Security posture for production deployments.

This is not legal advice. It’s a practical description of how Open Voice Agent is typically operated: invite-only, multi-tenant, and BYO keys per workspace.

Read deployment docs Privacy policy

Principles

Secure defaults, with explicit operator control.

Designed for running multiple client workspaces on one deployment.

Authentication + access control

Invite-only defaults, password login UI, and optional magic links + 2FA depending on your deployment settings.

Workspace-scoped secrets

Provider keys live per workspace so billing and blast radius stay isolated across clients.

Webhook verification

Verify Telnyx/Twilio webhooks using workspace-scoped verification secrets (recommended for BYO telephony).

Embed restrictions

Embed experiences are designed to be allowlisted per client domain and require explicit microphone consent in the UI.

Deployment checklist

What we recommend in production.

A small checklist that maps to common VPS runbooks.

Platform hardening

Terminate TLS at a reverse proxy (Caddy/Nginx) and enforce HTTPS.
Firewall: allow only 22, 80, 443 to the public internet.
Use separate staging + production DBs and webhook base URLs.
Set a strong backend SECRET_KEY.

Operational safety

Ensure backups for Postgres (and validate restore).
Use health checks: /health, /health/db, /health/redis.
Set retention policies and periodically purge old call media.
Review CORS: allow only the dashboard origin(s) in CORS_ORIGINS.

Contact Pricing