We employ security best practices and policies to ensure that our network is secured physically and virtually, and that our customers’ data and payment information are both private and secure. Our security architecture comprises five main components:
Businesses around the world rely on Contacto to keep their data secure. Here are the measures we take to ensure physical, network, application, data, and payment security.
We commit to secure infrastructure and 99.95% uptime by deploying current technology and best practices to keep our platform online and performing optimally.
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties, and any vulnerabilities found are fixed.
Redundant links reroute traffic over backup networks in less than two seconds in case of a backbone failure. We run multiple instances and redundant servers in active pairs, and failover to the standby member is triggered automatically when it is required.
All of our facilities are designed to provide 100% power and HVAC availability in any given month. Trained specialists monitor and maintain hardware components on-site at each of our points of presence.
We distribute workloads across multiple resources to optimize response times, maximize throughput, and avoid single points of failure.
We aim to connect to multiple carriers in each country, and we connect to at least two local carriers in every country we serve. If a carrier fails, our systems automatically rebalance and divert traffic through the remaining carriers.
We use automated systems to deploy new code to clusters in real time, so software updates roll out with no downtime. All of our infrastructure and data is distributed across multiple AWS availability zones and continues to operate should any one of those zones fail.
Defensive systems embedded at multiple points and layers across the infrastructure and server environment protect our systems from unauthorized, potentially harmful, malicious, and malformed traffic and input. These defensive systems are automated, monitored, and logged. Firewalls restrict access to systems from external networks and between systems internally. To mitigate internal and external risk, access to each system is restricted to only the ports and protocols required for a specific business need.
Thousands of customer applications worldwide communicate securely with Plivo through our Voice and SMS APIs, which power Contacto Voice and Messaging capabilities. We utilize three primary tools for application security and authentication.
To prevent unauthorized account access, customers who sign in through SSO are required to enable two-factor authentication on their accounts for an additional layer of protection.
We issue a unique Authentication ID to every user so that only authorized people have access to an account and so that every action can be attributed to the identity that performed it.
All web session traffic between customer applications and Contacto is encrypted using TLS (Transport Layer Security). TLS provides encryption and server authentication between your applications and our servers, preventing third parties from eavesdropping on or tampering with the data in transit. All data entering or leaving Contacto infrastructure is encrypted with TLS/HTTPS.
Our APIs can log and record data so that our customers can assess platform behaviors. We recognize that user data, including account information, call logs, and recordings, is sensitive and necessitates robust protection. To address potential risks and threats, we have established stringent security measures and access controls to safeguard this sensitive information.
For customer data protection, Contacto provides logical tenant separation, encryption in transit (TLS 1.2 or greater), and encryption at rest using 256-bit AES (AES-256), one of the strongest encryption standards available for electronic data. All customer data is logically separated and is not accessible to other tenants.
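The TLS floor described above is only effective if the connecting application enforces it too. The following is an added example, not Contacto's or Plivo's code, showing how a customer application can build a client-side TLS configuration that refuses anything below TLS 1.2 and always verifies the server certificate and hostname, alongside a small audit function that flags a weaker configuration. It assumes only the Python standard library and makes no network connection.

```python
"""Build and audit a client TLS configuration against a minimum policy.

Added example; not code from the page's vendor. Assumes the policy
stated on the page (TLS 1.2 or greater) plus certificate and hostname
verification, which is what any HTTPS client should enforce.
"""
import http.client
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Context that verifies the server and negotiates TLS 1.2+ only."""
    # create_default_context() loads the system CA store and sets
    # CERT_REQUIRED with check_hostname=True. The version floor is set
    # explicitly so the policy does not depend on interpreter defaults.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately weak context, for contrast: no verification, no floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # hostname not matched to the cert
    ctx.verify_mode = ssl.CERT_NONE     # any certificate accepted
    # MINIMUM_SUPPORTED lets the library negotiate whatever it can,
    # which may be below the TLS 1.2 floor.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; policy requires TLSv1_2 or higher"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED; server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False; certificate is not matched to the hostname")
    return findings


def https_connection(host: str) -> http.client.HTTPSConnection:
    """Connection object bound to the hardened context (connects lazily).

    The hostname is a placeholder for whatever API endpoint the application
    talks to; nothing is sent until a request method is called.
    """
    ctx = hardened_client_context()
    assert not tls_policy_violations(ctx), "refusing to use a non-compliant TLS context"
    return http.client.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("legacy", legacy_client_context())):
        problems = tls_policy_violations(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run the audit against any context your application passes to `http.client`, `urllib`, or a third-party HTTP library before the first request; a context that fails `tls_policy_violations` should be treated as a misconfiguration rather than silently used.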
Administrative access privileges within the production environment are restricted to authorized personnel. Internally, only Contacto employees who require customer data access as part of their job functions, such as customer support, development, and security teams, are permitted to access customer data. Contacto's policies and procedures limit and log all external and internal access to customer data and require management approval prior to access.
We perform regular backups on all Contacto customer data hosted on AWS’s data center infrastructure, including account information, call logs, SMS logs, and call recordings. Backed-up customer data is retained redundantly across multiple availability zones. All backups are stored redundantly and are encrypted using AES-256.
All laptop devices issued to Contacto employees come with encrypted storage partitions and MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. In addition, we have the ability to remotely wipe a device in the event of it being lost or stolen.
Payment security is a critical component for our customers. We use an industry-leading payment platform for all of our transactions.
To minimize exposure of cardholder data, we don't store any credit card information on our servers. Instead, all credit card information is handled by our payment platform provider, where it is encrypted using AES-256.
Our payment platform provider is PCI DSS (Payment Card Industry Data Security Standard) compliant, which means it is independently validated against the standard mandated by the major card brands, including Visa, Mastercard, and American Express.
Contacto adheres to high operational standards and provides policies and practices for security audits, incident response, and privacy. Contacto’s network status and incident reports are publicly available in real time.
As part of Contacto's service-level agreements with all customers, we respond to priority 1 business-critical incidents around the clock, 365 days a year. We also monitor our infrastructure through two network operations centers (NOCs) and security operations centers (SOCs), and we use third-party notification and alert systems to identify and manage threats.
All Contacto employees are bound by Contacto’s privacy policy.