Security

Security is fundamental to SentriCall. This page outlines our security practices, compliance certifications, and how we protect your sensitive 911 data.

🛡️ CJIS Security Policy 5.9 Compliant

SentriCall meets the FBI's Criminal Justice Information Services (CJIS) Security Policy requirements, mandatory for systems processing law enforcement and emergency services data.

  • Advanced authentication and access control
  • Personnel security and background checks
  • Audit logging and monitoring
  • Encryption in transit and at rest
  • Physical security measures
  • Security awareness training

🔐 Encryption

In Transit

All data transmitted between clients and servers is encrypted using:

  • TLS 1.3 - Current version of the TLS protocol
  • Perfect Forward Secrecy - Compromise of a long-term key does not expose past session keys
  • Strong cipher suites - Industry-standard authenticated encryption algorithms

At Rest

Stored data is protected using:

  • AES-256-GCM - Authenticated encryption, so stored data is both confidential and integrity-protected
  • Encrypted database - PostgreSQL with encryption at rest
  • Encrypted backups - All backups are encrypted

👥 Access Control

Role-Based Access Control (RBAC)

Users are granted minimum necessary permissions based on their role:

  • Operators: Limited to their own call history
  • Supervisors: Monitor and review team calls
  • Administrators: System configuration and user management
  • Auditors: Read-only access to logs and reports

Multi-Factor Authentication (MFA)

Optional MFA support using:

  • Time-based one-time passwords (TOTP)
  • SMS verification
  • Hardware security keys (FIDO2/WebAuthn)

📋 Audit Logging

Comprehensive audit trail captures all system activity:

  • 7-year retention - Meets compliance requirements
  • Tamper-evident - Blockchain-like hash chain makes any after-the-fact modification of entries detectable
  • Complete activity tracking - Who did what, when, and from where
  • Automated monitoring - Real-time alerts for suspicious activity
  • Exportable logs - For external SIEM systems
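To make the tamper-evident hash chain concrete, here is an added illustration (not SentriCall's code; the record fields, the SHA-256 choice and the sample events are assumptions). Each entry stores the hash of the previous entry, so changing an old record breaks its own hash, and recomputing that hash breaks the link from the next entry, which is why the latest hash should also be anchored externally (for example in the exported SIEM copy).

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # fixed "previous hash" for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON encoding of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(log: List[dict], record: dict) -> dict:
    """Append a record, linking it to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


# Constructed sample events (hypothetical users, call ids and addresses)
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "user": "op01", "action": "view_call", "call_id": "c-1001", "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T00:05:00Z", "user": "sup02", "action": "review_call", "call_id": "c-1001", "src_ip": "10.0.0.9"},
    {"ts": "2024-01-01T00:07:00Z", "user": "adm03", "action": "create_user", "target": "op04", "src_ip": "10.0.1.2"},
]


def build_sample_log() -> List[dict]:
    log: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def tamper_detection_demo() -> tuple:
    """Edit entry 1 in place: detected at index 1; recompute its hash to hide the edit: detected at index 2."""
    log = build_sample_log()
    log[1]["record"]["user"] = "op99"            # rewrite who reviewed the call
    first = verify_chain(log)                    # entry 1 no longer matches its stored hash
    log[1]["hash"] = entry_hash(log[0]["hash"], log[1]["record"])  # attacker "repairs" entry 1
    second = verify_chain(log)                   # entry 2 still points at the old hash of entry 1
    return first, second
```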

🏗️ Infrastructure Security

Cloud Deployments

  • AWS GovCloud or Azure Government
  • FedRAMP authorized cloud services
  • Network isolation and VPCs
  • DDoS protection
  • Web application firewall (WAF)

On-Premise Deployments

  • Air-gapped configuration support
  • Containerized deployment (Docker)
  • Network segmentation best practices
  • Hardened OS configurations
  • Regular security updates

🔍 Vulnerability Management

We maintain a proactive security posture:

  • Regular security assessments - Quarterly penetration testing
  • Dependency scanning - Automated vulnerability detection
  • Security patches - Rapid response to critical vulnerabilities
  • Code reviews - Security-focused code review process
  • Static analysis - Automated security scanning

🚨 Incident Response

In the event of a security incident:

  1. Detection: 24/7 monitoring and alerting
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Root cause analysis and forensics
  4. Remediation: Fix vulnerabilities and restore service
  5. Notification: Timely notification to affected customers
  6. Post-mortem: Document lessons learned and improve processes

✓ Compliance & Certifications

  • CJIS Compliant - Security Policy 5.9
  • SOC 2 Type II - In progress
  • ISO 27001 - Planned

🔒 Responsible Disclosure

We welcome reports of security vulnerabilities. If you discover a security issue:

  • Email: security@sentricall.com
  • Use PGP encryption for sensitive details (key available on request)
  • Include steps to reproduce the vulnerability
  • Allow reasonable time for us to address the issue before public disclosure

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Credit researchers (unless anonymity is preferred)

Questions About Security?

Our security team is available to answer questions about our security practices and compliance.

Security Team: security@sentricall.com

General Inquiries: info@sentricall.com