Trust · Security

Security & Trust

Last updated April 23, 2026. Dialplane is the control plane for telecom provisioning. We treat the credentials and configuration you hand us as the most sensitive thing we hold.

Our posture

Dialplane is a multi-tenant platform for telecom provisioning. Our customers are service providers; their customers are the subscribers whose configuration moves through our API. We design and operate the service with defense in depth and with the assumption that the most sensitive object in the system is a customer credential.

This page describes the controls that are in place today. We will update it when the controls change.

How we handle your BroadWorks credentials

BroadWorks user passwords are the highest-value secret you can give us. We treat them accordingly.

  • Never in our primary database. Passwords are not written to Postgres — not in any column, not in any table.
  • Encrypted at rest during an active session. The credential a session needs is stored encrypted with AES-256-GCM and exists only for the lifetime of that session.
  • Redacted in logs and audit records. Password, passcode, and similar fields are replaced with a redaction marker before any record is written. Operators cannot read them internally.
  • Never returned in API responses. No endpoint, MCP tool, or diagnostic surface returns a plaintext password.

Encryption

In transit

TLS 1.2 or higher is used between customers and Dialplane and between Dialplane and BroadWorks. Certificates are managed and renewed automatically.

At rest

Stored credentials are encrypted with AES-256-GCM using a key that is validated at service start.

Key management

Signing and encryption keys are required at process start. There are no fallback secrets or default keys in the codebase. A missing or misconfigured key stops the service from starting rather than allowing it to run without protection.

Tenant isolation

Every request is bound to a tenant at authentication time. All reads and writes are scoped to that tenant. Cross-tenant access is not a configuration choice — it is prevented by construction.

Access control

  • Programmatic access uses prefixed, revocable API keys compared in constant time to resist timing attacks.
  • Tenant admins can issue API tokens with operation scopes and optional service-provider or group bounds. A token can be full tenant access, read-only, CDR-only, or limited to one BroadWorks slice.
  • Scope policies can cap access by BroadWorks login type. The runtime intersects the login-type policy with the token or OAuth scopes, so the most restrictive side wins.
  • Scope denials are recorded for review, making it possible to tune policies without guessing which route or tool was blocked.
  • Browser-based and agent-based access uses OAuth 2.1 with PKCE.
  • Access tokens are short-lived. Refresh tokens rotate on every use, and reuse of a consumed refresh token invalidates the session.
  • CSRF protection is enforced on the login surface.

Auditability

Every state-changing operation is recorded with before-and-after snapshots, the tenant, the actor, and the outcome. Sensitive fields are redacted in that record. This supports customer-visible audit trails and forensic replay if they are ever needed.

Connected systems

Dialplane can coordinate adjacent systems, such as SurgeMail voicemail. Those integration actions use the same tenant scoping and audit model as BroadWorks workflows.

  • SurgeMail admin credentials are stored as encrypted integration credentials, not plaintext configuration.
  • Mailbox passwords used for provisioning or callback updates are redacted before operation records are written.
  • If an integration side effect fails after the BroadWorks action succeeds, the failure is recorded as an integration audit result instead of hiding the partial state.

Guardrails

  • Destructive operations against tenant containers — service providers, groups, and resellers — are permanently disallowed through the API.
  • Rate limits apply per tenant and per source IP on authentication surfaces.
  • Every command sent to BroadWorks is validated against a typed schema before it is rendered. Raw client-supplied XML is never forwarded.

Compliance

Dialplane is pursuing SOC 2 Type II. The observation window is underway. When the audit concludes, the report will be available to customers under NDA on request.

Our controls are aligned today with the SOC 2 Trust Services Criteria for security and confidentiality.

A Data Processing Addendum (DPA) is available on request from legal@dialplane.com.

Sub-processors

Dialplane relies on the following vendors to deliver the service. This list is current as of the effective date above and will be updated when it changes.

VendorPurposeLocation
DigitalOceanApplication and database hostingUnited States (NYC3)
StripeBilling and paymentsUnited States
ResendTransactional emailUnited States
Let's EncryptTLS certificate issuanceUnited States

Responsible disclosure

If you believe you have found a security issue in Dialplane, please email security@dialplane.com.

  • We will acknowledge receipt within three business days.
  • We will not pursue legal action against good-faith researchers who follow a coordinated-disclosure process.
  • We will credit reporters on request once an issue is resolved.
  • Dialplane does not currently operate a paid bug bounty program.

Contact