
Overview

Telepath implements enterprise-grade security for your Voice AI infrastructure. Understand and implement these best practices to keep your system secure.

Credential Management

API Key Security

Your API keys are sensitive credentials that grant full access to your account.
Best Practices:
  1. Never Commit Keys:
    github_secret = "sk_live_abc123def456..."  # ❌ DON'T: key hardcoded in source
    import os
    github_secret = os.environ['TELEPATH_API_KEY']  # ✅ DO: read it from the environment
    
  2. Use Environment Variables:
    export TELEPATH_API_KEY="sk_live_abc123def456..."
    
  3. Rotate Regularly:
    • Rotate every 90 days
    • Immediately if exposed
    • When team members leave
  4. Scope Keys Appropriately:
    • Create separate keys for different services
    • Use read-only keys where possible
    • Revoke unused keys
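
A check for the "Never Commit Keys" rule, as an added example that is not part of the Telepath documentation: it walks a source tree and reports hardcoded keys with the value redacted. It assumes live keys follow the `sk_live_` format of the sample above; the function names are hypothetical.

```python
import os
import re
import tempfile

# Assumption: live keys look like the sample on this page ("sk_live_" + alphanumerics).
KEY_PATTERN = re.compile(r"sk_live_[A-Za-z0-9]{8,}")
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}

def redact(key):
    """Keep only the prefix and last 4 characters so the report leaks nothing."""
    return key[:8] + "..." + key[-4:]

def scan_file(path):
    """Return (line_number, redacted_key) for every hardcoded key in one file."""
    hits = []
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, start=1):
                for m in KEY_PATTERN.finditer(line):
                    hits.append((lineno, redact(m.group())))
    except OSError:
        pass  # unreadable file: nothing to report
    return hits

def scan_tree(root):
    """Walk a source tree and map relative path -> list of hits."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Build a constructed two-file tree (one bad, one good) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "bad.py"), "w") as fh:
            fh.write('import os\napi_key = "sk_live_abc123def456"\n')
        with open(os.path.join(root, "good.py"), "w") as fh:
            fh.write('import os\napi_key = os.environ["TELEPATH_API_KEY"]\n')
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, key in hits:
            print(f"{path}:{lineno}: hardcoded key {key}")
```

Run `scan_tree` from a pre-commit hook or CI job and fail the build when it returns any findings.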

SIP Credentials

Your SIP username and password authenticate calls with carriers.
Best Practices:
  1. Strong Passwords:
    • Minimum 12 characters
    • Mix uppercase, lowercase, numbers, symbols
    • Avoid dictionary words
    • Don’t reuse across connections
  2. Rotate Passwords:
    • Use dashboard to rotate
    • Update carrier configuration immediately
    • Test before discarding old password
  3. Limit Distribution:
    • Share only with authorized team members
    • Use separate credentials per environment
    • Never share in chat or email

AI Provider Credentials

OpenAI, ElevenLabs, and custom endpoints require credentials.
Best Practices:
  1. Separate Service Accounts:
    • Create dedicated accounts per integration
    • Don’t use personal API keys
    • Enable IP whitelisting if available
  2. API Key Scoping:
    • Limit permissions to minimum needed
    • Use read-only keys where possible
    • Set spending limits/quotas
  3. Audit Access:
    • Review API key usage regularly
    • Monitor for unusual activity
    • Set up provider-side alerts

Data Encryption

In Transit

HTTPS/TLS: All API communications use TLS 1.2+
  • Encrypted between your application and Telepath
  • Encrypted between Telepath and carriers (SIP TLS)
  • Encrypted between Telepath and AI providers
SIP Security: TLS or UDP available
  • TLS recommended for sensitive deployments
  • UDP acceptable for controlled networks

At Rest

Credential Storage: AES-256 encryption
  • API keys encrypted with AES-256
  • SIP passwords encrypted with AES-256
  • AI provider credentials encrypted
  • Stored in secure database with access controls
Call Logs: Encrypted storage
  • Call metadata encrypted
  • Audio not stored by default
  • PII handled per compliance needs

Access Control

Dashboard Authentication

  1. Strong Passwords:
    • Enforce minimum 12 characters
    • Regular password changes recommended
    • No password sharing
  2. Two-Factor Authentication (if available):
    • Enable for all accounts
    • Use authenticator app or hardware key
    • Avoid SMS when possible
  3. Session Management:
    • Automatic logout after 30 minutes of inactivity
    • Concurrent session limits
    • Session invalidation on logout

API Key Management

Create Keys:
  1. Go to Settings → API Keys
  2. Click Create New Key
  3. Give it a descriptive name
  4. Copy immediately (you won’t see it again)
Revoke Keys:
  1. Go to Settings → API Keys
  2. Click Revoke next to the key
  3. Confirm the action
  4. Any apps using the key will immediately break
View Usage:
  1. Each key shows last used timestamp
  2. View request count per day
  3. Set up alerts for unusual activity

Team Permissions

If available in your plan:
  • Admin: Full access, can manage team
  • Editor: Create/modify connections, view logs
  • Viewer: Read-only access to logs and settings
  • Billing: Manage billing and payment methods
Best Practice: Use least-privilege access
  • Give team members minimum required permissions
  • Create role-specific API keys
  • Regularly audit permission assignments

Network Security

IP Whitelisting

If your provider supports it, whitelist Telepath IPs.
Telepath IP Ranges:
Check the dashboard or contact support for current ranges.
Configure with Carrier:
  1. Add Telepath IPs to whitelist
  2. Test calls from other IPs to verify blocking
  3. Keep list updated

VPC/Network Isolation

For enterprise deployments:
  • Use VPC for internal systems
  • Restrict access to authorized networks only
  • Monitor all inbound/outbound connections

Compliance & Regulations

PCI DSS

If handling payment card data:
  • Don’t store card data in call logs
  • Ensure PCI compliance with AI providers
  • Audit access to sensitive calls

HIPAA

For healthcare applications:
  • Enable encryption for all data
  • Implement access controls
  • Maintain audit logs
  • Use Business Associate Agreement with providers

GDPR

For European users:
  • Implement right to deletion
  • Get explicit consent before recording
  • Keep privacy policy updated
  • Comply with data residency requirements

CCPA

For California residents:
  • Disclose data collection practices
  • Honor deletion requests
  • Provide data access
  • Implement non-discrimination

Call Recording & Privacy

Recording Considerations

Legal Requirements:
  • Consent: Most jurisdictions require all-party consent
  • Notification: Announce recording at call start
  • Retention: Store only as long as needed
  • Security: Encrypt all recordings
Best Practice:
"This call may be recorded for quality and training purposes.
Continuing means you consent to recording."

Audio Storage

By default, Telepath does NOT store audio:
  • Carrier audio not stored
  • AI agent responses not stored
  • Only metadata and transcripts available
  • Reduces privacy concerns
If You Need Recordings:
  • Use custom WebSocket endpoint to capture audio
  • Implement secure storage
  • Comply with legal requirements
  • Provide deletion mechanisms

Audit & Logging

Dashboard Audit Log

Track all account activities:
  • API key creation/deletion
  • Connection modifications
  • Settings changes
  • Team member changes
Access:
  1. Go to Settings → Audit Log
  2. View all actions with timestamps
  3. Export for compliance

API Access Logging

Monitor API usage:
  • Every API call logged
  • Source IP recorded
  • Timestamp and duration
  • Error messages captured
Review Patterns:
  • Unusual access times
  • Spike in API calls
  • Errors or failed attempts
  • Access from unexpected locations
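
The four review patterns above, as an added example that is not part of the Telepath documentation: detection logic run over a handful of constructed log lines. The `timestamp ip status path` layout, the thresholds and the expected network range are assumptions; adapt them to whatever your log export actually contains.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample lines; the "timestamp ip status path" layout is an assumption.
SAMPLE_LOG = """\
2024-05-06T10:01:12 203.0.113.10 200 /v1/calls
2024-05-06T10:01:40 203.0.113.10 200 /v1/calls
2024-05-06T03:14:02 198.51.100.77 401 /v1/keys
2024-05-06T03:14:03 198.51.100.77 401 /v1/keys
2024-05-06T03:14:04 198.51.100.77 401 /v1/keys
2024-05-06T03:14:05 198.51.100.77 200 /v1/keys
"""

EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # your known egress ranges
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, set per local policy
FAILED_THRESHOLD = 3            # failed attempts per source before flagging
SPIKE_THRESHOLD = 4             # requests per source per minute before flagging

def parse(log_text):
    """Yield (timestamp, source address, HTTP status, path) per log line."""
    for line in log_text.splitlines():
        ts, ip, status, path = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), int(status), path

def review(log_text):
    """Return {finding_type: set of source IPs} for the four patterns listed above."""
    findings = {"off_hours": set(), "unexpected_source": set(),
                "failed_attempts": set(), "spike": set()}
    failures, per_minute = Counter(), Counter()
    for ts, ip, status, _path in parse(log_text):
        src = str(ip)
        if ts.hour not in BUSINESS_HOURS:
            findings["off_hours"].add(src)
        if not any(ip in net for net in EXPECTED_NETS):
            findings["unexpected_source"].add(src)
        if status in (401, 403):
            failures[src] += 1
        per_minute[(src, ts.replace(second=0))] += 1
    findings["failed_attempts"] = {s for s, n in failures.items() if n >= FAILED_THRESHOLD}
    findings["spike"] = {s for (s, _m), n in per_minute.items() if n >= SPIKE_THRESHOLD}
    return findings

if __name__ == "__main__":
    for kind, sources in review(SAMPLE_LOG).items():
        print(kind, sorted(sources))
```

In the sample, the final `200` after three `401` responses from the same unexpected source is the sequence to escalate first, since it suggests a guessed or stolen credential started working.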

Incident Response

Suspected Compromise

If you suspect credentials are compromised:
  1. Immediately:
    • Revoke compromised API keys
    • Rotate SIP passwords
    • Change dashboard password
    • Enable 2FA if not already enabled
  2. Within 1 Hour:
    • Review audit logs for unauthorized access
    • Check call logs for suspicious activity
    • Contact support
  3. Document:
    • Note timestamp of discovery
    • List potentially affected API keys
    • Identify any unusual calls

Security Incident

Report security issues to: security@telepathvoice.com
Include:
  • Description of issue
  • Affected components
  • When you discovered it
  • Any steps you’ve taken

Best Practices Summary

Development

  • ✅ Use environment variables for secrets
  • ✅ Never commit keys to version control
  • ✅ Use .gitignore for .env files
  • ✅ Use separate keys for dev/staging/production
  • ✅ Test with read-only keys when possible

Deployment

  • ✅ Use secrets management (HashiCorp Vault, AWS Secrets Manager)
  • ✅ Rotate credentials regularly
  • ✅ Monitor for suspicious API usage
  • ✅ Log all access attempts
  • ✅ Use TLS for all connections

Team

  • ✅ Limit credential distribution
  • ✅ Use principle of least privilege
  • ✅ Audit team access regularly
  • ✅ Have exit procedures for leaving team members
  • ✅ Train team on security practices

Monitoring

  • ✅ Review audit logs weekly
  • ✅ Set up alerts for unusual activity
  • ✅ Monitor API quota usage
  • ✅ Check error rates for anomalies
  • ✅ Review carrier-side alerts

Support

For security concerns: See the Privacy Policy and Terms of Service for more information.