Security and Compliance
A contact center solution that’s obsessively secure
PureCloud delivers a quality solution while maintaining the confidentiality, integrity, availability and privacy of sensitive data that’s critical to your business and ours.
After achieving compliance with SSAE 16, HIPAA and PCI DSS, PureCloud is pursuing compliance with additional security standards.
SSAE 16 Compliance
PureCloud has completed a third-party Statement on Standards for Attestation Engagements (SSAE) 16/ISAE 3402 SOC 2 Type II examination. SSAE 16 conveys our commitment to the highest standards by providing you with assurance of our security and privacy controls. A copy of our SSAE 16 attestation can be provided upon request.
About SSAE 16
SSAE 16 is an improvement on the former standard for Reporting on Controls at a Service Organization, SAS 70, with changes designed to bring companies in the U.S. up to date with new international service organization regulations. SSAE 16 introduces new reporting requirements for service organizations while also illustrating the adoption and convergence of accounting standards between the U.S.-based framework and the globally accepted principle (ISAE 3402) for reporting on controls at service organizations.
Encryption at rest and in transit
- PureCloud uses HTTPS and TLS to secure all connections to browsers, mobile apps, and other components bi-directionally with AES-256 encryption.
- PureCloud makes it easy to encrypt voice traffic with TLS (SIP signaling) and SRTP (IP voice).
- Call recordings are encrypted at rest and in transit over public Internet.
- AWS S3 buckets for content management and other sensitive data stores provide encryption at rest.
- Extensive use of ephemeral storage for databases removes the risk of data being compromised through stolen or lost hard drives.
- Backups are encrypted in transit and at rest.
PureCloud has also achieved compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), with third-party verification of that compliance.
The PureCloud platform achieved a PCI DSS assessment as a Level 1 Service Provider using version 3.2 of the PCI DSS standard. The Attestation of Compliance will be provided to customers under a non-disclosure agreement.
From the earliest designs of PureCloud in 2012 we have developed our services and communications architecture to enforce separation between data requests for different organizations. PureCloud APIs and internal microservices will not respond to a request, or return data, that spans more than one organization. The organization ID and the requester (user) ID are embedded in every secured request and are validated by the services on every call.
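The per-request check described above, as an added illustration in Python that is not PureCloud's code: the organization ID and requester ID carried by a request are validated against each other, and any request whose data would span more than one organization is refused as a whole rather than partially answered. The user directory and record store are constructed sample data.

```python
from dataclasses import dataclass


class TenantViolation(Exception):
    """Raised when a request would cross an organization boundary."""


@dataclass(frozen=True)
class RequestContext:
    org_id: str        # organization the caller's credential was issued for
    requester_id: str  # user making the call


# Constructed sample directory: which users belong to which organization.
USER_ORG = {"u-1": "org-A", "u-2": "org-A", "u-3": "org-B"}

# Constructed sample store: every record is tagged with its owning organization.
RECORDINGS = {
    "rec-1": {"org_id": "org-A", "bytes": 1024},
    "rec-2": {"org_id": "org-B", "bytes": 2048},
}


def validate_context(ctx: RequestContext) -> None:
    """Reject requests whose requester is not a member of the claimed organization."""
    if USER_ORG.get(ctx.requester_id) != ctx.org_id:
        raise TenantViolation(f"requester {ctx.requester_id} is not in {ctx.org_id}")


def fetch_recordings(ctx: RequestContext, recording_ids: list) -> dict:
    """Return the requested records only if every one belongs to ctx.org_id."""
    validate_context(ctx)
    result = {}
    for rid in recording_ids:
        rec = RECORDINGS.get(rid)
        # A missing record and a record owned by another organization are
        # reported identically, so a caller cannot probe for ids outside its
        # own organization. One foreign id fails the whole request (fail closed).
        if rec is None or rec["org_id"] != ctx.org_id:
            raise TenantViolation(f"{rid} not found in {ctx.org_id}")
        result[rid] = rec
    return result


def is_allowed(ctx: RequestContext, recording_ids: list) -> bool:
    """Convenience wrapper: True if the request would be served, False if refused."""
    try:
        fetch_recordings(ctx, recording_ids)
        return True
    except TenantViolation:
        return False
```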
Single sign-on (SSO)
PureCloud has full authentication built in, or you can use one of the industry-standard single sign-on solutions your organization already uses (such as Active Directory or Salesforce) to simplify access.
With SSO enabled, users log in the first time with their identity provider credentials, the same credentials they use to log in to the network and other applications. After that initial sign-in under the single account, they can simply click the identity provider link to log in.
PureCloud Edge telephony appliance product compliance
The Edge is our on-site appliance that connects to local phone networks and the public switched telephone network (PSTN). It also provides security for voice data and voice recordings.
PureCloud is developed using ISO/IEC process standards.
EU-U.S. Privacy Shield
EU General Data Protection Regulation (GDPR)
We understand our customers will be affected by the GDPR and we are actively taking steps to make it easier for our customers to be compliant with all terms of the GDPR.