Store your call recordings and voicemails in your own AWS S3 bucket instead of Twilio's servers. This gives you full ownership of your audio data, faster playback, and enables HIPAA-compliant workflows for healthcare organizations.
{% hint style="info" %}
**Your Data, Your Bucket:** When you enable S3 storage, Ring Tonic migrates recordings from Twilio to your S3 bucket and then removes them from Twilio. Once migrated, audio streams directly from your bucket via secure signed URLs.
{% endhint %}
***
### Why Use Your Own S3 Bucket?
| Benefit | Description |
| ----------------------- | ------------------------------------------------------------------------------ |
| **Faster Playback** | Audio streams directly from S3 to your browser via signed URLs—no middleman |
| **Lower Storage Costs** | S3 costs $0.023/GB vs Twilio's $0.0005/min ($0.03/GB at typical bitrates) |
| **Data Ownership** | You own the raw audio files in your own AWS account |
| **HIPAA Compliance** | Required for healthcare—keeps PHI off third-party servers |
| **Flexible Archival** | Use S3 Lifecycle Rules to automatically move old recordings to cheaper storage |
{% hint style="success" %}
**Performance Boost:** With S3, the audio player loads recordings directly from your bucket using signed URLs. This is faster than streaming through Twilio's servers because it eliminates an extra network hop.
{% endhint %}
***
### How It Works
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Caller │──────│ Twilio │──────│ Ring Tonic │──────│ Your S3 │
│ calls your │ │ records │ │ downloads │ │ bucket │
│ tracking # │ │ the call │ │ & uploads │ │ (you own) │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
│
▼
┌─────────────┐
│ Twilio │
│ recording │
│ deleted │
└─────────────┘
```
1. **Call comes in** → Twilio records the conversation
2. **Recording ready** → Twilio notifies Ring Tonic when recording is available
3. **Migration** → Ring Tonic downloads from Twilio and uploads to your S3 bucket
4. **Cleanup** → After successful upload, Twilio recording is deleted to avoid double storage costs
5. **You play recordings** → Audio streams directly from S3 via secure signed URLs
***
### Setup Guide
{% stepper %}
{% step %}
**Create an S3 Bucket**
Create a S3 bucket
1. Log in to [AWS Console](https://console.aws.amazon.com/)
2. Go to **S3** → **Create bucket** (If you cannot find S3, search using the header search bar)
3. Enter a bucket name (e.g., `yourcompany-call-recordings`)
4. Select your preferred region (e.g., `us-east-1`)
5. Keep **Block all public access** enabled
6. Click **Create bucket**
{% hint style="warning" %}
**Keep it private.** Your bucket should NOT be public. Ring Tonic uses secure signed URLs that expire after 60 minutes.
{% endhint %}
{% endstep %}
{% step %}
**Create an IAM Policy**
First, create a policy that grants access to your bucket.
1. Go to **IAM** → **Policies** → **Create policy**
2. **Select a service:** S3
3. Click the **JSON** tab and paste:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME",
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketCors",
"s3:PutBucketCors"
],
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
}
]
}
```
{% hint style="info" %}
**DeleteObject Permission:** This allows Ring Tonic to clean up S3 recordings when call logs are deleted (if enabled in workspace settings).
{% endhint %}
4. Replace `YOUR-BUCKET-NAME` with your actual bucket name that you created in step 1
5. Click **Next** → Name it `RingTonicS3Access` → **Create policy**
{% endstep %}
{% step %}
**Create an IAM User**
Now create a user and attach the policy.
1. Go to **IAM** → **Users** → **Create user**
2. Enter a name: `ringtonic-s3-access` → Click **Next**
3. Select **Attach policies directly**
4. Search for `RingTonicS3Access` and check the box
5. Click **Next** → **Create user**
6. Open the user → **Security credentials** tab
7. Click **Create access key** → Select **Third-party service**
8. Click **Create access key** → **Save both keys**
{% hint style="warning" %}
**Save your keys now.** The Secret Access Key is only shown once. Store it in a password manager.
{% endhint %}
{% endstep %}
{% step %}
**Configure Ring Tonic**
Setup Storage in Ring Tonic
1. Go to **Workspace Settings** → **Storage** tab
2. Enable **S3 External Storage**
3. Enter your credentials:
* **Access Key ID:** From IAM user
* **Secret Access Key:** From IAM user
* **Bucket Name:** Your S3 bucket name
* **Region:** Must match your bucket (e.g., `us-east-1`)
4\. Click **Test Connection**
5\. Click **Save**
{% hint style="info" %}
**Automatic Setup:** When you test the connection, Ring Tonic automatically configures CORS on your bucket so recordings can play in the browser.
{% endhint %}
{% endstep %}
{% step %}
**Migrate Existing Recordings (Optional)**
If you have existing recordings stored in Twilio:
1. Go to **Workspace Settings** → **Storage** tab
2. Click **Migrate Existing Recordings**
3. Migration runs in the background—large accounts may take several hours
{% endstep %}
{% endstepper %}
***
### HIPAA Compliance
For healthcare organizations handling Protected Health Information (PHI), Ring Tonic's architecture supports HIPAA-compliant workflows.
#### How We Handle Compliance
| Area | How It's Protected |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| **Telephony (BAA)** | You connect your own Twilio account and execute a BAA directly with Twilio. The transmission layer stays under your legal umbrella. |
| **Call Recordings & Voicemails** | With S3 External Storage, recordings are migrated from Twilio to your bucket. After migration, audio is stored only in your S3 bucket. |
| **Database** | All call logs and metadata are encrypted at rest. |
{% hint style="success" %}
**The Key Difference:** Because of our "Bring Your Own Key" architecture, you retain full legal ownership of raw call data. After migration, we only store metadata and references—recordings live exclusively in your S3 bucket.
{% endhint %}
{% hint style="info" %}
**Need a BAA?** Contact [Twilio Sales](https://www.twilio.com/en-us/hipaa) and [AWS](https://aws.amazon.com/compliance/hipaa-compliance/) to execute Business Associate Agreements if you handle PHI.
{% endhint %}
***
### Storage Costs & Lifecycle Rules
S3 storage is billed directly by AWS.
| Storage Class | Cost | Retrieval | Best For |
| --------------------------- | ------------------- | ----------- | ----------------------------- |
| **S3 Standard** | \~$0.023/GB/month | Instant | Recent recordings (< 90 days) |
| **S3 Glacier Instant** | \~$0.004/GB/month | Instant | Older recordings (90+ days) |
| **S3 Glacier Deep Archive** | \~$0.00099/GB/month | 12-48 hours | Long-term archival (1+ years) |
#### What Are Lifecycle Rules?
S3 Lifecycle Rules automatically move files to cheaper storage classes as they age. For example:
* **Day 0-90:** Recording stays in S3 Standard (fast access)
* **Day 91-365:** Automatically moves to Glacier Instant (80% cheaper, still instant access)
* **After 1 year:** Moves to Deep Archive (95% cheaper, slower retrieval)
This saves money without manual intervention—old recordings you rarely access cost almost nothing to store.
{% hint style="success" %}
**Example:** 1,000 calls/month × 3 min average × 1 MB/min = 3 GB/month. With lifecycle rules, annual storage costs under $5.
{% endhint %}
***
### Common Questions
Do I need S3 for Ring Tonic to work?
No. S3 storage is optional. By default, recordings and voicemails are stored in Twilio. S3 is recommended for faster playback, HIPAA compliance, or cost optimization at scale.
How long does Twilio store recordings?
Twilio stores recordings indefinitely unless you delete them. The first 10,000 minutes are free; after that, Twilio charges $0.0005 per minute per month. With S3, you pay AWS directly at typically lower rates.
Are recordings encrypted in S3?
Yes. Enable S3 Server-Side Encryption (SSE-S3 or SSE-KMS) on your bucket. Data in transit is always encrypted via HTTPS.
How long are signed URLs valid?
60 minutes. Each time you play a recording, a fresh signed URL is generated. This prevents sharing via leaked URLs.
Can I use other S3-compatible storage?
Yes. Enter the custom endpoint URL in the **Endpoint** field. Ring Tonic supports MinIO, DigitalOcean Spaces, and other S3-compatible providers.
What happens if I disable S3 storage later?
Existing S3 recordings remain accessible. New recordings will be stored in Twilio. You can re-enable S3 anytime.
Are S3 recordings deleted when I delete call logs?
Yes, if enabled. In **Workspace Settings** → **Storage**, you can enable "Delete S3 recordings when call logs are deleted." When enabled, deleting a call log (individually, via campaign deletion, or workspace deletion) will also remove the corresponding recording from your S3 bucket. If disabled, recordings remain in S3 even after call log deletion.
What happens to Twilio recordings after migration?
After a recording is successfully uploaded to your S3 bucket, Ring Tonic automatically deletes the original recording from Twilio. This prevents paying for duplicate storage. If the Twilio deletion fails, the migration still completes successfully—your recording is safely in S3.
