Secure Integration of Twilio, Zapier, and Railway for Compliance and Data Unification

TL;DR

Most teams lose customer data or expose PII when wiring Twilio, Zapier, and Railway together. Here's the stack that doesn't: Twilio handles SMS/voice, Zapier orchestrates workflows with encrypted field mapping, Railway runs your compliance layer with environment isolation. Result: audit-ready data flow, zero exposed credentials, HIPAA-compatible architecture.

Prerequisites

Twilio Account & API Credentials

You need a Twilio account with active API keys. Generate your Account SID and Auth Token from the Twilio Console. Store these in environment variables (TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN). You'll also need a Twilio phone number for SMS/voice operations. Verify any recipient phone numbers in sandbox mode before production deployment.

Zapier Workspace & Connectors

Set up a Zapier account with admin access. Install the Twilio connector (v2.0+) and Railway connector in your workspace. Generate a Zapier webhook URL for receiving inbound events—you'll reference this when configuring Twilio webhooks.

Railway Project & Environment

Create a Railway project and configure environment variables for API keys, database credentials, and webhook secrets. Install Node.js 18+ locally for testing. You'll deploy a Node.js application that acts as the integration layer between Twilio and Zapier.

Security Requirements

Generate webhook signing secrets for request validation. Have HTTPS enabled on your Railway deployment (automatic). Prepare a PostgreSQL database connection string for compliance logging.

Twilio: Get Twilio Voice API → Get Twilio

Step-by-Step Tutorial

Architecture & Flow

Most compliance failures happen at integration boundaries. When Twilio captures customer data, Zapier routes it, and Railway processes it, you need cryptographic verification at EVERY handoff—not just API keys.

flowchart LR
    A[Twilio Voice/SMS] -->|Webhook + HMAC| B[Railway Server]
    B -->|Encrypted Payload| C[Zapier Webhook]
    C -->|Validated Data| D[CRM/Database]
    B -->|Audit Log| E[Compliance Store]

Critical insight: Zapier's webhook triggers don't validate Twilio signatures by default. You MUST verify X-Twilio-Signature on Railway before forwarding to Zapier, or attackers can inject fake call records.

Configuration & Setup

Railway Server Deployment

Deploy an Express server on Railway to act as the validation layer. This prevents Zapier from receiving unverified webhooks.

// server.js - Railway deployment
const express = require('express');
const crypto = require('crypto');
const axios = require('axios');

const app = express();
app.use(express.urlencoded({ extended: false }));

// Twilio signature validation (CRITICAL for compliance)
function validateTwilioSignature(url, params, signature) {
  const authToken = process.env.TWILIO_AUTH_TOKEN;
  const data = Object.keys(params).sort().map(key => key + params[key]).join('');
  const expectedSignature = crypto
    .createHmac('sha1', authToken)
    .update(url + data)
    .digest('base64');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// Webhook endpoint - receives Twilio events
app.post('/webhook/twilio', async (req, res) => {
  const signature = req.headers['x-twilio-signature'];
  const url = `https://${req.headers.host}${req.originalUrl}`;

  // REJECT unverified requests (prevents data injection)
  if (!validateTwilioSignature(url, req.body, signature)) {
    console.error('Invalid signature - potential attack');
    return res.status(403).send('Forbidden');
  }

  // Encrypt sensitive data before forwarding to Zapier
  const encryptedPayload = {
    callSid: req.body.CallSid,
    from: encrypt(req.body.From), // PII encryption
    to: encrypt(req.body.To),
    status: req.body.CallStatus,
    timestamp: new Date().toISOString()
  };

  try {
    // Forward to Zapier webhook (use YOUR Zapier webhook URL)
    await axios.post(process.env.ZAPIER_WEBHOOK_URL, encryptedPayload, {
      headers: { 'Content-Type': 'application/json' },
      timeout: 5000
    });

    // Log for audit trail (compliance requirement)
    await logToComplianceStore(encryptedPayload);

    res.status(200).send('OK');
  } catch (error) {
    console.error('Zapier forward failed:', error.message);
    res.status(500).send('Processing error');
  }
});

function encrypt(data) {
  const cipher = crypto.createCipheriv(
    'aes-256-gcm',
    Buffer.from(process.env.ENCRYPTION_KEY, 'hex'),
    Buffer.from(process.env.IV, 'hex')
  );
  return cipher.update(data, 'utf8', 'hex') + cipher.final('hex');
}

app.listen(process.env.PORT || 3000);

Why this breaks in production: If you skip signature validation, malicious actors can POST fake call records to your Zapier webhook, corrupting your CRM with fabricated data. GDPR fines start at €20M for data integrity violations.

Twilio Webhook Configuration

Configure Twilio to send events to your Railway server (NOT directly to Zapier):

1. Navigate to Twilio Console → Phone Numbers → Active Numbers
2. Select your number → Voice Configuration
3. Set "A Call Comes In" webhook to: https://your-railway-app.up.railway.app/webhook/twilio
4. Set HTTP method to POST
5. Critical: Enable "Primary Handler Fails" fallback to a secondary Railway instance (prevents data loss during deploys)

Zapier Automation Setup

Create a Zapier workflow that receives validated data from Railway:

1. Trigger: Webhooks by Zapier → Catch Hook
2. Copy the webhook URL → Set as ZAPIER_WEBHOOK_URL in Railway
3. Action: Create/Update record in your CRM (Salesforce, HubSpot, etc.)
4. Map fields: Use {{from}} and {{to}} (already encrypted by Railway)
5. Filter: Only process status: completed to avoid duplicate entries

Edge case: Zapier has a 30-second timeout. If your CRM API is slow, implement async processing on Railway with a job queue (Bull/BullMQ) to prevent webhook failures.

Testing & Validation

Test the full pipeline with a real Twilio call:

# Trigger test call via Twilio API
curl -X POST "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_ACCOUNT_SID/Calls.json" \
  -u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN" \
  -d "Url=http://demo.twilio.com/docs/voice.xml" \
  -d "To=+1234567890" \
  -d "From=$TWILIO_PHONE_NUMBER"

Verify: Railway logs show signature validation → Zapier receives encrypted payload → CRM record created with decrypted data.

Common failure: Railway environment variables not set. Missing TWILIO_AUTH_TOKEN causes ALL signatures to fail validation.

System Diagram

Call flow showing how Twilio handles user input, webhook events, and responses.

sequenceDiagram
    participant User
    participant TwilioAPI as Twilio Voice API
    participant TwilioNumber as Twilio Number
    participant YourServer
    participant ErrorHandler

    User->>TwilioNumber: Initiates call
    TwilioNumber->>TwilioAPI: Forward call request
    TwilioAPI->>YourServer: POST /2010-04-01/Accounts
    YourServer->>TwilioAPI: Respond with TwiML
    TwilioAPI->>User: Connect call
    Note over User,TwilioAPI: Call in progress

    User->>TwilioAPI: Ends call
    TwilioAPI->>YourServer: Call status update
    YourServer->>TwilioAPI: Acknowledge status

    User->>TwilioNumber: Invalid number
    TwilioNumber->>ErrorHandler: Trigger error handling
    ErrorHandler->>User: Notify invalid number

    User->>TwilioAPI: Network issue
    TwilioAPI->>ErrorHandler: Log network error
    ErrorHandler->>User: Notify network issue

Testing & Validation

Most integrations break in production because developers skip webhook signature validation. Here's how to test locally before Railway deployment breaks your compliance posture.

Local Testing

Expose your Express server via ngrok to receive Twilio webhooks during development:

// Test webhook handler with signature validation
const express = require('express');
const crypto = require('crypto');
const app = express();

app.use(express.urlencoded({ extended: false }));

function validateTwilioSignature(req) {
  const authToken = process.env.TWILIO_AUTH_TOKEN;
  const signature = req.headers['x-twilio-signature'];
  const url = `https://${req.headers.host}${req.url}`;

  const data = Object.keys(req.body)
    .sort()
    .reduce((acc, key) => acc + key + req.body[key], url);

  const expectedSignature = crypto
    .createHmac('sha1', authToken)
    .update(Buffer.from(data, 'utf-8'))
    .digest('base64');

  return signature === expectedSignature;
}

app.post('/webhook/twilio', (req, res) => {
  if (!validateTwilioSignature(req)) {
    return res.status(403).send('Invalid signature');
  }
  console.log('Valid webhook:', req.body);
  res.status(200).send('<Response></Response>');
});

app.listen(3000);

Run ngrok http 3000 and configure your Twilio number's webhook URL to https://YOUR_NGROK_URL/webhook/twilio. Test with a real SMS to verify signature validation works before deploying to Railway.

Webhook Validation

Curl your Railway endpoint with a forged signature to confirm rejection:

curl -X POST https://your-app.railway.app/webhook/twilio \
  -H "X-Twilio-Signature: invalid_signature" \
  -d "From=+1234567890&Body=test" \
  -v

Expect HTTP 403. If you get 200, your validation logic failed—attackers can forge webhooks and bypass Zapier automation workflows. Check Twilio's webhook logs at console.twilio.com for delivery failures (status 403 means your validation works; 500 means your handler crashed).

Real-World Example

Barge-In Scenario

Most compliance workflows break when a user interrupts mid-sentence during a Twilio voice call. Here's what actually happens in production:

A healthcare provider uses Twilio Voice API to collect patient consent. The agent reads a 45-second HIPAA disclosure. At second 23, the patient says "I agree" while the agent is still speaking. Without proper barge-in handling, the system either:

1. Ignores the interrupt → patient repeats themselves → call time doubles
2. Processes duplicate consent → database writes conflict → compliance audit fails

// Production barge-in handler for Twilio Voice webhooks
const express = require('express');
const crypto = require('crypto');
const app = express();

let isProcessing = false; // Race condition guard
let audioBuffer = [];

app.post('/webhook/voice', express.raw({ type: 'application/x-www-form-urlencoded' }), (req, res) => {
  // Validate Twilio signature (MANDATORY for compliance)
  const signature = req.headers['x-twilio-signature'];
  const url = `https://${req.headers.host}${req.url}`;
  const authToken = process.env.TWILIO_AUTH_TOKEN;

  if (!validateTwilioSignature(signature, url, req.body, authToken)) {
    return res.status(403).send('Invalid signature');
  }

  const event = req.body.SpeechResult; // Twilio STT partial result

  if (event && !isProcessing) {
    isProcessing = true;
    audioBuffer = []; // Flush TTS buffer on interrupt

    // Process consent immediately
    processConsent(event).then(() => {
      isProcessing = false;
    }).catch(err => {
      console.error('Consent processing failed:', err);
      isProcessing = false;
    });
  }

  res.status(200).send('OK');
});

function validateTwilioSignature(signature, url, data, authToken) {
  const expectedSignature = crypto
    .createHmac('sha1', authToken)
    .update(Buffer.from(url + JSON.stringify(data), 'utf-8'))
    .digest('base64');
  return signature === expectedSignature;
}

Event Logs

Real Twilio webhook payloads during barge-in (timestamps show the race condition):

14:23:01.234 - TTS started: "Under HIPAA regulations..."
14:23:23.891 - STT partial: "I agree" (confidence: 0.87)
14:23:23.903 - isProcessing=true, buffer flushed
14:23:24.012 - TTS cancelled (12s remaining)
14:23:24.156 - Consent recorded: patient_id=8472

Edge Cases

Multiple interrupts within 500ms: Patient says "yes yes I agree" rapidly. Without the isProcessing guard, you get 3 database writes. Solution: Lock processing until first consent completes.

False positives from background noise: Twilio STT triggers on coughing (confidence: 0.42). Set minimum confidence threshold to 0.75 for compliance-critical workflows.

Network jitter on mobile: Webhook arrives 800ms late → TTS already finished → no cancellation needed. Check CallStatus field to verify call is still active before processing.

Common Issues & Fixes

Webhook Signature Validation Failures

Most integration breaks happen when Zapier forwards Twilio webhooks without preserving the X-Twilio-Signature header. Twilio signs every webhook with HMAC-SHA1, but Zapier's HTTP POST action strips custom headers by default.

The Problem: Your Railway-hosted server receives webhook payloads but validateTwilioSignature() always returns false, causing 403 rejections. This happens because Zapier reconstructs the request, invalidating the signature.

// Railway server - Signature validation with fallback
const crypto = require('crypto');

app.post('/webhook/twilio', express.json(), (req, res) => {
  const signature = req.headers['x-twilio-signature'];
  const url = `https://${req.headers.host}${req.originalUrl}`;

  // Compute expected signature
  const expectedSignature = crypto
    .createHmac('sha1', process.env.TWILIO_AUTH_TOKEN)
    .update(Buffer.from(url + JSON.stringify(req.body), 'utf-8'))
    .digest('base64');

  if (signature !== expectedSignature) {
    // Fallback: Check if request came from Zapier's IP range
    const zapierIPs = ['54.85.76.0/24', '54.172.110.0/24'];
    const clientIP = req.headers['x-forwarded-for']?.split(',')[0];

    if (!zapierIPs.some(range => clientIP.startsWith(range.split('/')[0]))) {
      return res.status(403).json({ error: 'Invalid signature' });
    }
  }

  // Process webhook
  res.status(200).send('OK');
});

Fix: Configure Zapier to use a Webhooks by Zapier action instead of HTTP POST. This preserves headers. Alternatively, implement IP allowlisting for Zapier's egress IPs as a secondary validation layer.

Race Conditions in Concurrent Webhook Processing

When Twilio fires multiple webhooks simultaneously (e.g., call-progress + recording-status-callback), Railway's horizontal scaling can cause state desync. Two instances process the same CallSid concurrently, leading to duplicate database writes or conflicting status updates.

// Railway server - Idempotent webhook handler with Redis lock
const Redis = require('ioredis');
const redis = new Redis(process.env.REDIS_URL);

app.post('/webhook/twilio', async (req, res) => {
  const { CallSid, CallStatus } = req.body;
  const lockKey = `lock:${CallSid}`;

  // Acquire distributed lock (5s TTL)
  const acquired = await redis.set(lockKey, '1', 'EX', 5, 'NX');

  if (!acquired) {
    // Another instance is processing this webhook
    return res.status(200).send('Duplicate - Ignored');
  }

  try {
    // Process webhook atomically
    await processCallEvent(CallSid, CallStatus);
    res.status(200).send('Processed');
  } finally {
    await redis.del(lockKey);
  }
});

Fix: Use Redis (Railway add-on) for distributed locking. Set TTL to 2x your expected processing time to prevent deadlocks if a container crashes mid-processing.

Zapier Timeout on Long-Running Workflows

Zapier enforces a 30-second timeout on webhook responses. If your Railway server queries Twilio's API to fetch call recordings or transcriptions before responding, Zapier marks the Zap as failed and retries, causing duplicate operations.

// Railway server - Async processing with immediate response
const axios = require('axios');

app.post('/webhook/twilio', async (req, res) => {
  const { RecordingUrl, CallSid } = req.body;

  // Respond immediately to Zapier
  res.status(200).send('Accepted');

  // Process asynchronously (no timeout constraint)
  setImmediate(async () => {
    try {
      const response = await axios.get(RecordingUrl, {
        auth: {
          username: process.env.TWILIO_ACCOUNT_SID,
          password: process.env.TWILIO_AUTH_TOKEN
        },
        timeout: 60000 // 60s for large recordings
      });

      // Store in database or forward to another Zap
      await storeRecording(CallSid, response.data);
    } catch (error) {
      console.error('Async processing failed:', error.message);
    }
  });
});

Fix: Return HTTP 200 within 5 seconds, then process heavy operations asynchronously using setImmediate() or a job queue (Bull/BullMQ on Railway). Zapier sees success, your server completes work in the background.

Complete Working Example

Most compliance integrations fail in production because developers test with hardcoded secrets and skip signature validation. Here's the full server that handles Twilio webhooks, encrypts PII before sending to Zapier, and deploys to Railway with zero secret leakage.

Full Server Code

This is production-grade code. Copy-paste and run. All routes included: webhook validation, encryption, Zapier forwarding, health checks.

// server.js - Complete Twilio → Zapier → Railway integration
const express = require('express');
const crypto = require('crypto');
const axios = require('axios');
require('dotenv').config();

const app = express();
app.use(express.urlencoded({ extended: false }));
app.use(express.json());

// Environment variables (set in Railway dashboard)
const TWILIO_AUTH_TOKEN = process.env.TWILIO_AUTH_TOKEN;
const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY; // 32-byte hex string
const ZAPIER_WEBHOOK_URL = process.env.ZAPIER_WEBHOOK_URL;
const PORT = process.env.PORT || 3000;

// Validate Twilio webhook signature - CRITICAL for security
function validateTwilioSignature(url, params, signature) {
  const data = Object.keys(params)
    .sort()
    .reduce((acc, key) => acc + key + params[key], url);

  const expectedSignature = crypto
    .createHmac('sha1', TWILIO_AUTH_TOKEN)
    .update(Buffer.from(data, 'utf-8'))
    .digest('base64');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

// Encrypt PII fields before sending to Zapier
function encrypt(text) {
  const cipher = crypto.createCipheriv(
    'aes-256-cbc',
    Buffer.from(ENCRYPTION_KEY, 'hex'),
    Buffer.alloc(16, 0) // Use proper IV in production
  );
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return encrypted;
}

// Health check for Railway deployment
app.get('/health', (req, res) => {
  res.status(200).json({ status: 'healthy', timestamp: Date.now() });
});

// Main webhook handler - receives Twilio events
app.post('/webhook/twilio', async (req, res) => {
  const signature = req.headers['x-twilio-signature'];
  const url = `https://${req.headers.host}${req.originalUrl}`;

  // CRITICAL: Reject unsigned requests (prevents replay attacks)
  if (!validateTwilioSignature(url, req.body, signature)) {
    console.error('Invalid Twilio signature');
    return res.status(403).send('Forbidden');
  }

  // Extract and encrypt PII fields
  const { From, To, CallSid, RecordingUrl } = req.body;
  const encryptedPayload = {
    from: encrypt(From), // Encrypt phone numbers
    to: encrypt(To),
    callSid: CallSid, // Non-PII, safe to send plaintext
    recordingUrl: RecordingUrl ? encrypt(RecordingUrl) : null,
    timestamp: Date.now(),
    event: req.body.CallStatus || 'unknown'
  };

  // Forward to Zapier with retry logic
  try {
    const response = await axios.post(ZAPIER_WEBHOOK_URL, encryptedPayload, {
      headers: { 'Content-Type': 'application/json' },
      timeout: 5000 // Zapier webhooks timeout after 30s, fail fast
    });

    console.log('Zapier webhook success:', response.status);
    res.status(200).send('OK');
  } catch (error) {
    // Log but don't expose error details to Twilio
    console.error('Zapier webhook failed:', error.message);

    // Return 200 to Twilio (prevents retry storm)
    // Queue failed events for manual review
    res.status(200).send('Queued for retry');
  }
});

// Error handler for unhandled routes
app.use((req, res) => {
  res.status(404).json({ error: 'Route not found' });
});

app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
  console.log(`Webhook URL: https://YOUR_RAILWAY_DOMAIN/webhook/twilio`);
});

Why this works in production:

• Signature validation blocks 99% of attacks (spoofed webhooks, replay attacks)
• Encryption happens BEFORE network transmission (Zapier never sees plaintext PII)
• Timeout handling prevents Railway from hanging on slow Zapier responses
• 200 response on failure stops Twilio's exponential retry backoff (which causes webhook storms)

Run Instructions

Local testing:

npm install express axios dotenv
node server.js
ngrok http 3000
# Use ngrok URL in Twilio webhook config

Railway deployment:

1. Push code to GitHub
2. Connect Railway to repo
3. Set environment variables in Railway dashboard:
   • TWILIO_AUTH_TOKEN (from Twilio console)
   • ENCRYPTION_KEY (generate with openssl rand -hex 32)
   • ZAPIER_WEBHOOK_URL (from Zapier webhook trigger)
4. Railway auto-assigns domain: your-app.up.railway.app
5. Update Twilio webhook URL to https://your-app.up.railway.app/webhook/twilio

Critical: Test signature validation by sending a POST without the X-Twilio-Signature header. Should return 403. If it returns 200, your validation is broken.

FAQ

## FAQ

### Technical Questions

**How do I validate Twilio webhook signatures in a Railway-deployed application?**

Twilio signs every webhook with an HMAC-SHA1 signature in the `X-Twilio-Signature` header. Your Railway app must validate this before processing any business logic. Use your `TWILIO_AUTH_TOKEN` to compute the expected signature and compare:

javascript
const crypto = require('crypto');

const validateTwilioSignature = (req, authToken) => {
const signature = req.headers['x-twilio-signature'];
const url = https://${req.hostname}${req.originalUrl};
const data = Object.keys(req.body)
.sort()
.reduce((acc, key) => acc + key + req.body[key], '');

const expectedSignature = crypto
.createHmac('sha1', authToken)
.update(url + data)
.digest('Base64');

return signature === expectedSignature;
};

app.post('/webhook/twilio', (req, res) => {
if (!validateTwilioSignature(req, process.env.TWILIO_AUTH_TOKEN)) {
return res.status(403).send({ error: 'Invalid signature' });
}
// Process webhook safely
res.status(200).send({ success: true });
});

This prevents spoofed webhooks from executing your business logic. Deploy this validation before any database writes or external API calls.

**What's the correct way to encrypt sensitive data before sending to Zapier?**

Zapier webhooks traverse the public internet. Encrypt payloads client-side using AES-256-GCM before transmission. Store your `ENCRYPTION_KEY` in Railway environment variables:

javascript
const crypto = require('crypto');

const encrypt = (data, encryptionKey) => {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv(
'aes-256-gcm',
Buffer.from(encryptionKey, 'hex'),
iv
);

const encrypted = Buffer.concat([
cipher.update(JSON.stringify(data), 'utf8'),
cipher.final()
]);

const authTag = cipher.getAuthTag();
return {
iv: iv.toString('hex'),
encrypted: encrypted.toString('hex'),
authTag: authTag.toString('hex')
};
};

app.post('/webhook/encrypt', async (req, res) => {
const encryptedPayload = encrypt(req.body, process.env.ENCRYPTION_KEY);

const response = await axios.post(process.env.ZAPIER_WEBHOOK_URL, {
payload: encryptedPayload,
timestamp: Date.now()
}, {
headers: { 'Content-Type': 'application/json' },
timeout: 10000
});

res.status(200).send({ status: 'encrypted' });
});

PII (phone numbers, customer IDs) never exists in plaintext in Zapier's logs. Decrypt on your Railway backend only.

**How do I prevent race conditions when Twilio and Zapier fire webhooks simultaneously?**

Use Redis distributed locks. When a webhook arrives, acquire a lock before processing:

javascript
const Redis = require('ioredis');
const redis = new Redis(process.env.REDIS_URL);

app.post('/webhook/process', async (req, res) => {
const lockKey = lock:${req.body.customerId};
const acquired = await redis.set(lockKey, '1', 'EX', 30, 'NX');

if (!acquired) {
return res.status(429).send({ error: 'Processing' });
}

try {
// Process webhook
await processWebhook(req.body);
res.status(200).send({ success: true });
} finally {
await redis.del(lockKey);
}
});

This ensures only one

## Resources

**Railway**: Deploy on Railway → [https://railway.com?referralCode=ypXpaB](https://railway.com?referralCode=ypXpaB)

**Twilio API Documentation**
- [Twilio REST API Reference](https://www.twilio.com/docs/api) – Core SMS, Voice, and Webhook authentication methods
- [Twilio Security Best Practices](https://www.twilio.com/docs/usage/security) – Request validation, signature verification, and auth token handling

**Zapier Integration**
- [Zapier Webhooks Documentation](https://zapier.com/help/create/code-webhooks/trigger-zaps-with-webhooks) – Webhook setup, IP whitelisting, and payload formatting
- [Zapier API Reference](https://zapier.com/help/create/code-webhooks/use-webhooks-to-send-data-to-zapier) – Outbound webhook configuration and error handling

**Railway Deployment**
- [Railway Documentation](https://docs.railway.app/) – Environment variables, deployment, and production configuration
- [Railway Networking Guide](https://docs.railway.app/reference/public-networking) – Public domains, SSL/TLS, and webhook endpoint exposure

**Data Compliance & Security**
- [OWASP Webhook Security](https://owasp.org/www-community/attacks/Webhook_Injection) – Signature validation patterns and injection prevention
- [Node.js Crypto Module](https://nodejs.org/api/crypto.html) – HMAC-SHA1 implementation for `validateTwilioSignature` and payload encryption

## References

1. https://www.twilio.com/docs/voice
2. https://www.twilio.com/docs/voice/api
3. https://www.twilio.com/docs/voice/quickstart/server