Security Policy

Effective date: May 25, 2025 · Last updated: May 25, 2025

Vulnerability reporting

We take security seriously. If you discover a vulnerability in IntakeAI, please report it responsibly to security@getintake.ai and give us a chance to address it before disclosing it publicly.

Response timelines

Severity   Acknowledgment
Critical   within 24 hours
High       within 24 hours
Medium     within 3 business days
Low        within 30 days

Security practices

  • HTTPS everywhere
    All traffic encrypted in transit via TLS 1.2+. Enforced on both Vercel (web) and Railway (WebSocket server). No HTTP fallback.
  • Secrets management
    All API keys, OAuth secrets, and database credentials stored in platform environment variables. Never in source code or version control.
  • Database security
    Database access uses parameterized queries via Prisma ORM, which prevents SQL injection. Database credentials rotate regularly. Neon PostgreSQL is encrypted at rest.
  • Authentication
    Firm login via NextAuth magic-link email with CSRF protection. Admin access via API key with rate limiting. No passwords stored.
  • Input validation
    All user-facing inputs validated server-side. Phone numbers validated to E.164. Time formats validated to HH:MM. HTML output escaped to prevent XSS.
  • Rate limiting
    Authentication endpoints rate-limited to prevent brute force. Twilio webhooks validated on every request via Twilio's HMAC signature (the X-Twilio-Signature header); unsigned or mismatched requests are rejected.
  • Least privilege
    Internal APIs return only the fields each consumer needs. OAuth tokens excluded from all client-facing API responses.
  • Security headers
    X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin on all responses.

Infrastructure certifications

IntakeAI is built exclusively on SOC 2 Type II certified infrastructure providers:

Provider          Role                  Certifications
AssemblyAI        Voice AI processing   SOC 2 Type II
Twilio            Telephony & SMS       SOC 2 Type II · ISO 27001
Vercel            Web hosting           SOC 2 Type II
Neon PostgreSQL   Database              SOC 2 Type II
Railway           WebSocket server      SOC 2 Type II

Note: IntakeAI as a company is currently pursuing SOC 2 certification (beta phase). All underlying infrastructure providers listed above hold current SOC 2 Type II certification.

Incident response

  • Breach notification: Affected subscribing firms notified within 72 hours of a confirmed data breach, including nature of data affected and remediation steps taken.
  • Incident log: All security incidents logged with root cause analysis and remediation timeline.
  • Contact: security@getintake.ai

Penetration testing

Annual third-party penetration testing is planned; no test has been completed yet (beta phase). Once a test is complete, results are available to subscribing firms under NDA upon request.

Data processing agreement

IntakeAI executes a Data Processing Agreement (DPA) with each subscribing firm before go-live. The DPA defines processor/controller responsibilities, data retention limits, breach notification timelines, and sub-processor obligations.

To request a DPA: legal@getintake.ai

Contact

Security reports: security@getintake.ai
Legal / DPA: legal@getintake.ai
IntakeAI · Morris County, NJ