Security Organization and Program
At SpectrumVoIP, we’re committed to securing the data and information transmitted through our services, allowing you to focus on more important things like supporting and growing your organization. Aside from the measures detailed in this information sheet, we also have dedicated teams that constantly monitor, develop, and implement new technology to ensure the security of your communications. As an enterprise-grade hosted-communications provider, SpectrumVoIP takes the security of your business communications seriously. SpectrumVoIP implements multiple security measures so you can rest easy knowing that your calls and data are secure.
All candidates must pass a stringent background check by a specialized third party before being offered a position. These checks include SSN trace, criminal county search (7-Year address history), multi-state instant criminal, National Sex Offenders Public Registry, OFAC, professional references, and education verification.
The SpectrumVoIP Security Team provides continuous communication on emerging threats, performs phishing awareness campaigns, and communicates with the company regularly.
Network engineers continuously perform numerous activities to ensure that our products are secure, including: internal security reviews before products are launched or feature updates are deployed; continuously running internal and external security tests; and regularly conducted threat models.
SpectrumVoIP has a formal change management process where all changes are tracked and are approved. A change is reviewed before being moved into a staging environment where it is further tested before finally being deployed to production.
ENCRYPTION IN TRANSIT
SpectrumVoIP supports TLS 1.0, 1.1 and 1.2 to encrypt network traffic between customer web browsers and SpectrumVoIP's Stratus Portal. SRTP/TLS encryption methods are available for voice traffic.
SpectrumVoIP secures your secrets using industry best practice methods to salt and repeatedly hash your credential before it is stored. Users can also add another layer of security to their account by using multi-factor authentication (MFA) for the Stratus Portal.
Cloud & Network Infrastructure Security
Direct access to infrastructure, networks, and data is minimized to the greatest extent possible. Where possible, control planes are used to manage services running in production, to reduce direct access to host infrastructure, networks, and data. Direct access to production resources is restricted to employees who require it, requires approval, and is controlled via ACL restricted to secure VPN tunnels.
SpectrumVoIP logs high-risk actions and changes in the production network. We leverage automation to identify any deviation from our technical standards and raise issues within minutes of the configuration change occurring.
Continuous Monitoring & Vulnerability Management
SpectrumVoIP approaches continuous monitoring through the development of proactive and detective capabilities. Through the ongoing awareness of vulnerabilities, incidents, and threats, SpectrumVoIP is poised to respond and mitigate accordingly.
SECURITY LOG RETENTION
Security logs are retained for 180 days, or longer in some cases.
Physical security is an important part of SpectrumVoIP's security strategy. We're committed to securing our facilities.
SpectrumVoIP leverages Tier III data centers for all production systems and customer data. These facilities are monitored 24/7 and certified SSAE 16 SOC 2 compliant. They are managed by highly trained, on-site engineering specialists, including experts in various aspects of security and regulatory compliance with privacy regulations such as the PCI DSS and US-EU Privacy Shield. Each data center is supported by redundant power and protected by an array of security equipment, techniques, and procedures to control, monitor, and record access to the facility.
FULL PERIMETER FENCING AND SECURED PARKING
All equipment areas are monitored and recorded using CCTV, and all access points are controlled. Every data center is staffed with security personnel on duty 24 hours a day. Dual-factor authentication (card and biometric) is used on exterior entry and all data center entrances. Access history is recorded for audit by customers. All employees also receive stringent background checks before gaining access to sensitive areas.
OFFICE LOCATION SECURITY
SpectrumVoIP has a security program that manages visitors, building entrances, CCTVs, and overall office security. All employees, contractors and visitors are required to wear identification badges which distinguish their respective roles.
Hosting our services at multiple data centers allows SpectrumVoIP to remain resilient even if one location goes down. Our Stratus platform can provide uninterrupted service in the event of most failure modes, including system failures or natural disasters.
CUSTOMER DATA BACKUPS
SpectrumVoIP performs regular backups of account information, call records, call recordings and other critical data using multi-site replication across our data centers and Amazon S3 cloud storage. All backups are encrypted in transit and at rest using strong encryption. Backup files to AWS S3 are stored redundantly across multiple availability zones and are encrypted.
If a customer is a Covered Entity or a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and it will use SpectrumVoIP's services to create, receive, transmit, or maintain PHI, the customer must request a Business Associate Agreement (BAA). In that situation, SpectrumVoIP will act as a Business Associate, and it will manage its HIPAA obligations accordingly. The SpectrumVoIP BAA further outlines the respective HIPAA obligations of both SpectrumVoIP and the customer. Please note that the customer is ultimately responsible for determining their organization’s overall compliance with HIPAA.
SpectrumVoIP’s cloud communications security.
Communication between SpectrumVoIP’s encryption-enabled endpoints—like a state-of-the-art handset from SpectrumVoIP and our web, mobile, and desktop applications—is secure. Communications that require connecting the call to the PSTN via a peer are not guaranteed to be secure because SpectrumVoIP has no control over other telecommunication providers' network security.