Security Policy

Ottocal applies administrative, technical, and organizational safeguards to the web application, booking pages, account flows, payments, messaging, AI features, recordings, transcripts, and supporting infrastructure used to operate the platform.

Security controls may evolve as the product, providers, architecture, and threat environment change.

• Authentication, session controls, and account-level access restrictions.
• Transport encryption for browser and API traffic where supported.
• Request validation, rate limiting, logging, abuse detection, and fraud controls.
• Provider-backed security controls for hosting, database, payments, messaging, and call infrastructure.
• Error monitoring and operational alerts to help identify service failures and suspicious behavior.

• Use strong passwords and secure the devices and browsers used to access Ottocal.
• Restrict access to account credentials, API keys, payment accounts, and connected integrations.
• Review booking settings, payout settings, recording settings, and public links before sharing them.
• Do not upload highly sensitive or regulated data unless you have a lawful basis and suitable controls.

Ottocal is responsible for securing the core platform and its operated application environment. Hosts remain responsible for the business data they choose to collect, their own endpoint security, internal access controls, third-party accounts they connect, and legal compliance for their services.

Ottocal may investigate suspicious activity, preserve logs, suspend features, rotate credentials, or involve providers and legal counsel when necessary to contain a security incident or protect users and the service.

If a material incident affects Ottocal-controlled systems or data, Ottocal may provide notice in a manner appropriate to the incident, affected workflow, and legal requirements.

Report suspected vulnerabilities, credential exposure, abuse, or security incidents to hello@ottocal.com. Include the affected URL, a description of the issue, reproduction steps, timestamps, and any relevant screenshots or logs.

Do not exploit, exfiltrate, destroy, or publicly disclose vulnerabilities without authorization. Good-faith reports help Ottocal respond faster.

Ottocal may use backups, redundancy, and provider-level resilience features, but no service can guarantee uninterrupted availability, zero data loss, or recovery from every failure mode.

This policy is informational. It does not create a warranty, certification, or commitment that any particular control or framework will always be in place.