Security Overview

This page describes the security controls implemented by MSA Mercantile LLC, doing business as OrifoneAI ("OrifoneAI," "we," "us," or "our"), a company registered in Virginia, United States.

We apply layered controls to protect customer data and platform operations.

Tenant isolation

Customer data is scoped by organization identifiers and role-based authorization controls to reduce cross-tenant access risk.

Encryption at rest

Sensitive call artifacts such as transcripts and recordings are encrypted before storage using AES-256-GCM.

Encryption in transit

All data transmitted between browser, platform, and infrastructure is encrypted using TLS 1.2 or higher.

Webhook integrity checks

Inbound webhook traffic is validated using provider signatures before processing.

Auditability and retention controls

• Call recordings: 90 days
• Call transcripts: 365 days

For privacy operations, see Privacy Policy and Data Subject Rights. For framework mapping and subprocessors, see Trust Center.

Customers remain responsible for their own compliance programs, consent practices, and call recipient data handling under Terms of Service.

For security-related questions, trust document requests, or vendor onboarding inquiries: support@orifone.ai