
VoIP Security: A Compliance Checklist for Nonprofit Leaders

What to demand from your provider when sensitive donor, beneficiary, or health data flows through your phone system.

[Image: abstract dark blue dots and lines representing a digital network. Photo by Jan Habarta on Unsplash]

Your phone system handles donor financial conversations, beneficiary intake calls, sometimes protected health information, and almost always personal contact details. Treating it as a low-stakes utility is a mistake that becomes very expensive in a breach. Here is the security baseline to enforce.

The non-negotiables

  • Encryption everywhere. Voice traffic encrypted with SRTP. Signaling encrypted with TLS 1.2 or higher. Data at rest (recordings, voicemails, messages) encrypted with AES-256.
  • Single sign-on. Your provider should integrate with Microsoft Entra, Google Workspace, or Okta so staff use one set of credentials.
  • Multi-factor authentication. Required for admin accounts at minimum. Strongly recommended for every user.
  • Role-based access control. Volunteers see what they need. Admins see what they need. The full audit log is locked behind a separate role.
  • Audit logging. Who logged in, when, from where. Who changed what setting. Who accessed which call recording. Retain at least 90 days.

Compliance attestations to request

Ask for current copies of these. A serious provider has them at hand and can email them within a day:

  • SOC 2 Type II report (covers operational security)
  • ISO 27001 certification (international security management standard)
  • HIPAA Business Associate Agreement (if your work touches health data)
  • PCI DSS attestation (if any payment data flows through phone calls)
  • State-specific privacy compliance documentation (CCPA, etc.) where relevant

Recording and consent

If you record calls, you must comply with state laws. About a third of US states require all parties to consent ("two-party consent" or "all-party consent"). The rest require only one party. A good provider gives you tools for this:

  • Configurable announcements at the start of recorded calls
  • The ability to disable recording per extension or per queue
  • Searchable, deletable records with retention policies you set

Data residency and access

Where does your data physically live? Who can subpoena it? If your nonprofit operates internationally or works with cross-border populations, this matters. Ask the provider for:

  • Specific data center regions where calls and recordings reside
  • A documented sub-processor list (which third parties they share data with)
  • A data deletion policy you can invoke at end of contract

Volunteer-specific considerations

Volunteers are often your largest pool of "users" who handle sensitive information. Make sure:

  • Volunteer extensions can be disabled instantly when someone steps away
  • Volunteers cannot access call recordings of staff conversations
  • SMS history is appropriately scoped (volunteers should not see donor SMS history with other volunteers)

The annual security review

Once a year, do this:

  1. Pull the audit log. Review who accessed what.
  2. Audit your active users. Disable everyone who should not be there anymore.
  3. Re-confirm your provider's compliance attestations are current.
  4. Test your recovery: can you actually restore deleted voicemails or messages within retention?

None of this is exotic. It is the same posture you would apply to any other system handling sensitive data. The mistake is treating phones as exempt because they used to be "just phones." They are not anymore.

#security #compliance #checklist