
Security Overview

Last updated: May 2026

This page gives a high-level overview of SimpleFiber's security posture. It is intended for prospective customers conducting vendor security reviews, and for existing customers documenting their own compliance programs. The named subprocessor list and full security controls inventory are available to customers under our Master Services Agreement — email legal@simplefiber.com to request them.

Infrastructure

  • Primary data center: Tier III+ co-location facility in the Dallas-Fort Worth metroplex, with redundant power, cooling, and physical access controls.
  • Cloud-hosted components: SOC 2 Type II hosting providers for the customer portal, website, database, and backup storage. All providers are US-based and process data within the United States.
  • Voice services: Carrier-grade VoIP infrastructure with geographically distributed media servers, SIP allowlisting on every signaling endpoint, and redundant upstream carriers for outbound termination.
  • AI receptionist: Three-tier topology (sandbox, production-test, production-live) with synthetic-call canary monitoring and automated failover across primary + secondary providers for speech-to-text, language modeling, and text-to-speech.

Encryption

  • In transit: TLS 1.2 minimum for all web, portal, and API traffic. TLS 1.3 where supported. SIP traffic uses TLS where the upstream carrier supports it.
  • At rest: AES-256 server-side encryption for backups in object storage. Database encryption at the storage layer.
  • Secrets management: API keys, signing keys, and credentials stored in environment-scoped secret stores; automated pre-commit secret scanning prevents accidental exposure to source control.

Access controls

  • Identity: All employee access through Microsoft Entra (Azure AD) with conditional access policies and multi-factor authentication enforced on every admin account.
  • Email security: Microsoft Defender for Office 365 with Safe Links and Safe Attachments enabled in Block mode. SPF, DKIM, and DMARC (p=quarantine) enforced on the simplefiber.com domain.
  • Endpoint security: Microsoft Defender for Endpoint EDR on admin workstations, managed through Intune.
  • Privileged access: Production server access limited to a named operations group, audit-logged, and monitored via Uptrends with phone-tree escalation.
  • Customer portal: Tenant isolation enforced at the data layer; cross-tenant queries are blocked by scope middleware and database-level row-level security policies.

Data handling

  • Customer Proprietary Network Information (CPNI): Handled per FCC requirements. See the CPNI page for the specific controls and your rights.
  • Call recordings & transcripts: Stored encrypted at rest. Access scoped to the tenant's authorized users plus our support staff under standard confidentiality. Transcripts are not used to train AI models.
  • Data residency: All customer data processed and stored within the United States. We do not transfer data cross-border.
  • Data retention: See the Privacy Policy Section 10 for retention windows. Customers may request a data export or deletion via privacy@simplefiber.com.

Subprocessors

SimpleFiber engages third-party service providers ("subprocessors") for cloud hosting, telecommunications transport, speech recognition, language modeling, email delivery, payment processing, and analytics. Every subprocessor is bound by contractual terms that require them to:

  • Process data only on our documented instructions and only for the scope of the service they provide.
  • Maintain confidentiality, security, and privacy standards that meet or exceed applicable law.
  • Refrain from using customer data for their own purposes, including AI/ML training, without specific opt-in.

A current named subprocessor list is available to existing customers on request under our Master Services Agreement — email legal@simplefiber.com. We notify customers in advance of any material change to the list as required by their contracts.

Backup & disaster recovery

  • Daily backups: Encrypted snapshots to versioned object storage with a deny-delete IAM policy, which protects against accidental and malicious deletion.
  • Heartbeat monitoring: A dead-man watchdog alerts on any missed daily sync.
  • Quarterly restore drills: End-to-end recovery from backup is tested every quarter on a non-production VM, with the procedure documented in our internal runbook.
  • Versioning: Historical file versions retained for point-in-time recovery from corruption or ransomware.

Monitoring & incident response

  • Server monitoring: Uptrends, 24/7, with phone-tree escalation to on-call.
  • Application monitoring: OpenTelemetry traces shipped to Honeycomb, structured logs, error spike detection.
  • Severity definitions & SLOs: Documented internally; customer-impacting outages receive a written postmortem.
  • Notification: Customers are notified of security incidents that affect their data within the timeframe required by applicable law (and in any case within 72 hours of confirmation).

Compliance posture

  • FCC CPNI: Compliant. See CPNI page.
  • SOC 2: Our cloud hosting providers carry SOC 2 Type II reports. SimpleFiber as an entity is not currently SOC 2 certified.
  • HIPAA: The AI Receptionist product is not HIPAA-compliant. Healthcare-covered entities should review the HIPAA exclusion clause in our standard terms before signing. We do not sign Business Associate Agreements for the AI Receptionist today.
  • GDPR / CCPA: Our products are offered in the United States. We honor data-subject rights for U.S. residents under applicable state laws (Texas Data Privacy and Security Act, California Consumer Privacy Act).

Vulnerability disclosure

We welcome reports of security vulnerabilities. See our security.txt for the current disclosure path, preferred contact addresses, and language. The short version:

Requesting more detail

For a full vendor security review, subprocessor list, SOC 2 reports of our hosting providers, or a copy of our Data Processing Addendum, email legal@simplefiber.com with your company name and the contract you're evaluating against. We typically respond within 2 business days. Materials are shared under our standard Master Services Agreement or NDA.