Security Certifications and Trust
Deliberately Innovative – Deliberately Secure
Interactive Intelligence Group Inc. (Nasdaq: ININ) is a global provider of contact center, unified communications, and business process automation software and services designed to improve the customer experience. Our solutions, which can be deployed via the cloud or on-premises, are ideal for industries such as financial services, insurance, outsourcers, collections and utilities.
We understand that delivering a quality solution while maintaining the confidentiality, integrity, availability, and privacy, of sensitive data is critical to your business and ours. Therefore, we have established and maintain the following programs to meet these important needs:
ISO/IEC 27001:2013 Information Security Management System (ISMS) –
The ISO/IEC 27001 standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) designed to ensure the confidentiality, integrity, and availability of sensitive customer and corporate information. Interactive Intelligence has maintained registration to this standard since August 2013.
ISO/IEC 9001:2008 Quality Management System (QMS) –
The ISO/IEC 9001 standard specifies the requirements for establishing, implementing, maintaining, and continually improving a Quality Management System (QMS) designed to ensure that our products and services are consistently delivered to meet customer, employee and other stakeholder requirements. Interactive Intelligence has maintained registration to this standard since December 2004.
Interactive Intelligence self-certifies to the EU/Swiss Safe Harbor privacy framework designed to ensure the protection and appropriate handling of personal information that may be transferred to the United States from the European Union or Switzerland. Information regarding our self-certification can be found on the export.gov site.
A message to our customers about EU – US Safe Harbor
On Tuesday, October 6th, 2015, the Court of Justice of the European Union ruled that a 15-year-old Privacy Framework (EU-US Safe Harbor) was invalid. As background, the Data Protection Directive ("Directive 95/46") provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Safe Harbor was that agreement with the U.S. that, among other things, provided a framework for how companies like Interactive could securely transfer data from the European Union to the United States.
We still hold our EU-US Safe Harbor certification and follow the principles of the Safe Harbor Privacy Framework. However, in view of the above ruling, some of our European customers may wonder if they will be able to transfer data from the European Union to the United States. At this time, we expect that the Article 29 Data Protection Working Group tasked with implementing Directive 95/46 will issue guidance on how companies like Interactive can transfer customer data outside of Europe.
We have been tracking developments regarding EU Privacy for some time so this ruling was anticipated. We have been pursuing various safeguards outside the context of our EU-US Safe Harbor certification to increase protections for all of our customers. We, like many other global companies, have implemented rigorous safeguards and an annual audit cycle of these safeguards to protect customer data processed within our technology and related services.
Our processes and services are audited annually for compliance with the following International standards: ISO27001:2013, ISO9001:2008 and SSAE16/ISAE3402 SOC2. Also, in recognizing that many organizations would require data to be kept in region, we have deployed our cloud services in data centers in several countries and regions, including the United Kingdom and Germany. We are committed to maintaining the highest levels of security and privacy of the customer data entrusted to us. We will continue to monitor this matter and we will let you know what additional steps we may eventually need to take in response to this recent ruling.
As a publicly traded organization, our technical and administrative controls for ensuring the accuracy and integrity of our public financial reports and fraud prevention controls are independently reviewed on an annual basis. Results of this audit are included in our annual report which is available on our Investor Relations site. Click here.
PureCloud Platform and Services
The Interactive Intelligence PureCloud suite of products is built on Amazon Web Services (AWS). AWS brings an impressive security and compliance portfolio with their cloud service. PureCloud has completed a third-party Statement on Standards for Attestation Engagements (SSAE) 16 SOC 2 Type II examination. SSAE 16 conveys our commitment to the highest standards by providing PureCloud customers with assurance of security and privacy controls. A copy of our SSAE16 Attestation can be provided to customers upon request.
PureCloud is currently pursuing additional compliance standards including the Health Insurance Portability and Accounting Act (HIPAA) & Payment Card Industry (PCI) Data Security Standard 3.1 for Service Providers.
Encryption at rest and in transit
- PureCloud uses HTTPS and SSL to secure all connections to browsers, mobile apps, and other components bi-directionally with AES-256 encryption.
- PureCloud makes it easy to encrypt voice traffic with TLS (SIP signaling) and SRTP (IP voice).
- Call recordings are encrypted at rest and in transit over public Internet.
- AWS S3 buckets for content management and other sensitive data stores provide encryption at rest.
- Extensive use of ephemeral storage for databases removes the potential for compromised data from stolen or lost hard drives.
- Backups are encrypted in transit and at rest.
PureCloud Resource Center
Communications as a Service (CaaS) Cloud Services – SSAE16, ISAE, PCI, & HIPAA
Statement on Standards for Attestation Engagements (SSAE16) No. 16 and International Standards for Assurance Engagements (ISAE) No. 3402 –
Our CaaS Cloud Services organization controls are reviewed annually and an SSAE16/ISAE3402 SOC2 Type II auditors’ attestation report is created. SSAE16, which replaced the former SAS70 in January 2010 as the authoritative guidance for reporting on the design and effectiveness of a Service Organizations’ controls. ISAE 3402 was developed to provide an international assurance standard for allowing Service Organizations to provide a report for use by user organizations and their auditors on the design and effectiveness of controls at a service organization. The SSAE16/ISAE3402 Service Organization Controls 2 (SOC 2) report is performed in accordance with the attestation standard, AT 101, and is based upon the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report evaluates the design and effectiveness of controls over a period of time.
Our current SSAE16 SOC2 Type II report describing the controls for our global CaaS Cloud Services offering is available upon request and requires the execution of a non-disclosure agreement. Please contact your local Sales Representative for additional information.
Payment Card Industry Data Security Standard (PCI DSS) –
Customers who are concerned with the transmission, processing, or storage of credit card data may choose to be deployed into a PCI DSS compliant environment within our CaaS Data Centers within the United States and Europe (Slough/Frankfurt). A copy of our current PCI DSS Attestation of Compliance (AoC) report for these two environments is available upon request and requires the execution of a non-disclosure agreement. PCI compliant services for CaaS Cloud Services in other regions (Canada, Australia, Japan) may be available utilizing a third-party partner, however, certain restrictions apply. Please contact your Sales Representative for additional information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
is a set of regulations designed to ensure the proper handling of Protected Health Information (PHI) that health care related organizations in the United States are required to follow. A HIPAA compliance assessment of our CaaS Cloud Services environment is performed by an external vendor on an annual basis. An executive summary of the report is available upon request and requires the execution of a non-disclosure agreement. Please contact your Sales Representative for additional information.
Customer Interaction Center Product Compliance
The Customer Interaction Center® (CIC) versions 3.0 and 4.0 have been reviewed and certified by the Joint Interoperability Testing Command (JITC), which ensures compliance with information assurance and interoperability requirements for the U.S. Department of Defense Private Branch Exchange 2 classification. With this level of security built in, you can be assured that our products can be configured and deployed so that you can achieve and maintain compliance with whatever industry regulations or standards that apply to your organization.
Certifications and Memberships
We self-certify compliance with Safe Harbor Export
Edge Telephony Appliance Product Compliance
- Outbound Protocol HTTPS/SSL
- Supports Transport Layer Security (TLS) SIP signaling protocol
- Encrypted recordings (AES256 disk level encryption)
- SNMPv3 for user authentication and encrypted communications
- Encrypted customer data (AES256 disk level encryption)
- All communications between PureCloud Edge and the PureCloud service are encrypted and secure through TLS with mutual authentication
- PureCloud Edge Voice calls are, by default, encrypted through the SRTP (IP voice) protocol
- PureCloud Edge SIP signaling, by default, is protected through the TLS protocol
- Dynamic transcription of VoIP communications when different encryptions are used by both parties
- Safety Standards - UL60950-1; FCC 47 CFR part 15 Class B EN300 386, EN 55022, EN 55024