Most VoIP providers have a security page on their website that says "enterprise-grade security" and "bank-level encryption." These phrases mean nothing. Here is what DialPhone actually does — with technical specifics, not marketing language.
Encryption: What We Enforce
| Layer | Standard | Enforcement |
|---|---|---|
| SIP signalling | TLS 1.3 | Mandatory — TLS 1.0/1.1 rejected |
| Voice media | SRTP (AES-128) | Mandatory — unencrypted RTP rejected |
| Recordings at rest | AES-256 | All recordings encrypted before storage |
| Admin portal | HTTPS with HSTS | Certificate pinning, no mixed content |
| API access | OAuth 2.0 + API keys | Rate-limited, IP-restricted optional |
What "mandatory" means: If your phone or softphone attempts to connect without TLS, the connection is refused. There is no fallback to unencrypted SIP. This is a deliberate choice — some older IP phones do not support TLS. We accept that trade-off because security is not optional.
Toll Fraud Prevention: 4 Layers
Layer 1: Registration Security
- Minimum 16-character SIP passwords (auto-generated)
- fail2ban blocks IP after 5 failed registration attempts
- Geographical IP filtering available (restrict registrations to UK only)
Layer 2: Call Policy Engine
- International calling disabled by default
- Per-extension daily spend limits
- Premium-rate numbers blocked globally
- Concurrent call limits per extension
Layer 3: Real-Time Anomaly Detection
- Alert: > 5 international calls in 1 hour (if unusual for that extension)
- Alert: Any call to a known premium-rate range
- Alert: Calls outside business hours to international destinations
- Alert: Registration from a new IP address
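The four Layer 3 rules, as an added example that is not DialPhone's code: a small Python evaluator run over constructed call records. It assumes a CDR tuple of (timestamp, extension, destination, source IP), UK business hours of 08:00 to 18:00, the UK 09x prefixes as the premium-rate range, that the source IP of a call stands in for the registering IP, and a `high_intl_exts` set to express "if unusual for that extension".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds follow the Layer 3 rules above; business hours and the
# premium-rate prefixes are assumptions made for this example.
INTL_CALLS_PER_HOUR = 5
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 local (assumed)
PREMIUM_PREFIXES = ("+4490", "+4491")   # UK 09x premium ranges (assumed)
HOME_COUNTRY = "+44"

def detect(records, known_ips, high_intl_exts=frozenset()):
    """Scan CDRs (iso_time, extension, destination, source_ip) in time order
    and return (extension, rule, detail) alerts. known_ips is not modified."""
    seen = {ext: set(ips) for ext, ips in known_ips.items()}
    recent_intl = defaultdict(list)     # extension -> recent intl call times
    alerts = []
    for ts, ext, dest, ip in records:
        t = datetime.fromisoformat(ts)
        if ip not in seen.setdefault(ext, set()):       # registration from new IP
            seen[ext].add(ip)
            alerts.append((ext, "new-ip", ip))
        if dest.startswith(PREMIUM_PREFIXES):            # known premium-rate range
            alerts.append((ext, "premium-rate", dest))
        if not dest.startswith(HOME_COUNTRY):            # international destination
            if t.hour not in BUSINESS_HOURS:
                alerts.append((ext, "out-of-hours-intl", dest))
            window = [x for x in recent_intl[ext] if t - x < WINDOW] + [t]
            recent_intl[ext] = window
            # burst rule only fires where heavy intl use is unusual for the ext
            if len(window) > INTL_CALLS_PER_HOUR and ext not in high_intl_exts:
                alerts.append((ext, "intl-burst", len(window)))
    return alerts

# Constructed sample CDRs (not DialPhone data): ext 201 makes 6 US calls in an
# hour, 202 dials a premium number, 203 calls France at night, 204 registers
# from an IP it has never used before.
SAMPLE = [("2024-03-04T09:%02d:00" % m, "201", "+12125550100", "203.0.113.10")
          for m in range(0, 60, 10)] + [
    ("2024-03-04T10:15:00", "202", "+449087654321", "203.0.113.11"),
    ("2024-03-04T22:30:00", "203", "+33123456789", "203.0.113.12"),
    ("2024-03-04T23:00:00", "204", "+442079460000", "198.51.100.7"),
]
KNOWN = {"201": {"203.0.113.10"}, "202": {"203.0.113.11"},
         "203": {"203.0.113.12"}, "204": {"203.0.113.13"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE, KNOWN):
        print(alert)
```

Each rule fires once on the sample set; adding extension 201 to `high_intl_exts` suppresses only the burst alert, which is how a legitimately international-heavy extension avoids noise.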
Layer 4: Automatic Response
- Extension auto-disabled after spend limit exceeded
- IP auto-blocked after anomaly threshold
- Notification to admin within 60 seconds of any alert
Result: Zero successful toll fraud incidents across our customer base in 24 months. We have blocked 847 attempted attacks.
Data Protection
| Requirement | Our Implementation |
|---|---|
| UK data residency | All recordings stored in UK data centres (London + Manchester) |
| Data retention | Customer-configurable: 30 days to 7 years |
| Right to erasure | Self-service deletion from admin portal |
| Subject Access Requests | Searchable by phone number, date, extension — exportable in WAV/MP3 |
| Data Processing Agreement | Signed with every customer before service starts |
| Annual penetration test | Conducted by CREST-certified firm, results available on request |
What We Publish That Others Don't
| Information | DialPhone | Industry Average |
|---|---|---|
| Real-time status page | Public | 40% of providers |
| Incident postmortems | Published within 72 hours | 15% of providers |
| Measured uptime (not SLA) | Published monthly | 5% of providers |
| Penetration test summary | Available on request | 10% of providers |
| SOC 2 Type II report | Available on request | 30% of providers |
| Security whitepaper | Public download | 20% of providers |
The Audit We Run on Ourselves
Every quarter, we run a security audit against our own infrastructure:
- [ ] SIP brute force test (verify fail2ban triggers correctly)
- [ ] Attempt unencrypted SIP registration (verify rejection)
- [ ] Attempt call to premium-rate number (verify block)
- [ ] Test toll fraud anomaly detection (verify alert fires)
- [ ] Review all admin portal access logs
- [ ] Verify recording encryption integrity
- [ ] Test data export for SAR compliance
- [ ] Validate backup and disaster recovery
Results are documented and available to enterprise customers under NDA.
Why This Matters
The average cost of a VoIP security incident for a UK SMB is £18,000 (toll fraud + investigation + remediation). The average cost of prevention: £0 (it is included in the service).
Security is not a premium feature at DialPhone. It is the baseline.