Plivo Security Overview
This Plivo Security Overview ("Security Overview") is incorporated into and made a part of the agreement between Plivo and Customer covering Customer’s use of the Services ("Agreement").
Definitions
- Services: In this Security Overview, Services refers to the services and application programming interfaces (APIs) provided by Plivo.
- Customer Data: Any data provided by or collected on behalf of the customer.
Purpose
The purpose of this document is to outline Plivo’s security program, including security certifications and technical and organizational controls, aimed at protecting (a) Customer Data from unauthorized use, access, disclosure, or theft, and (b) the Services. This Security Overview does not apply to services that are not in general production, such as those labeled alpha, beta, limited release, or developer preview, nor to services provided by telecommunications providers.
Security Program
As security threats evolve, Plivo enhances its security program and strategy to protect Customer Data and Services. Plivo reserves the right to revise this Security Overview as needed; however, any changes will not significantly diminish the overall protections detailed herein. This Security Overview forms part of Plivo's Terms and Conditions, available at Plivo Terms and Conditions [https://www.plivo.com/legal/tos/].
Confidentiality
Plivo has implemented controls to ensure the confidentiality of Customer Data as required by the Agreement. All Plivo employees and personnel are bound by Plivo’s internal policies on maintaining the confidentiality of Customer Data and are contractually obligated to adhere to these requirements.
People Security
Employee Background Checks: Plivo conducts background checks on all new employees at the time of hire, in compliance with applicable local laws. Plivo verifies a new employee’s education, previous employment, and references. Where permitted by law, Plivo may also conduct criminal, credit, immigration, and security checks based on the nature and scope of the new employee’s role.
Security and Privacy Training: At least once per year, Plivo employees are required to complete security and privacy training that covers Plivo’s security policies, best practices, and privacy principles.
Product Security
- Intrinsic Defenses: Our platform incorporates defenses against the OWASP Top 10 web application vulnerabilities and the SANS Top 25 errors.
- Secure Communication: Our applications operate exclusively under HTTPS (TLS 1.2 or greater).
- Two-Factor Authentication (2FA): We offer 2FA to enhance user account security. Refer to Plivo Account Security Best Practices at the support page [https://support.plivo.com/hc/en-us/articles/360041827751-Plivo-Security-Best-Practices].
- Continuous Integration (CI): We use Jenkins for CI tooling. Each merged pull request undergoes rigorous tests and analysis.
- Unit Testing: Robust unit testing is conducted on all application components before release.
- System Updates: Our status pages (Plivo status [https://status.plivo.com/] and PlivoCX [https://status-cx.plivo.com/]) provide real-time updates.
Data Security
- Encryption: We use industry-standard encryption (AES-256) for all connections between our customers and our applications.
- Data Governance: Our commitment to data governance ensures secure and appropriate handling, storage, and processing of data.
Security by Design
- Proactive Security Measures: Security is embedded throughout our product lifecycle, ensuring that security is a foundational element from the outset.
Access Controls
- Identity and Access Management: Robust controls ensure that only authorized personnel can access sensitive information, with continuous monitoring and updates to adapt to emerging security challenges.
Password Controls
- Enhanced Authentication: Plivo offers 2FA to prevent unauthorized access even if a password is compromised.
Customized Security Features
- Tailored Security Options: Plivo offers customizable security features such as Message Redaction and Voice Recording Encryption, enabling customers to meet specific compliance and privacy needs.
Continuous Improvement and Innovation
- Regular Assessments: Security assessments, penetration testing, and audits are regularly conducted, with a bug bounty program to encourage security researchers to report potential issues.
Customer Support and Collaboration
- Shared Responsibility: Comprehensive documentation, support resources, and best practices help customers implement and maintain robust security measures.
Transparency and Accountability
- Security Updates: Plivo regularly publishes security updates, incident reports, and audit results to keep customers informed.
Technical Security Controls
- Logical Access Control: Infrastructure is designed to logically isolate customer data, with access restricted based on job function and role.
- Data Segregation: Multi-tenant architecture with logical separation ensures robust data segregation.
- Data Backup and Availability: Regular backups, together with an SLA guaranteeing 99.99% uptime for the API suite and 99.95% uptime for the CX suite, ensure data availability.
- Business Continuity Planning (BCP) and Disaster Recovery (DR): Comprehensive BCP and DR strategies minimize downtime and ensure service resilience.
- Penetration Testing: Regular penetration tests are conducted, with third-party entities performing application-level testing and a Bug Bounty Program in place.
- Encryption: End-to-end encryption using AES-256 for data in transit and at rest, with all API requests made using HTTPS/TLS.
- Monitoring and Alerting: 24/7 monitoring by SRE and SOC teams, with the use of AWS tools to ensure cloud resource integrity.
Physical Security
- Cloud Services: Plivo uses AWS for cloud storage and compute services, operating under a shared security responsibility model [https://aws.amazon.com/compliance/shared-responsibility-model/].
Corporate Security
- Internal Security Controls: Comprehensive controls, including VPN usage, password management, access control enforcement, access reviews, and Mobile Device Management (MDM) software.
Security Development Lifecycle
- Structured Process: A documented Software Development Life Cycle (SDLC) Standard ensures consistent and secure software development.
- Change Management: All changes are managed through a change and release management procedure, with rigorous quality assurance testing.
Incident Management
- 24/7 Response: A dedicated security team is available 24/7 to respond to security incidents, with established protocols and regular drills.
Data Breach Notification
As part of our security and data protection measures, Plivo has implemented processes to manage any suspected data breaches. In the event of a breach, we will notify you and any applicable regulator within 72 hours where we are legally required to do so.
If we learn of a security breach affecting your data, whether personal or non-personal, we will inform you to explain the potential impact and provide advice on how to protect yourself. Notifications will be sent through appropriate channels, including email or by posting a notice on our website. This notification will include details about the nature of the breach, its potential impact, and any recommended steps customers should take to mitigate risks.
You have the right to be notified about a data breach that may impact the integrity, availability, or confidentiality of your data.
Threat Modeling and Bug Bounty Program
- Risk Assessment: Threat modeling is used to assess risks in new features, with a public bug bounty program encouraging continuous security improvements.
Vendor Management
- Vendor Assessments: Internal assessments and evaluations of vendors ensure compliance with security standards.
Governance
- Security Policies: Regularly reviewed and updated based on industry best practices and regulatory requirements, overseen by an internal security committee.
- Certifications: Compliance with SOC 2 Type 2, HIPAA, PCI DSS, ISO 27001, and Data Privacy Framework certifications, among others.
- Legal Review: Collaboration with legal counsel ensures compliance with data privacy laws and regulations.
For further details on Plivo's security policies, certifications, and updates, please refer to the following resources:
- Plivo Privacy Policy [https://www.plivo.com/legal/privacy/]
- Plivo Terms of Service [https://www.plivo.com/legal/tos/]
- Plivo Acceptable Use Policy [https://www.plivo.com/aup/]
- Plivo Supplemental Terms for WhatsApp [https://www.plivo.com/supplemental-terms-for-whatsapp-business-solutions/]
- Plivo Subprocessors [https://www.plivo.com/subprocessors/]
- Plivo Security Page [https://www.plivo.com/security/]
- Plivo Status Page [https://status.plivo.com/]
- Plivo CX Status Page [https://status-cx.plivo.com/]
- Plivo Product Updates [https://www.plivo.com/changelog/]
- Plivo CX Product Updates [https://updates-cx.plivo.com/]
- Plivo Support Center [https://support.plivo.com/hc/en-us/]