PureCloud Security and Certifications
Delivering a quality solution while maintaining the confidentiality, integrity, availability, and privacy of sensitive data is critical to your business and ours.
PureCloud Platform and Services
PureCloud has completed a third-party Statement on Standards for Attestation Engagements (SSAE) 16 SOC 2 Type 1 examination. SSAE 16 conveys our commitment to the highest standards by providing PureCloud customers with assurance of security and privacy controls. A copy of our SSAE 16 attestation can be provided to customers upon request.
PureCloud has also achieved compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA).
The PureCloud platform achieved a PCI DSS assessment as a Level 2 Service Provider using version 3.2 of the PCI DSS standard. The Attestation of Compliance will be provided to customers under a non-disclosure agreement.
PureCloud is currently pursuing additional compliance standards.
Encryption at rest and in transit:
- PureCloud uses HTTPS and SSL to secure all connections to browsers, mobile apps, and other components bi-directionally with AES-256 encryption.
- PureCloud makes it easy to encrypt voice traffic with TLS (SIP signaling) and SRTP (IP voice).
- Call recordings are encrypted at rest and in transit over the public Internet.
- AWS S3 buckets for content management and other sensitive data stores provide encryption at rest.
- Extensive use of ephemeral storage for databases removes the potential for compromised data from stolen or lost hard drives.
- Backups are encrypted in transit and at rest.
Certifications and Memberships
Amazon Web Services (AWS)
The Interactive Intelligence PureCloud suite of products is built on Amazon Web Services (AWS). AWS brings an impressive security and compliance portfolio with their cloud service.
From the earliest designs of PureCloud in 2012, we have developed our services and communications architecture to enforce separation between data requests for different organisations. PureCloud APIs and internal microservices will not respond to a request, or return data, involving more than one organisation. The Organisation ID and Requester (user) ID are embedded into every secured request and are validated by the services on every call.
PureCloud Single Sign-On (SSO)
PureCloud has full authentication built in, or you can use one of the industry-standard single sign-on solutions your organisation already uses (such as Active Directory or Salesforce) to simplify access.
With SSO enabled, users log in the first time through the identity provider, using the same credentials they use to log in to the network and other applications. After that initial sign-in under the single account, they can just click the identity provider link to log in.
PureCloud supports SSO with:
PureCloud Edge Telephony Appliance Product Compliance
The Edge is our on-site appliance that connects to local phone networks and external phone systems (PSTNs). It also provides security for voice data and voice recordings.
- Outbound Protocol HTTPS/SSL
- Supports Transport Layer Security (TLS) SIP signaling protocol
- Encrypted recordings (AES-256 disk-level encryption)
- SNMPv3 for user authentication and encrypted communications
- Encrypted customer data (AES-256 disk-level encryption)
- All communications between PureCloud Edge and the PureCloud service are encrypted and secure through TLS with mutual authentication
- PureCloud Edge Voice calls are, by default, encrypted through the SRTP (IP voice) protocol
- PureCloud Edge SIP signaling, by default, is protected through the TLS protocol
- Dynamic transcription of VoIP communications when different encryptions are used by both parties
- Safety Standards – UL 60950-1; FCC 47 CFR Part 15 Class B; EN 300 386, EN 55022, EN 55024
PureCloud is developed using ISO/IEC process standards.
ISO/IEC 27001:2013 Information Security Management System (ISMS) – The ISO/IEC 27001 standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) designed to ensure the confidentiality, integrity, and availability of sensitive customer and corporate information.
We have maintained registration to this standard since August 2013.
ISO/IEC 9001:2008 Quality Management System (QMS) – The ISO/IEC 9001 standard specifies the requirements for establishing, implementing, maintaining, and continually improving a Quality Management System (QMS) designed to ensure that our products and services are consistently delivered to meet customer, employee and other stakeholder requirements.
We have maintained registration to this standard since December 2004.
EU/Swiss Safe Harbor
PureCloud self-certifies to the EU/Swiss Safe Harbor privacy framework designed to ensure the protection and appropriate handling of personal information that may be transferred to the United States from the European Union or Switzerland. Information regarding our self-certification can be found on the export.gov site.
A message to our customers about EU – US Safe Harbor
On Tuesday, October 6th, 2015, the Court of Justice of the European Union ruled that a 15-year-old Privacy Framework (EU-US Safe Harbor) was invalid. As background, the Data Protection Directive (“Directive 95/46”) provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Safe Harbor was that agreement with the U.S. that, among other things, provided a framework for how companies like Interactive could securely transfer data from the European Union to the United States.
We still hold our EU-US Safe Harbor certification and follow the principles of the Safe Harbor Privacy Framework. However, in view of the above ruling, some of our European customers may wonder if they will be able to transfer data from the European Union to the United States. At this time, we expect that the Article 29 Data Protection Working Group tasked with implementing Directive 95/46 will issue guidance on how companies like Interactive can transfer customer data outside of Europe.
We have been tracking developments regarding EU Privacy for some time so this ruling was anticipated. We have been pursuing various safeguards outside the context of our EU-US Safe Harbor certification to increase protections for all of our customers. We, like many other global companies, have implemented rigorous safeguards and an annual audit cycle of these safeguards to protect customer data processed within our technology and related services.
- Our processes and services are audited annually for compliance with the following international standards: ISO 27001:2013, ISO 9001:2008 and SSAE 16/ISAE 3402 SOC 2.
- Also, recognising that many organisations would require data to be kept in region, we have deployed our cloud services in data centres in several countries and regions, including the United Kingdom and Germany.
We are committed to maintaining the highest levels of security and privacy of the customer data entrusted to us. We will continue to monitor this matter and we will let you know what additional steps we may eventually need to take in response to this recent ruling.