Secure Cloud Communications

We employ security best practices and policies to ensure that our network is secured physically and virtually, and that our customers’ data and payment information are both private and secure. Our security architecture comprises five main components:
L

Physical security: State-of-the-art on-premises security for all of our distributed computing and storage networks worldwide.

L

Network security: All data entering and leaving Plivo is encrypted with TLS/HTTPS.

L

Application security: Encryption and authentication for secure and efficient access of Plivo’s APIs.

L

Data security and privacy: Backup encryption and account access limitations to mitigate risk and threats to our customer data.

L

Payment security: Use of leading industry transaction processing vendors to protect all transactions and payment information.

Data Security for Voice and SMS communications | Plivo

GDPR

Plivo systems are compliant with the data protection principles of the European Union’s General Data Protection Regulation.

SOC 2 Certified

Plivo is SOC 2 certified. Our SOC 3 report provides more details, including our Independent Service Auditor’s Report and Plivo Management’s Assertion.
READ REPORT

HIPAA/HITECH Compliant

Plivo is willing to sign a Business Associate Agreement for customers who handle protected health information (PHI) and have a signed contract with us. We’re audited annually by an independent auditor to demonstrate HIPAA compliance.

PCI DSS Compliant

Plivo is certified compliant with PCI DSS Level 1. We’re audited annually by an independent auditor to demonstrate PCI DSS compliance.

ISO 27001:2022 Certified

Plivo is certified to ISO/IEC 27001:2022, the premier standard for an Information Security Management System (ISMS). This certifies our commitment to the highest level of data security and privacy, ensuring trust and protection for our customers' sensitive information.

CSA STAR Level 1

Plivo has completed the CSA STAR Level 1 self-assessment, demonstrating transparency and adherence to cloud security controls as outlined in the CAIQ v4.
View Listing

How Plivo keeps your data secure and available

Businesses around the world rely on Plivo to keep their data secure. Here are the measures we take to
ensure physical, network, application, data, and payment security.

Physical on-premises security

All of our data centers and hosting partners are housed in state-of-the-art facilities with industry-standard access controls and physical security measures.
surveillance
24/7 surveillance
AWS provides dedicated 24/7 state-of-the-art electronic surveillance and physical security measures at all of our server locations, including foot patrols, security logs, and perimeter inspections.
personnel-authorization
Personnel authorization
Only authorized Plivo personnel are granted access credentials to our data centers. Every access is also logged and reviewed to ensure that our systems are not breached by internal threats.
security-logs
Security logs
All activity on our servers are logged, and we review historical reports for system change tracking, security analysis, and compliance auditing.
infrastructure-security-of-cloud
Infrastructure “Security of the Cloud”
Plivo uses cloud storage and compute services from Amazon Web Services (AWS). We do not own or maintain hardware located in the AWS data centers; we operate under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, edge locations, operating, managing and controlling the components from the host operating system, virtualization layer and storage) and Plivo is responsible for securing the application platform deployed in AWS (i.e. applications, identity access management, operating system and network virtual security groups configuration, network traffic, server-side encryption).

Infrastructure security and availability

We guarantee infrastructure security and 99.99% uptime by deploying the latest technology and best practices to keep our platform online and performing optimally.
annual-penetration-test
Annual penetration tests
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties, and any vulnerabilities found are fixed.
full-redundancy
Full redundancy
Redundant links reroute traffic over backup networks in less than two seconds in case of backbone failover. We employ multiple instances and redundant servers with active pairs that are automatically triggered in the event a failover is required.
hvac
HVAC and power stability
All of our facilities offer 100% power and HVAC functionality in any given month. Trained specialists monitor and maintain hardware components on-site at each of our six global points of presence.
optimized-load-balance
Optimized load balancing
We distribute workloads across multiple resources to optimize response times, maximize throughput, and avoid single points of failure.
carrier-redundancy
Carrier redundancy
We aim to connect to multiple carriers in each country. At a minimum, we connect to at least two local carriers in each country. If a carrier fails, our systems automatically load balance and divert traffic through other reliable carriers.
clustered-and-distributed
Clustered and distributed infrastructure
We use automated systems to deploy new code to clusters in real time to ensure smooth transitions between software updates with no downtime. All of our infrastructure and data is distributed across multiple AWS availability zones and will continue to work should any one of those data centers fail.
network-firewalls
Network firewalls
Defensive systems embedded at multiple points and layers across the infrastructure and server environment work to protect our systems from unauthorized, potentially harmful, malicious, and problematic traffic and input. These defensive systems are automated, monitored, and logged. Each system uses firewalls to restrict access to systems from external networks and between systems internally. To mitigate internal and external risk, access to systems is restricted to only the ports and protocols required for specific business needs.

Application security

Thousands of customer applications across the globe communicate securely with Plivo through our Voice and SMS APIs. We use three primary tools for application security and authentication.
multifactor-auth-mfa
Multifactor authentication (MFA)
To prevent unauthorized account access, each session requires the account username and a strong passphrase for access to each Plivo account. We also require phone number verification delivered through an SMS text message or a voice call to the user’s phone to activate new accounts.
authentication-i-ds-tokens
Authentication IDs and tokens
We employ unique Authentication IDs and Authentication tokens for every user to ensure that only authorized people have access to accounts. Organizations can renew token-based service authentication at any time by generating a new authentication token through the Plivo console.
tls-encryption
TLS encryption
All web session traffic between customer applications and Plivo is encrypted using TLS (transport layer security). The TLS protocol provides data encryption and authentication between your applications and our servers and prevents third parties from stealing information. All data entering or leaving Plivo infrastructure is encrypted with TLS/HTTPS.

Data security and privacy

Our APIs can log and record data so that our customers can assess platform behaviors. Because user data such as account information and call logs and recordings can be sensitive, we take precautions to mitigate risks and threats to it. We also offer customers with sensitive data a no-log option, where SMS messages and DTMF actions are not saved on our systems at any point.
customer-data-protection
Customer data protection
For customer data protection, Plivo provides logical tenant separation, encryption in transit (TLS 1.2 or greater) and encryption at rest (256-bit Advanced Encryption Standard (AES-256), one of the strongest encryption standards available for electronic data). All customer data is logically separated and not accessible to other tenants.
limited-data-access
Limited data access
Administrative access privileges within the production environment are restricted to authorized personnel. Internally, only Plivo employees who require customer data access as part of their job functions — such as customer support, development, and security teams — are permitted to access customer data. Plivo’s policies and procedures limit and log all external and internal access to customer data and request management approval prior to access.
backup-encryption
Backup encryption
We perform regular backups on all Plivo customer data hosted on AWS’s data center infrastructure, including account information, call logs, SMS logs, and call recordings. Backed-up customer data is retained redundantly across multiple availability zones. All backups are stored redundantly and are encrypted using AES-256.
mobile-device-management
Mobile device management (MDM)
All laptop devices issued to Plivo employees come with encrypted storage partitions and MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. In addition, we have the ability to remotely wipe a device in the event of it being lost or stolen.

Payment security

Payment security is a critical component for our customers. We use an industry-leading payment platform for all of our transactions.
payment-encryption
Payment encryption
To ensure that we deploy the highest security measures, we don’t store any credit card information on our servers. Instead, all credit card information is encrypted using AES-256 and handled by our payment platform provider.
pci-complaince
PCI compliance
Our payment platform provider is PCI DSS (Payment Card Industry Data Security Standard) compliant, which means that they’re validated and held to the same industry standards as all major credit cards, including Visa, Mastercard, and American Express.

Operational transparency

Plivo adheres to high operational standards and provides policies and practices for security audits, incident response, and privacy. Plivo’s network status and incident reports are publicly available in real time.
transparent-incident-response
Transparent incident response
As part of Plivo’s service-level agreements to all customers, we respond to priority 1 business-critical incidents around the clock, 365 days a year. We also monitor our infrastructure through two network operations centers (NOC) and security operations centers (SOC) and use third-party notification and alert systems to identify and manage threats.
privacy-policy
Privacy policy
All Plivo employees are bound by Plivo’s privacy policy.