Your Data. Protected.

Security & Compliance

VoiceBen is built with security-first principles. Here's how we protect your data and ensure the platform operates reliably for the people who depend on it.

  • TLS 1.2+ Everywhere: All traffic encrypted in transit
  • Encrypted at Rest: Sensitive fields hashed (bcrypt)
  • PCI-Compliant Payments: Stripe — we never touch card data
  • A2P 10DLC Registered: US SMS fully compliant
  • CSRF & Injection Protected: All forms protected
  • No Data Selling: Never sold or shared for marketing

Data Encryption

All data transmitted between your browser and VoiceBen's servers is encrypted using TLS 1.2 or higher. Passwords are hashed using bcrypt with a work factor of 12 — they are never stored in plain text and cannot be reversed.

Check-in tokens are generated using cryptographically secure random bytes (random_bytes(32)), making them practically impossible to guess or forge.

Data Type | Protection
Passwords | bcrypt (cost 12) — irreversible one-way hash
Check-in tokens | 256-bit cryptographically random, single-use, time-limited
Password reset tokens | 256-bit random, expire in 1 hour, single-use
Session data | Server-side PHP sessions, HttpOnly + SameSite cookies
All form submissions | CSRF token validation on every POST request
All DB queries | PDO prepared statements — SQL injection prevention
All output rendering | htmlspecialchars() / UTF-8 escaping — XSS prevention
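
One way to issue and redeem a 256-bit, single-use, time-limited token of the kind described above, as an added PHP example (not VoiceBen's code). The table and column names, the in-memory SQLite database, the 15-minute lifetime and the choice to store only a SHA-256 digest of the token are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: schema, TTL and digest storage are assumptions, not VoiceBen's design.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE checkin_tokens (
    token_hash TEXT PRIMARY KEY,
    member_id  INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    used_at    INTEGER
)');

function issueToken(PDO $pdo, int $memberId, int $ttlSeconds): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the OS CSPRNG
    $stmt = $pdo->prepare(
        'INSERT INTO checkin_tokens (token_hash, member_id, expires_at) VALUES (?, ?, ?)'
    );
    // Store only a SHA-256 digest so a database leak does not expose usable links.
    $stmt->execute([hash('sha256', $token), $memberId, time() + $ttlSeconds]);
    return $token;                                // placed in the link sent to the member
}

function redeemToken(PDO $pdo, string $token): bool
{
    // Reject anything that is not 64 lowercase hex characters before touching the database.
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return false;
    }
    // One conditional UPDATE enforces single-use and expiry atomically:
    // two concurrent requests cannot both find used_at IS NULL and succeed.
    $stmt = $pdo->prepare(
        'UPDATE checkin_tokens SET used_at = :used
          WHERE token_hash = :hash AND used_at IS NULL AND expires_at > :now'
    );
    $now = time();
    $stmt->execute([':used' => $now, ':hash' => hash('sha256', $token), ':now' => $now]);
    return $stmt->rowCount() === 1;
}

$token = issueToken($pdo, 42, 900);               // constructed member id, 15-minute TTL
var_dump(redeemToken($pdo, $token));              // first use of the link
var_dump(redeemToken($pdo, $token));              // replay of the same link
var_dump(redeemToken($pdo, str_repeat('0', 64))); // well-formed but never issued
var_dump(redeemToken($pdo, issueToken($pdo, 42, -1))); // issued already expired
```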

Access Control

VoiceBen uses role-based access control with three distinct roles:

  • Member: Can only access their personal check-in link. No dashboard, no login, no access to any account data.
  • Subscriber: Can only see their own members, contacts, and billing data. Cannot access other subscribers' data.
  • Admin: Uses a completely separate admin session with additional authentication. Admin actions are audit-logged.

Every authenticated page validates session status on every request. Suspended accounts are immediately rejected. Sessions are regenerated on login to prevent fixation attacks.

Third-Party Providers

VoiceBen uses a small number of carefully selected, industry-leading providers. We share the minimum data required for each service:

Provider | Purpose | Data Shared | Compliance
Stripe | Payment processing | Name, email, billing address | PCI DSS Level 1
Twilio | SMS delivery | Phone number, message body | SOC 2 Type II · A2P 10DLC registered
Mailtrap | Transactional email | Name, email address, message content | GDPR-compliant infrastructure

No data is shared with any other third parties. We do not use advertising networks, analytics platforms that share data, or social login providers.

SMS & A2P 10DLC Compliance

All US SMS messages sent by VoiceBen are delivered via a Twilio number registered under the CTIA A2P 10DLC (Application-to-Person, 10-Digit Long Code) program.

  • Brand Registration: VoiceBen is registered as an A2P Brand with the Campaign Registry (TCR), confirming we are a legitimate business operator.
  • Campaign Registration: Each SMS use case (check-in prompts, escalation alerts) is registered as a separate campaign with explicit opt-in consent documented.

Members and contacts who receive SMS messages have given explicit consent by being added to the system by the account subscriber. All messages include "Reply STOP to unsubscribe" in compliance with CTIA guidelines.

Data Retention

Data Type | Bronze | Silver | Gold
Check-in history | 30 days | 90 days | 365 days
Escalation logs | 30 days | 90 days | 365 days
Account data (active) | Retained while account is active
Account data (cancelled) | Retained for 30 days, then permanently deleted
Login attempt logs | 15 minutes (for rate limiting), then purged

Incident Response

In the event of a security incident that affects personal data, we commit to:

  • Notify affected subscribers within 72 hours of becoming aware of a breach
  • Report to relevant supervisory authorities as required by applicable law
  • Provide a clear description of what data was affected, how, and what remediation is underway
  • Maintain an internal incident log for all security events

To report a security vulnerability responsibly, please email security@voiceben.com. We aim to acknowledge reports within 24 hours.

Security contacts

  • Vulnerability reports: security@voiceben.com
  • General security: hello@voiceben.com
  • Billing / fraud: billing@voiceben.com

Care facility requirements?

We can provide a Data Processing Agreement (DPA) and security questionnaire for enterprise and care facility customers.
