Building Secure Communication Solutions with SignalWire

How SignalWire protects your data

Jon Slomski

SignalWire’s security and compliance posture is designed for teams building communications solutions that handle sensitive data across voice, messaging, video, and AI. This article explains the core frameworks SignalWire highlights, System and Organization Controls 2 Type 2 (SOC 2 Type 2), Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA), and how each maps to common requirements such as operational security controls, payment data protections, and safeguarding Protected Health Information (PHI).

SignalWire Security Measures

At SignalWire, your security is our top priority. We understand that safeguarding sensitive data is a requirement for businesses across all industries. That's why our innovative Programmable Unified Communications platform for voice, messaging, video, and AI is built with stringent security standards in mind, so that you can build the most secure communications solutions for your customers.

Businesses across industries, from healthcare to finance, rely on trusted platforms to keep sensitive data safe. Our robust security systems and commitment to compliance allow you to innovate with the newest technologies without compromising security.

We believe that our security is your security. Our mission is to provide the tools to build cutting-edge communications while maintaining the highest security standards for every customer. We take a proactive approach to compliance, ensuring that our systems adhere to some of the toughest standards in the industry.

In this post, we’ll explore three key compliance frameworks that SignalWire meets and explain how they contribute to a secure and trustworthy environment for your communications.

SOC 2 Type 2

Full name: System and Organization Controls 2 Type 2

Regulatory authority: The American Institute of Certified Public Accountants (AICPA)

SOC 2 Type 2 is an independent attestation of data security controls across a company’s technical system and day-to-day operations. A third-party auditor conducts an extensive audit of the security controls to ensure that they operate as anticipated.

The auditor evaluates the company based on established security, availability, confidentiality, processing integrity, and privacy standards. At the end of the audit period, a company whose controls meet the standards of the AICPA receives a certificate that is valid for one year.

SOC 2 Type 2 is one of the most recognized and respected compliance standards for cloud-based technology companies, especially those handling sensitive data. The audit process involves an in-depth review of a company's security controls, operational processes, and governance.

SignalWire's SOC 2 Type 2 attestation demonstrates our commitment to maintaining a secure and reliable environment for all your communications. The audit, performed annually, ensures that the protective measures we have in place are consistently monitored, tested, and improved as needed to protect against data breaches. By ensuring that our security controls meet SOC 2 Type 2 standards, we provide a solid foundation for data integrity and privacy.

PCI-DSS

Full name: Payment Card Industry Data Security Standard

Regulatory authority: PCI Security Standards Council (PCI SSC)

PCI-DSS is focused on security for payment card transaction environments, covering both technical and operational system components. Generally, to comply with the PCI SSC’s rules, a company must assess all locations and access points to payment data, repair any observed vulnerabilities, and report assessment and remediation details to any requesting entities.

This process involves building and maintaining a secure network, protecting the access to and transmission of transaction data, building and maintaining vulnerability management systems, regularly tracking and testing the network, and maintaining security policies for all employees.

The rise of digital payments has brought with it heightened security risks, making PCI-DSS compliance a critical requirement for companies involved in payment processing. This comprehensive set of security standards is designed to protect cardholder data during transactions, preventing fraud, data breaches, and theft.

SignalWire takes PCI-DSS compliance seriously to ensure that your payment information is always secure. Compliance involves assessing all touchpoints where payment data is collected, transmitted, or stored. To meet PCI-DSS standards, we continually update our security protocols, maintain a secure network, and perform regular system testing and monitoring.

When a customer makes a purchase with SignalWire, all customer payment data is used, stored, and transmitted in a safe and secure manner. SignalWire ensures that all payment data is handled safely, protecting both your customers and your business.

HIPAA

Full name: Health Insurance Portability and Accountability Act

Regulatory authority: United States federal government

The federal government passed HIPAA to ensure the security of medical patients’ protected health information (PHI) and limit third-party access to it. HIPAA establishes security and administrative requirements for entities that handle PHI. In part, those entities must implement appropriate security measures, perform ongoing risk assessments, and institute access and audit controls. These rules are designed to ensure the privacy, integrity, and transmission security of PHI.

For businesses in the healthcare industry, securing protected health information is legally required for any organization that handles medical records or patient data. SignalWire is fully HIPAA-compliant, which means that healthcare providers, insurance companies, and related entities can trust our platform to protect patient privacy.

HIPAA regulations mandate that any entity handling PHI must implement strict administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of sensitive health information. This includes encrypting PHI, restricting access to authorized personnel, and performing ongoing risk assessments.

SignalWire’s commitment to HIPAA compliance means that if you’re working with sensitive patient data, you can build communication solutions on our platform with complete confidence. Whether you're using voice, messaging, or video communication, your PHI is secure.

Many of SignalWire’s customers operate in the healthcare sector, and if a customer brings PHI to SignalWire, that PHI is safeguarded. SignalWire meets the rigorous security and privacy requirements established by HIPAA, making it a trusted choice for organizations in healthcare. By using SignalWire, you can ensure that patient data is protected at all times.

ISO/IEC 27001:2022

Full name: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Regulatory authority: No single regulatory authority. It is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

SignalWire is certified to ISO/IEC 27001:2022, the international standard for an Information Security Management System (ISMS). The certification indicates that SignalWire operates a formal, audited security program designed to identify, assess, and reduce information security risk across people, processes, and technology, with ongoing continuous improvement. For teams building voice, messaging, video, and AI communications, ISO/IEC 27001:2022 provides additional assurance that security controls are governed through a structured management system, not treated as a one-time checklist.

Build with confidence on SignalWire

Whether you're developing applications for healthcare, retail, or any other sector, your data is protected by some of the most comprehensive compliance standards in the industry when you build with SignalWire.

Our SOC 2 Type 2 attestation ensures operational and data security, PCI-DSS compliance guarantees safe payment transactions, and HIPAA compliance secures patient health data. If you’re ready to build secure, scalable communication solutions, SignalWire is here to support your journey.

Our focus at SignalWire is providing our customers with the solutions they need to thrive. Our goal is to not only equip our customers with developer-friendly tools but to do so in a secure ecosystem. When you build with SignalWire, you can rest assured that your data and systems, and those of your own customers, are protected. Learn more about our security measures at the SignalWire Trust Center.

If you have questions or issues about SignalWire security, bring them to our community on Discord.

Frequently asked questions

What is System and Organization Controls 2 Type 2 (SOC 2 Type 2)?

System and Organization Controls 2 Type 2 (SOC 2 Type 2) is an independent attestation of a company’s security controls and operational processes over an audit period, evaluated against criteria such as security, availability, confidentiality, processing integrity, and privacy.

What does Payment Card Industry Data Security Standard (PCI DSS) cover?

Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for payment card environments, including building and maintaining secure networks, protecting cardholder data in transit and at rest, managing vulnerabilities, monitoring and testing systems, and maintaining security policies.

What is the Health Insurance Portability and Accountability Act (HIPAA) in communications use cases?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that establishes requirements to protect Protected Health Information (PHI), including safeguards for confidentiality, integrity, and transmission security, plus access controls and ongoing risk assessments for entities that handle PHI.

When do you need HIPAA protections for voice or messaging workflows?

You need HIPAA-grade protections when your workflow involves Protected Health Information (PHI), for example appointment details tied to a patient, clinical communications, or any messaging or calling that includes identifiable health data. The key is whether PHI is handled, not which channel is used.

How do these frameworks map to building secure communications features?

SOC 2 Type 2 focuses on how security controls operate across systems and day-to-day operations, PCI DSS focuses on protecting payment card transaction environments, and HIPAA focuses on safeguarding PHI with administrative, physical, and technical safeguards. Together they map to common product requirements like access control, secure handling of sensitive data, auditability, and risk management.
