Your phone system carries some of the most sensitive information in your business, customer conversations, account details, sometimes protected health or financial information. Here's a straightforward rundown of what Cannon VoIP does to keep it safe, without the marketing fluff.
Encryption standards
Call setup (signaling) is encrypted using TLS, and the call audio itself is encrypted in transit using SRTP, so conversations can't be intercepted and read as they travel across the network. Data at rest, including stored recordings, voicemails, and account information, is protected with industry-standard AES-256 encryption. Encryption isn't an add-on or a premium tier here; it's simply how the system works.
Data retention policy
By default, call recordings, call detail records (CDRs), and voicemails are retained for 30 days. If your business needs a different window, shorter for day-to-day operations or longer for regulatory record-keeping, that's configurable on your account. Once a retention window passes, older records are purged automatically rather than piling up indefinitely.
SOC 2 & HIPAA alignment
Our internal security practices, access controls, change management, monitoring, and incident response, are built around SOC 2 principles. On the healthcare side, we maintain HIPAA-aligned safeguards for handling protected health information, which is one of the reasons medical practices and healthcare-adjacent businesses rely on us for both voice service and our HIPAA-compliant cloud fax service.
MFA requirements
Multi-factor authentication is available on your account, and we strongly recommend turning it on for anyone with access to the portal. A password alone isn't enough protection for a system tied to your business's phone lines, billing, and call data, MFA adds a second layer that stops most account-takeover attempts cold, even if a password gets exposed elsewhere.
Fraud prevention
A few of the ways we help keep fraudulent activity off your lines:
- Suspicious call screening: incoming calls that look like spam or spoofed robocalls face an automatic keypad challenge before they ever ring through.
- Shared spam intelligence: we partner with multiple carriers on a shared spam-reporting directory, so numbers flagged elsewhere on the network get blocked here too.
- Usage monitoring: unusual calling patterns, like a sudden spike in expensive international or premium-rate calls, are flagged early to catch toll fraud before it runs up a bill.
- Blocked and VIP number lists: you can block specific numbers outright or flag others for special handling, right from your account.
Call recording compliance
Calls are recorded by default, along with automatic transcription, so you've got a searchable record of every conversation without any extra setup. Consent laws for recording calls vary by state, some only require one party to consent, others require everyone on the line to agree, so if you operate in a two-party consent state, we can add an automatic disclosure announcement that notifies everyone on the call that it's being recorded before the conversation continues. And if you'd rather turn recording off entirely, that's just as easy to configure on your account.
STIR/SHAKEN implementation
Every call that leaves our network carries STIR/SHAKEN caller ID authentication, the framework mandated by the FCC to fight illegal robocalls and spoofed caller ID. In plain terms, it means the people and businesses you call can trust that the number showing up on their screen is genuinely yours, which helps your calls get answered instead of flagged as "Spam Likely" by carriers and call-blocking apps.
Robocall Mitigation Database & Do-Not-Originate
Beyond STIR/SHAKEN, the FCC requires every voice service provider to certify its anti-robocall practices in the Robocall Mitigation Database (RMD). We're filed and current in the database, and any carrier we work with is required to confirm that filing before carrying our traffic, so there's no gap in the chain of accountability.
We also honor Do-Not-Originate (DNO) lists, numbers used only to receive calls, like certain government agency and financial institution lines, that should never appear as an outbound caller ID. Any call attempting to spoof a DNO-listed number is blocked before it ever reaches its destination.
On top of these, we participate in the industry programs every compliant U.S. voice provider is required to: cooperating with the USTelecom Industry Traceback Group on illegal call investigations, maintaining our FCC registration (FRN) and Universal Service Fund contributions, and adhering to the National Do Not Call Registry. None of this is optional for a legitimate carrier, and we treat it as table stakes, not a bragging point.
Have a specific compliance question, an audit questionnaire to fill out, or a security review to complete for your own customers? Send it our way and we'll walk through it with you directly.
Questions about security or compliance?
Tell us what you need, an audit questionnaire, a security review, or just general questions, and we'll get you answers.
Contact us