Effective Date/Last Revised: April 1, 2019
This high level overview of DialogTech’s Information Security practices and standards is intended to explain our approach to key data security and privacy concerns that are frequently raised by our security conscious customers.
At DialogTech, we know that all customer data should be handled with the utmost care to preserve data security and customer trust. We follow industry best practices for encryption standards and for physical and logical security. We also keep up to date on the latest security threats and are quick to mitigate any potential vulnerabilities. DialogTech is fully HIPAA and HITECH compliant, and we continue to expand and strengthen our security initiatives, awareness, and practices.
Our primary focus is on the confidentiality and privacy of end consumers whose personally identifiable information may be collected on behalf of our customers. To ensure that all of our customers’ data is secure, we have strict policies that address our technical, administrative, and physical protections. To meet our customers’ needs, we have also adopted HIPAA-oriented policies and training. We require all employees to attend mandatory HIPAA training and to read and acknowledge the policies; we also track compliance and provide ongoing privacy training.
All employees and subcontractors who have access to any of our networks and data centers must undergo a thorough background check before they begin employment. Furthermore, we only employ services from third-party contractors that perform background checks as well. We also require all contractors to sign and agree to a non-disclosure agreement prior to conducting business.
To ensure that customer information is kept confidential, all data is encrypted at rest using AES 256-bit encryption and stored in our SSAE-16 certified data centers. This includes all production data as well as our backups. Data in transit is encrypted using 2048-bit keys for all transfers between our offices and the data centers, and between our data centers and our customers. To protect the privacy and integrity of the data, we utilize the highest level of encryption standards, including a minimum requirement of TLS 1.2. All devices in our environment are “hardened,” ensuring that only the necessary services are installed and running, and that all applicable security patches and updates are applied.
Our data centers implement the utmost care in regard to physical security. Both premises provide 24×7 security and monitoring, and only approved DialogTech employees are permitted to access the data centers and physical servers. We also use PayPal to process all customer payment information to avoid storing credit card or other sensitive payment data on DialogTech owned and operated servers.
DialogTech provides a number of options that our customers can enable to enhance security and privacy levels. We offer a privacy feature, DT Private, that allows our system to safely handle even the most sensitive customer data. This suite of features includes heightened security for call recordings, caller ID masking, and PII redaction. Our flexible API gives the option for our customers to download their recordings and automatically delete them from our servers.
Following the principle of least privilege, we grant access to an individual customer’s data only on a need-to-know basis. At DialogTech, we frequently review access controls to verify that every employee account has only the access rights to the data it requires. Access to modify any records is severely limited, and modifications can only be executed by approved users.
We provide a number of tools our customers can use to control access to their account and data by their employees. Each customer has the ability to manage their own user base as needed, and to generate and revoke API key pairs as well. Additionally, our tools allow customers to configure their own password restrictions, timeouts, and reuse policies, on the condition that their custom policies are equal to or stronger than our own.
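The “equal to or stronger than our own” rule above is easy to get wrong when each setting has a different notion of “stronger” (a longer minimum length is stricter, but a longer session timeout is weaker). The following is an added illustration, not DialogTech’s code, of how such a comparison can be made explicit. The policy fields, the baseline values, and the treatment of 0 as “disabled” are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical policy shape; the field names are assumptions for this example.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int            # minimum password length (higher is stricter)
    max_age_days: int          # forced rotation interval (lower is stricter; 0 = never expires)
    reuse_history: int         # previous passwords that may not be reused (higher is stricter)
    session_timeout_min: int   # idle minutes before logout (lower is stricter; 0 = no timeout)
    lockout_attempts: int      # failed logins before lockout (lower is stricter; 0 = lockout disabled)

# Constructed baseline values; a real baseline would come from the provider's own policy.
BASELINE = PasswordPolicy(
    min_length=12,
    max_age_days=90,
    reuse_history=5,
    session_timeout_min=30,
    lockout_attempts=5,
)

# For each field: (direction, zero_means_unbounded).
# "ge" means the custom value must be >= baseline; "le" means <= baseline.
# Fields where 0 means "disabled" are treated as unbounded (weakest possible) so a
# customer cannot pass the check by turning the control off.
_RULES = {
    "min_length": ("ge", False),
    "max_age_days": ("le", True),
    "reuse_history": ("ge", False),
    "session_timeout_min": ("le", True),
    "lockout_attempts": ("le", True),
}

def _effective(value: int, zero_is_unbounded: bool) -> float:
    """Map a 'disabled' setting (0) to infinity so it compares as weakest."""
    if zero_is_unbounded and value == 0:
        return float("inf")
    return float(value)

def weaker_fields(custom: PasswordPolicy, baseline: PasswordPolicy = BASELINE) -> List[str]:
    """Return the names of fields where `custom` is weaker than `baseline`."""
    weaker = []
    for name, (direction, zero_unbounded) in _RULES.items():
        c = _effective(getattr(custom, name), zero_unbounded)
        b = _effective(getattr(baseline, name), zero_unbounded)
        ok = c >= b if direction == "ge" else c <= b
        if not ok:
            weaker.append(name)
    return weaker

def accept_policy(custom: PasswordPolicy, baseline: PasswordPolicy = BASELINE) -> bool:
    """True only when every field of `custom` is at least as strict as `baseline`."""
    return not weaker_fields(custom, baseline)

if __name__ == "__main__":
    # A customer policy that disables expiry: rejected, because "never expires" is weaker.
    proposed = PasswordPolicy(min_length=16, max_age_days=0, reuse_history=10,
                              session_timeout_min=15, lockout_attempts=3)
    print("accepted:", accept_policy(proposed), "weaker fields:", weaker_fields(proposed))
```

The per-field direction table is the important design choice: without it, a naive “every number must be at least the baseline” check would accept a 120-minute idle timeout as stricter than a 30-minute one. Treating 0 as unbounded closes the other common gap, where switching a control off reads as the strictest possible value.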
DialogTech partners with industry leader, TrustWave, to perform assessments on all DialogTech networks. TrustWave provides detailed reports outlining potential vulnerabilities that may need to be addressed in cases where customer information could be compromised. We utilize a third party service to run an intensive security scan on our customer portal. In addition, we perform manual penetration tests at the application and network levels.
Our extensive telco infrastructure requires us to approach security on our telephony infrastructure as we would any other network. Every telco endpoint is behind a Session Border Controller (SBC), which serves as a firewall for our telecom networks. On our SBCs, we use a solution that analyzes our telephony traffic and ensures that only legitimate traffic is being generated on that network.
Our data centers include multiple network connections to major backbone providers, battery backups, onsite diesel generators, full climate and flood control, and tornado resistance to ensure service availability during even the most severe environmental conditions. DialogTech has taken steps to ensure that our technology infrastructure has N+2 redundancy at minimum, leaving no single point of failure at any layer of our application and infrastructure in the event of a device failure.
Our 24×7 operations staff have multiple systems and monitors to detect catastrophic failures and ensure immediate action. In disaster recovery scenarios, our teams restore our customers’ mission-critical systems first, prioritizing telephony connectivity, with recovery time in some use cases being essentially instantaneous.
At DialogTech, we know your data is critical to your business, and we place the highest priority on the privacy and security of our systems. We have a team solely dedicated to addressing security- and privacy-related concerns. In addition, we proactively sign Business Associate Agreements with any business that may be a HIPAA covered entity, and we complete appropriate security questionnaires for customers or prospective customers upon request.