Headland
Communications
Legal

Trust

Effective Date: May 20, 2026  ·  Last Updated: May 20, 2026  ·  Version: 1.0

1. Overview

This page is Headland Communications' trust center. It consolidates, in one place, the security, privacy, compliance, and operational practices we apply to the hosted voice, managed connectivity, and managed IT services we deliver to our customers.

It is intended for three audiences:

  • Prospective customers and their procurement or compliance teams, performing pre-contract due diligence
  • Existing customers who need to answer questions from their own auditors, insurers, or regulators about how their data is handled
  • Partners and subprocessors who need to understand the obligations that flow through to them

This page is updated whenever our practices, attestations, or subprocessor roster materially change. The "Last Updated" date above reflects the most recent change. We do not send proactive notifications. Customers who require change notifications for contractual reasons should contact compliance@hcvoip.com to discuss an addendum.

Where this page summarizes obligations addressed in greater detail elsewhere, the authoritative documents are the Privacy Policy, the Acceptable Use Policy, and the executed Master Services Agreement (MSA) or applicable order form between Headland and the customer. In any conflict, those documents control.

2. Regulatory & legal posture

Headland Communications is a U.S.-based telecommunications carrier. The Services are operated from and intended for use in the United States. Our compliance posture reflects that scope.

2.1 Federal

  • FCC oversight. Headland is subject to the jurisdiction of the Federal Communications Commission as a provider of interconnected VoIP and related telecommunications services.
  • CPNI (47 U.S.C. § 222; 47 C.F.R. Part 64, Subpart U). We maintain customer-proprietary network information protections, including authentication for account access, annual CPNI compliance certification, and the breach notification procedures required by 47 C.F.R. § 64.2011.
  • CALEA. We comply with lawful intercept obligations under the Communications Assistance for Law Enforcement Act.
  • E911 / RAY BAUM'S Act / Kari's Law. Our hosted voice platform supports dispatchable-location E911 and notification-on-911 functionality consistent with these requirements.
  • STIR/SHAKEN. Outbound calls originated on Headland's platform are signed in accordance with the FCC's caller-ID authentication framework.
  • TCPA. Customers using messaging or auto-dial features are required by our Acceptable Use Policy to comply with the Telephone Consumer Protection Act and applicable consent rules.

2.2 State

  • State public utility commissions. Headland holds the registrations and authorizations required to operate as a telecommunications provider in the states in which it serves customers.
  • California Consumer Privacy Act (CCPA/CPRA). See the Privacy Policy, Section 14.2 for the full California disclosures, including categories of personal information collected, sources, business purposes, and recipients.
  • Other state privacy laws. Where applicable, we honor consumer rights under Virginia, Colorado, Connecticut, Utah, and other state privacy statutes consistent with the Privacy Policy.
  • Breach notification. Our incident response procedures include notification to affected individuals, regulators, and law enforcement as required by applicable state statutes.

2.3 Payment processing

Headland does not store, process, or transmit full primary account numbers (PANs) on its own systems. Payment card and ACH transactions are handled by Intuit, Inc. through QuickBooks Payments (see subprocessor entry). Cardholder data is captured and processed entirely within Intuit's environment; Headland's PCI DSS scope is correspondingly limited (SAQ A).

3. Security program & governance

Headland maintains a written information security program that includes administrative, technical, and physical safeguards designed to protect personal information and customer data. The program is reviewed annually and updated in response to changes in our services, the threat landscape, and applicable law.

Structure of the operating team

Headland is operated by a small team in which every member of the operating group holds an equity interest in the business. There is no separation between a leadership tier that does not touch customer data and an employee tier that does. Every member is a principal with direct legal, financial, and reputational accountability for how customer data is handled. Responsibility for the security program sits with that group rather than being delegated to a separate security function.

Because the operating team is small, Headland places deliberate weight on documented procedures for production-system administration and incident response, so that any operating member can execute critical procedures.

Operating principles

The security program is built on three principles that are applied as defaults across the business:

  • Least privilege. Access to data, systems, and tooling is granted only where it is needed to perform a defined function, and only for as long as it is needed. This is the default across processes and practices — not only RBAC on production systems, but also administrative access to vendor portals, financial systems, customer-facing tooling, and shared credentials.
  • Defense in depth. Controls are layered so that no single failure — a leaked credential, a misconfigured firewall rule, a compromised endpoint — exposes customer data on its own.
  • Honest disclosure. Where a control is partial, a process is informal, or an attestation is absent, this page says so plainly rather than papering over it.

Policies

Internal policies governing the security program cover — at a minimum — information security, access control, change management, vendor management, incident response, business continuity, data retention, and breach notification. Policies are documented in writing and reviewed on the same cadence as the broader program.

4. Data protection

4.1 Encryption in transit

  • Web and API traffic: TLS 1.2 or higher, with modern cipher suites. Legacy SSL and TLS 1.0/1.1 are disabled on customer-facing endpoints.
  • Signaling: SIP over TLS supported on the hosted voice platform for endpoints and trunks that negotiate it.
  • Media: Secure RTP (SRTP) supported for media streams between Headland's platform and endpoints that negotiate it. Where an endpoint or upstream carrier does not support SRTP, media falls back to RTP. Customers should assume that voice media in transit across the PSTN is not encrypted end-to-end.
  • Administrative access: SSH with key-based authentication; HTTPS for management interfaces; VPN for back-of-house operational access.

4.2 Encryption at rest

  • AES-256 (or equivalent) for at-rest encryption of sensitive data on Headland-operated storage.
  • Backups are encrypted at rest using equivalent algorithms.
  • Encryption keys are managed separately from the data they protect, with access restricted to authorized personnel.

4.3 Sensitive credentials

  • End-user account passwords are stored as salted hashes using a modern password-hashing function. Plaintext passwords are not retained.
  • Payment card numbers are not stored on Headland systems; they are tokenized by our payment processor.
  • API keys and SIP credentials are treated as sensitive and may be rotated by the customer on request.

5. Identity & access management

  • Least privilege as default. Access to data, systems, and tooling is granted only where it is needed for a defined function, and only for as long as it is needed. This applies to every system Headland operates or administers, including third-party portals (carrier, payment processor, cloud storage, email).
  • Role-based access control. Administrative permissions on production systems are scoped by function rather than by individual, so that access can be granted, modified, or revoked by changing role assignment rather than by editing per-user permissions.
  • Single sign-on. SSO is used wherever practicable. Headland operates an in-house identity management solution as the primary identity provider for internal tooling and federated vendor access. Where a vendor does not support SSO, credentials are managed in a shared secret manager (1Password) with MFA on the vault itself and access logged.
  • Multi-factor authentication. MFA is required for all Headland administrative access to production systems, the customer billing platform, the identity provider, and any vendor portal that supports it.
  • Access reviews. Privileged access and group membership are reviewed promptly on any change in personnel or role, and at least annually as a standing review.
  • Onboarding and offboarding. Access is provisioned when a defined role begins, modified on role change, and revoked promptly on departure or change of relationship. Because the operating team is small and stable, formal onboarding/offboarding events are infrequent; the same access-control discipline applies when they do occur, and applies to any non-owner contractors engaged for specific work.
  • Customer-side authentication. Customers are responsible for managing their own end-user identities within the services we provide (e.g., user extensions, voicemail PINs, portal users). Where supported, we recommend customers enable MFA on portal accounts and rotate voicemail PINs from defaults.

6. Network & infrastructure security

  • Segmentation. Production environments are network-segmented from corporate/operational environments. Customer-facing voice signaling, media, web, and management planes are separated by firewall and ACL controls.
  • Perimeter controls. Stateful firewalls and access control lists at network boundaries. Inbound services are limited to those required to deliver the relevant service.
  • SIP-specific protections. Rate limiting, registration brute-force protection, and known-bad source blocking on the session border controllers. Toll-fraud detection thresholds are configured on the hosted voice platform and trigger automated containment when exceeded.
  • DDoS posture. Upstream connectivity at the colocation facility includes carrier-level DDoS mitigation.
  • Intrusion detection. Network and host-based monitoring is in place on production systems with alerting to operations on anomalous events.
  • Hardening. Production hosts are built from controlled images with non-essential services disabled and secured baseline configurations.

7. Application & change management

  • Change control. Production changes follow a documented change-management process that includes peer review, a rollback plan, and a maintenance window for customer-impacting changes. Emergency changes are permitted with post-hoc review.
  • Separation of environments. Development, staging, and production environments are separated. Production customer data is not copied into development or staging environments.
  • Source control and code review. Internal automation, integrations, and configuration are maintained in version-controlled repositories with peer review for changes that affect production.
  • Dependency management. Third-party software and libraries used in Headland-operated components are tracked, and security advisories are reviewed as part of vulnerability management.
  • Maintenance notifications. Planned maintenance is notified to affected customers through the support portal or by email. Emergency maintenance may occur without advance notice.

8. Physical security

The hosted voice platform and supporting back-office infrastructure operate on Headland-owned equipment colocated at the iBridge Cloud Technologies facility in Rancho Cordova, California (see subprocessor entry).

  • Facility controls. The colocation facility provides 24/7 staffed security, multi-factor physical access controls (badge plus biometric or PIN), CCTV coverage, and visitor logging. Current facility attestations are published by the operator and available on request.
  • Environmental controls. Redundant power (UPS and generator), redundant cooling, and fire detection/suppression are provided by the facility operator.
  • Cage and rack access. Physical access to Headland-owned equipment is limited to authorized Headland personnel and any escorted vendors performing approved work.
  • Media disposal. Decommissioned storage media containing customer or operational data is sanitized or physically destroyed before disposal.

9. Personnel security

As described in Section 3, Headland is operated by a small team in which all members of the operating group hold an equity interest in the business. Personnel-security controls reflect that structure: there is no separation between an "employee" tier that handles customer data and a leadership tier that does not. Every operating member is a principal with direct legal and financial accountability for how customer data is handled.

  • Ownership-aligned confidentiality. All operating members are bound by Headland's operating agreement and applicable written confidentiality obligations covering customer information, CPNI, and proprietary information. These obligations survive departure from the business.
  • Background checks. Background checks are performed on any non-owner personnel (contractors, future hires) granted production or customer-data access, where lawful and appropriate to the role.
  • CPNI training. All personnel with access to CPNI — owners and any non-owner personnel alike — are trained on the FCC CPNI obligations applicable to Headland, consistent with our annual CPNI compliance certification under 47 C.F.R. § 64.2009(e).
  • Ongoing security awareness. Operating members track changes in FCC rules, state privacy law, and material threats relevant to telecommunications and managed-services operators, and apply those changes to Headland's practices.
  • Accountability for policy violations. Material breaches of security or confidentiality obligations by any operating member or contractor are addressed through the mechanisms available under Headland's operating agreement and applicable contracts, up to and including separation from the business.

10. Logging, monitoring & detection

  • What is logged. Authentication events on production systems and administrative interfaces; privileged command execution where supported; SIP registration and call signaling events; firewall and SBC events; system and application errors.
  • Retention. Security and authentication logs are retained for 2 years (see Privacy Policy, Section 11). Call detail records are retained for at least 18 months consistent with 47 C.F.R. § 42.6.
  • Aggregation. Production logs are aggregated to a central log destination separate from the systems generating them.
  • Alerting. Operationally significant and security-relevant events generate alerts to the on-call rotation.
  • Time synchronization. Production systems synchronize time against trusted NTP sources to support log correlation and forensic accuracy.

11. Vulnerability management

  • Patching. Security patches for operating systems, hypervisors, network devices, and platform software are applied on a risk-prioritized schedule. Critical patches are expedited.
  • Vulnerability scanning. Internal vulnerability scans are performed at least quarterly. Findings are triaged and remediated based on severity and exploitability.
  • Threat intelligence. Public vulnerability advisories (CISA KEV, vendor PSIRT, US-CERT) relevant to deployed components are monitored.

12. Incident response & breach notification

Headland maintains a written incident response plan covering identification, containment, eradication, recovery, and post-incident review. Roles, responsibilities, and escalation paths are defined for on-call operations, leadership, legal/compliance, and external counsel.

12.1 Incident response process

  • Identification. Events of interest are surfaced through monitoring, customer reports, partner notifications, and personnel observation.
  • Triage and classification. Confirmed incidents are classified by severity and scope. Suspected incidents are investigated promptly.
  • Containment and eradication. Containment actions are taken to limit further impact while preserving evidence for forensic review where appropriate.
  • Recovery. Affected services are restored from clean state using documented procedures.
  • Post-incident review. Material incidents are subject to written post-incident review with identified corrective actions tracked to closure.

12.2 Breach notification

If we determine that a security incident has resulted in unauthorized access to or acquisition of personal information, we will notify affected individuals, regulators, and law enforcement as required by applicable law, including:

  • FCC CPNI breach rules — 47 C.F.R. § 64.2011. Notification to the United States Secret Service and the FBI within the timelines specified in the rule, and to affected customers thereafter.
  • State breach notification statutes. Notification to affected individuals and state attorneys general (and consumer-reporting agencies where applicable) within the timelines specified by each applicable state law.
  • Contractual notification. Customers will be notified consistent with the timelines and channels set forth in their MSA or applicable data processing terms. Headland's default contractual commitment is to notify affected customers without undue delay, and in any event within 72 hours of confirmation.

12.3 Reporting an incident

To report a suspected security incident affecting your account or our services, contact security@hcvoip.com and open a priority ticket through the support portal. Out-of-band escalation is available via the support number on your account.

13. Business continuity & disaster recovery

  • Platform redundancy. The hosted voice platform is deployed with redundancy at the component level within the colocation facility. Critical signaling and database functions are configured for failover.
  • Transport diversity. Multiple upstream transport carriers are provisioned at the colocation facility, so that an outage on any single transport path does not isolate Headland's platform from the public internet.
  • Voice carrier posture. Voice origination is delivered through Bandwidth, which holds the customer's telephone numbers. Telephone number portability is constrained by the originating carrier, and a full carrier-level migration would require number porting rather than instantaneous cutover. To limit single-carrier exposure on the termination path, Headland maintains alternate termination providers and can re-route outbound traffic away from Bandwidth in the event of a Bandwidth-side termination outage. Inbound calls remain dependent on Bandwidth for the duration of any such event.
  • Backups. Configuration and customer-affecting data is backed up daily, with 7 daily backups retained, and weekly backups retained for 28 days. Backups are encrypted and stored separately from production systems.
  • Status communications. During an active incident, customer-facing updates are issued through the support portal and, where appropriate, by direct email or phone to designated customer contacts.

14. Data retention & deletion

Retention periods are set out in Privacy Policy, Section 11. Headlines:

CategoryRetention
Toll records / CDRsAt least 18 months (47 C.F.R. § 42.6)
Call recordingsPer customer configuration; default 30 days
VoicemailsUntil deleted by the user, or on account closure
SMS/MMS contentNot retained beyond delivery (typically < 72 hours)
SMS/MMS metadata18 months
Account & billing recordsAccount term + 10 years, or as required by tax/accounting law
Security & authentication logs2 years

Deletion on termination. Following termination of service, customer-controlled data is deleted or de-identified once any contractual return period has elapsed and absent a legal retention obligation or legal hold. Customers may request export of their data prior to termination as set forth in their MSA.

Legal hold. Data subject to litigation hold or regulatory preservation obligation is retained until the hold is released.

15. Shared responsibility

Security of a hosted communications service is a shared effort. Headland is responsible for the security of the platform we operate; customers are responsible for how they use it.

Headland is responsible for

  • Security of the underlying platform, network, and facilities described above
  • Patching of the platform and supporting infrastructure
  • Backups of platform configuration and customer-affecting data
  • Monitoring of the platform and response to platform-level incidents
  • Compliance with the regulatory obligations applicable to us as a carrier

Customers are responsible for

  • Choosing strong passwords and PINs, enabling MFA on portal accounts where supported, and rotating credentials on personnel changes
  • Configuring features such as call recording, voicemail-to-email, SMS, and integrations consistent with applicable law (consent, notice, recording-jurisdiction rules) and with Headland's Acceptable Use Policy
  • Keeping registered E911 addresses current for each device or extension that may dial 911
  • Managing access to their own end-user identities and any integrations they configure with third parties
  • Responding to privacy-rights requests from their own end users where Headland is acting as a service provider/processor (see Privacy Policy, Section 14)
  • Securing the customer-premises equipment, LAN, and any internet connectivity that connects to our service, except to the extent Headland has been engaged under a managed-services agreement covering those components

16. Vendor & subprocessor management

Third parties that may process customer personal data on our behalf are reviewed before engagement and reassessed periodically. Material factors in our review include the vendor's stated security practices, their public attestations (where available), their data-handling commitments, and their suitability for the specific function.

The following is the authoritative list of subprocessors that may process customer personal data on Headland's behalf. We do not send proactive notifications when this list changes. Customers who require contractual change notifications should contact compliance@hcvoip.com.

Bandwidth Inc.

Voice · Carrier

Origination and termination of customer voice traffic, SMS/MMS messaging, DID provisioning, and E911 location routing for hosted voice and SIP trunking services.

Data processed
Call detail records, signaling metadata, voice media in transit, SMS/MMS content and metadata, registered E911 addresses, 10DLC campaign data
Data subjects
Customer end users; calling, called, and messaging parties
Processing location
United States (Raleigh, NC)
Transfer mechanism
N/A — US-based processing

Neustar, Inc.

Voice · Caller ID

Outbound Caller ID (CNAM) registration for Headland-managed numbers and inbound CNAM database lookups. Operated as a subsidiary of TransUnion.

Data processed
Telephone numbers, registered Caller ID display names, branded-calling metadata
Data subjects
Customer businesses and their listed numbers; calling and called parties
Processing location
United States
Transfer mechanism
N/A — US-based processing

CounterPath Corporation

Voice · Softphone

Bria softphone provisioning, registration, and license management for customer end users. A wholly-owned subsidiary of Alianza, Inc.

Data processed
SIP credentials, device registration metadata, account identifiers, license entitlements
Data subjects
Customer end users
Processing location
United States (Alianza, Pleasant Grove, UT)
Transfer mechanism
If processed in Canada: Canada adequacy decision (EU/UK)

Google LLC

Voice · Transcription

Google Cloud Speech-to-Text transcription of customer voicemail messages, delivered back to the mailbox owner. Live or recorded call audio is not transmitted to Google.

Data processed
Voicemail audio content, resulting transcription text, associated metadata
Data subjects
Customer end users; any party leaving a voicemail
Processing location
United States
Transfer mechanism
EU-U.S. Data Privacy Framework (Google LLC is DPF-certified) for any non-US data subjects

Dropbox, Inc.

Storage

Cloud file storage and sharing for Headland operational documents and any customer-shared artifacts (configurations, recordings, documentation).

Data processed
Files uploaded to Headland's account, file metadata, sharing recipients
Data subjects
Customer contacts and end users, to the extent referenced in stored files
Processing location
United States (Dropbox Business default)
Transfer mechanism
EU-U.S. Data Privacy Framework (Dropbox is DPF-certified) for any non-US data subjects

Microsoft Corporation

Operations · Email

Hosted email, calendar, and document services used by Headland to correspond with customers and operate the business.

Data processed
Email message content and metadata, calendar entries, contacts, attachments
Data subjects
Customer contacts in correspondence with Headland
Processing location
United States (Microsoft 365 commercial)
Transfer mechanism
EU-U.S. Data Privacy Framework (Microsoft Corporation is DPF-certified) for any non-US data subjects

Intuit Inc.

Operations · Billing & Payments

QuickBooks Online for invoice generation, accounts receivable, and customer payment processing (card and ACH) via QuickBooks Payments. Headland does not store card numbers; payment instruments are tokenized by Intuit.

Data processed
Billing contact and address, invoice line items, tokenized payment instruments, transaction history
Data subjects
Customer billing contacts and authorized payers
Processing location
United States (Mountain View, CA)
Transfer mechanism
EU-U.S. Data Privacy Framework (Intuit Inc. is DPF-certified) for any non-US data subjects

iBridge Cloud Technologies, Inc.

Infrastructure · Colocation

Colocation facility hosting Headland-operated equipment, including the hosted voice platform and supporting back-office infrastructure.

Data processed
All data at rest on Headland-owned hardware located in the iBridge facility
Data subjects
All
Processing location
Rancho Cordova, California, United States
Transfer mechanism
N/A — US-based processing

17. Audits & attestations

Headland's attestations

Headland files an annual CPNI compliance certification with the Federal Communications Commission under 47 C.F.R. § 64.2009(e). The certification, signed by an officer of the company, attests under penalty of perjury that Headland has operating procedures in place to ensure compliance with the FCC's customer proprietary network information rules (47 C.F.R. Part 64, Subpart U). It is filed in FCC Docket 06-36 and is publicly available in the FCC's Electronic Comment Filing System.

Headland does not currently hold its own third-party security attestations such as SOC 2, ISO 27001, or HITRUST. Customers requiring an attested report from their telecommunications provider should weigh this in their selection. The security program described on this page is operated in good faith and is grounded in the regulatory obligations applicable to us as a carrier (CPNI, CALEA, E911, state PUC requirements) and in customary practices for a U.S. telecommunications operator of our size.

Subprocessor attestations

Where customers require attested controls for systems that host our infrastructure, those attestations are held by the relevant subprocessors. In particular:

  • Colocation (iBridge Cloud Technologies) — facility attestations available from the operator on request
  • Payments (Intuit / QuickBooks Payments) — PCI DSS attestations published by Intuit
  • Cloud subprocessors (Google, Microsoft, Dropbox) — SOC 2 / ISO 27001 / DPF attestations published by each provider

18. Responsible disclosure

We welcome reports of security vulnerabilities in our public-facing services from researchers and the public. To report a vulnerability:

What to include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, including any URLs, requests, or sample payloads
  • Your contact information (so we can follow up); pseudonymous reports are accepted

What we ask

  • Give us a reasonable opportunity to investigate and remediate before public disclosure
  • Do not access, modify, or exfiltrate data belonging to anyone other than yourself; do not degrade service for other customers; do not run automated scans against our production systems without prior coordination
  • Do not engage in social engineering of Headland personnel, customers, or vendors

What we will do

  • Acknowledge receipt within a reasonable period
  • Triage the report and provide an initial assessment
  • Keep you informed of remediation progress for confirmed issues
  • Credit you in any public communications about the issue, if you wish

Headland does not currently operate a paid bug-bounty program.

19. Due-diligence requests

For prospective and existing customers conducting vendor due diligence:

  • Standardized questionnaires. We respond to common security questionnaires (SIG, CAIQ, customer-specific) on a reasonable-effort basis. Where this trust page already answers a question, we will reference the relevant section.
  • Data Processing Addendum. A DPA is available on request from compliance@hcvoip.com.
  • Insurance. Certificates of insurance are available on request from compliance@hcvoip.com.
  • Subprocessor disclosures. See Section 16 above.
  • BAA (HIPAA). Headland will consider executing Business Associate Agreements on a case-by-case basis, subject to caveats specific to certain voice features (for example, customer use of voicemail transcription, which routes voicemail audio to Google Cloud Speech-to-Text, and call recording). Customers with HIPAA requirements should contact compliance@hcvoip.com before configuring those features.

20. Contact

Questions about this trust center, our security practices, or subprocessor changes:

↑ Back to top ← Return to Headland Communications