Security and compliance
This Security and Compliance policy describes the minimum requirements for information security and data protection provided by us to you in connection with the performance of the PureCloud suite of products (“PureCloud”) under your agreement with us. Capitalized terms used herein not otherwise defined shall have the meaning set forth in your agreement.
- Security Program
We have implemented and will maintain an information security program that follows the generally accepted system security principles embodied in the ISO 27001 standard, designed to protect Customer Data as appropriate to the nature and scope of the Services provided. The Genesys Telecommunications Laboratories Inc. Security & Compliance Team, which maintains the information security program, includes experienced professionals holding a wide range of certifications in both security and privacy. The information security program includes at least the following elements:
- Security Awareness and Training
We have implemented and maintain an information security and awareness program that is delivered to employees and appropriate contractors at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass. Additionally, development staff members are provided with secure code development training.
- Policies and Procedures
We maintain policies and procedures to support the information security program. Policies and procedures are reviewed annually and updated as necessary.
- Change Management
We utilize a change management process based on industry standards to ensure that all changes to the PureCloud production environment are appropriately reviewed, tested, and approved.
PureCloud does not patch running server instances in place. Instead, all server instances are destroyed and rebuilt at least every 30 days from new “gold images” that carry current patch levels. Gold images are updated at least every two weeks with up-to-date security patches.
- Data Storage and Backup
We create backups of critical Customer Data according to documented backup procedures. Backup data will not be stored on portable media. Customer Data stored on backup media will be encrypted using server-side encryption as provided by Amazon Web Services (“AWS”).
- Vulnerability Scanning and Penetration Testing
We conduct internal vulnerability scanning on a regular basis with automated scans and notifications. The scan results are analyzed to confirm identified vulnerabilities, and remediation is scheduled within a timeframe commensurate with the relative risk.
On at least an annual basis, we conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement are appropriately addressed within a reasonable time frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary test results shall be made available to you upon written request and will be subject to non-disclosure and confidentiality agreements.
- Data Destruction
We follow AWS standard practices for the destruction of Customer Data that becomes obsolete or is no longer required under the Agreement.
- Anti-Virus and Anti-Malware Protection
We will utilize industry standard anti-virus and anti-malware protection solutions designed to protect the infrastructure that supports PureCloud against malicious software such as Trojan horses, viruses, and worms. The solution will be centrally managed and configured to ensure updates are applied in a timely manner.
Applications running within PureCloud were developed and are maintained utilizing industry standard secure coding practices, including peer coding review, security and unit testing, and adherence to secure coding techniques. We use industry standard practices to avoid the inclusion of any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, and Trojan Horses) in applications running within PureCloud.
- Network Security
AWS provides a strong foundation of security and compliance which we supplement by employing industry standard network security controls designed to protect Customer Data, including, but not limited to, the following:
- Intrusion Detection Systems
We have implemented and maintain a host-based intrusion detection system and a network-based intrusion detection system designed to alert us in the event of suspicious activity.
- Data Connections between You and PureCloud
We use HTTPS/TLS with AES-256 encryption to secure connections between browsers, mobile apps, and other components to PureCloud.
- Data Connections between PureCloud and Third Parties
Transmission or exchange of Customer Data with you and any third parties authorized by you to receive the Customer Data will be conducted using secure methods (e.g., TLS, HTTPS, SFTP).
- Encrypted Recordings
We encrypt call recordings by default. PureCloud generates customer specific encryption keys used to secure call recordings. Chat sessions are encrypted in transit.
- Encryption Protection
We use industry standard methods to support encryption. We use a minimum of RSA 2048 bits for asymmetric key encryption. For symmetric key encryption, we use a minimum of AES 128 bits. For hashing, we use SHA-1 and SHA-2.
- User Access Control
We have implemented and maintain appropriate access controls and the concept of least privilege designed to ensure only authorized users have access to Customer Data within PureCloud. User access is logged for audit purposes.
- Your User Access
You are responsible for managing user access controls within the application. You define the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for your users. You are entirely responsible for any failure by you, your agents, contractors or employees (including without limitation all of your users) to maintain the security of all usernames, passwords and other account information under your control. Except in the event of a security lapse caused by our gross negligence or willful action or inaction, you are entirely responsible for all use of PureCloud through your usernames and passwords whether or not authorized by you and all charges resulting from such use. You will immediately notify us if you become aware of any unauthorized use of the PureCloud production environment.
- Our User Access
We will create individual user accounts for each of our employees or contractors that have a business need to access the PureCloud production environment. The following guidelines will be followed with regard to our user account management:
- User accounts are requested and authorized by our management.
- User accounts follow the concept of least privilege.
- Access to the PureCloud Production environment requires multifactor authentication.
- SSH keys are utilized instead of passwords within PureCloud.
- Dormant or unused accounts are disabled after 90 days of non-use.
- Session time-outs are systematically enforced.
- User accounts are promptly disabled upon employee termination or role transfer, eliminating a valid business need for access.
- Business Continuity and Disaster Recovery
PureCloud is deployed and configured in a redundant infrastructure through AWS. Services provided by PureCloud follow a stateless architecture. Data repositories in PureCloud use redundancy and replication designed to maintain availability and avoid data loss in the event of a lost data node. The PureCloud environment is physically separated from our corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the PureCloud Services.
- Business Continuity
We will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.
- High Availability
PureCloud utilizes AWS services to provide highly available environments, including, but not limited to, the following:
- Availability Zones (AZs) which consist of one or more discrete data centers, each with redundant power, networking and connectivity, and housed in separate facilities;
- Auto Scaling Groups (ASGs) to dynamically scale clusters based on demand and automatically launch replacement instances in the event of a failure;
- AWS Elastic Load Balancers (ELBs) to route internal and external traffic to healthy infrastructure and automatically reroute traffic away from unhealthy infrastructure;
- Durable message queueing systems that support request queuing and point-to-multipoint notifications. Message queues allow us to both load-balance requests/events and handle load bursts without data loss; and
- Amazon Simple Storage Service (S3). S3 stores objects redundantly on multiple devices across multiple facilities in an Amazon S3 Region. Amazon aims to deliver eleven nines (99.999999999%) of durability.
- Security Incident Response
We maintain a Security Incident response program based on industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.
In the event of a confirmed Security Incident involving the unauthorized release or disclosure of Customer Data or other security event requiring notification under applicable law, we will notify you within seventy-two (72) hours and will reasonably cooperate so that you can make any required notifications in connection with such event, unless we are specifically requested by law enforcement or a court order not to do so.
- Notification Details
We will provide the following details regarding the confirmed Security Incident to you: (i) date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions already taken by us; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.
- Ongoing Communications
We will continue providing appropriate status reports to you regarding the resolution of the Security Incident, and will continue to work in good faith to correct the Security Incident and to prevent future such Security Incidents. We will cooperate, as reasonably requested by you, in order to further investigate and resolve the Security Incident.
We have developed and will maintain a privacy program designed to respect and protect Customer Data under our control, and this is located at https://help.mypurecloud.com/articles/purecloud-privacy-policy/. We will not rent, sell or otherwise share any Customer Data with outside parties. Customer Data will only be used or accessed for the purpose of providing PureCloud Services.
Industry Specific Certifications
Our security and operational controls are based on industry standard practices and are certified to meet ISO 27001, ISO 9001, HIPAA, PCI Service Provider Level 1, and SSAE16 Service Organization Control (SOC) guidelines. PureCloud utilizes infrastructure deployed on Amazon Web Services (AWS). AWS provides the following letters of compliance and/or certification: ISM, ASD, ISO 9001:2008, ISO 27001:2013, ISO 27018:2014, ISO 27017:2015, and Multi-Tier Cloud Security Standard Level-3 (CSP) Certification. AWS also undergoes frequent SOC 3 audits. Copies of the certifications and audit reports for AWS are available on the AWS website at http://aws.amazon.com/compliance/published-certifications.
Nevertheless, you are solely responsible for achieving and maintaining any industry specific certifications required for your business (e.g., PCI DSS, HIPAA, GLBA, NIST 800-53, FedRAMP, etc.).