparent data handling practices

<Note>
  Contact our [Support Team](https://support.quo.com/help/submit-a-request) for complete data removal from all systems.
</Note>

## Application security

### Communication encryption

**Text messaging:**

* End-to-end encryption in transit
* Secure transmission to carrier networks
* Message content protected during delivery
* Encrypted storage of message history

**Voice calling:**

* **WebRTC technology** for secure real-time communication
* **TLS encryption** for call signaling and setup
* **Encrypted media streams** during active calls
* **Complete privacy** and data integrity

### Data encryption

**Encryption standards:**

* **AES-256 encryption** for data at rest
* **TLS 1.3** for data in transit
* **End-to-end encryption** for communications
* **Key management** through AWS encryption services

**Protected data includes:**

* Contact information and conversation history
* Call recordings and voicemail files
* User account data and preferences
* Billing and payment information

## Compliance certifications

### SOC 2 Type II

**Compliance overview:**

* **SOC 2 Type II certified** for security, availability, and confidentiality
* **Annual audits** by independent third-party assessors
* **Continuous monitoring** of security controls
* **Comprehensive documentation** of security procedures

**Trust principles covered:**

* **Security**: Protection against unauthorized access
* **Availability**: System operational availability as committed
* **Confidentiality**: Information designated as confidential is protected

<Info>
  Learn more about our [SOC 2 certification and security practices](https://support.quo.com/core-concepts/administration/soc2-compliance).
</Info>

## Payment security

### PCI compliance

**Stripe payment processing:**

* **PCI Service Provider Level 1** certified
* **Highest level** of payment industry certification
* **Secure tokenization** of payment information
* **Fraud detection** and prevention systems

**Payment protection:**

* Credit card information never stored on Quo servers
* Encrypted transmission of all payment data
* Regular security audits and compliance reviews
* Multi-factor authentication for billing changes

<Info>
  Learn more about Stripe's security practices in their [security documentation](https://stripe.com/docs/security).
</Info>

## Industry-specific compliance

### Healthcare (HIPAA)

Quo can be used in a HIPAA-compliant manner when configured and managed appropriately.

Customers on **Business or Scale plans** can request a **Business Associate Agreement (BAA)**. A signed BAA is required to handle protected health information (PHI) under HIPAA.

<Note>
  To request your BAA, please fill out [this form](https://openphone.typeform.com/to/vAX6Mdaz).
</Note>

Once signed, your organization can use Quo to communicate with patients in compliance with HIPAA’s Privacy and Security Rules.

**Included safeguards and features:**

* Encrypted storage for calls, voicemails, and messages that remain within Quo’s infrastructure
* Access controls and audit logging for oversight
* Secure session management and automatic timeouts

**Supported usage:**

* General practice management and patient coordination
* Communication involving protected health information (PHI), when used under a signed BAA and in accordance with HIPAA’s Privacy and Security Rules<sup>\*</sup>
* Patient calls, voicemails, and messages handled in accordance with HIPAA’s Privacy and Security Rules<sup>\*</sup> and your organization’s policies

<sub>\*Details are outlined in your Business Associate Agreement (BAA). For general guidance and examples of HIPAA-compliant use, see </sub>[<sub>Using Quo in a HIPAA-compliant manner.</sub>](https://support.openphone.com/core-concepts/administration/hippa-compliance#using-quo-in-a-hipaa-compliant-way)

<Info>
  This information is provided for educational purposes only and does not constitute legal advice.
</Info>

### Financial services

**Current capabilities:**

* SOC 2 compliance supports financial industry security requirements
* Encryption standards meet banking industry expectations
* Data retention policies align with financial regulations
* Contact support for specific compliance requirements

## Security best practices

### For administrators

**Account security:**

* Use strong, unique passwords for admin accounts
* Enable two-factor authentication where available
* Regularly review team member access and permissions
* Monitor workspace activity for unusual behavior

**Data management:**

* Export data regularly for backup purposes
* Document access controls and permission changes
* Train team members on security best practices
* Establish clear data handling policies

### For all users

**Communication security:**

* Avoid sharing sensitive information in text messages
* Use voice calls for confidential discussions
* Verify recipient before sending sensitive information
* Report suspicious activity to administrators

**Device security:**

* Keep Quo apps updated to the latest versions
* Use device lock screens and authentication
* Log out of shared or public devices
* Report lost or stolen devices immediately

## Incident response

### Security monitoring

**Continuous protection:**

* 24/7 security monitoring and threat detection
* Automated incident response procedures
* Regular penetration testing and vulnerability assessments
* Proactive security updates and patches

### Incident reporting

**If you suspect a security issue:**

1. **Contact support immediately** through secure channels
2. **Document the incident** with relevant details
3. **Avoid sharing details** publicly until resolved
4. **Follow guidance** from the Quo security team

<Note>
  For security-related questions or concerns, contact our [Support Team](https://support.quo.com/help/submit-a-request).
</Note>

## Privacy and transparency

### Privacy policy

**Comprehensive privacy protection:**

* Clear data collection and usage policies
* Transparent data sharing practices
* User control over personal information
* Regular policy updates to reflect best practices

**Key privacy principles:**

* **Minimal data collection**: Only collect necessary information
* **Purpose limitation**: Use data only for stated purposes
* **Data minimization**: Retain data only as long as needed
* **User control**: Provide access and deletion options

### Transparency reports

**Regular reporting:**

* Annual security assessments and improvements
* Compliance audit results and certifications
* Privacy policy updates and changes
* Security incident summaries (when appropriate)

View our complete [Privacy Policy](https://www.quo.com/privacy) for detailed information about data handling practices.
