Description of Technical and Organizational Measures

Last Updated: December 6th, 2024

Security Organization, Risk Analysis and Risk Management

TitanVox has a professional information security organization, headed by a Chief Information Security Officer, that works to provide robust information security controls for TitanVox products and environments. TitanVox performs annual assessments of the compliance of TitanVox security controls with current certifications and industry standard controls. For further, and more explicit, details on the Security Organization, Risk Analysis, or Risk Management programs at TitanVox, please refer to www.titan-vox.com/trust-center.

Workforce Clearing, Training and Sanctions

All TitanVox personnel are subject to background checks before access to restricted data is permitted. All personnel receive regular security training. TitanVox has adopted policies and procedures to apply workforce sanctions to employees who fail to comply with TitanVox security policies and procedures.

Physical Controls

TitanVox Data Centers - All TitanVox facilities are protected by physical security controls including perimeter controls, electronic access systems, locks and cameras. TitanVox stores all production data in Azure Cloud Data Centers.

Cloud Data Center - Microsoft Azure runs in data centers managed and operated by Microsoft. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff. The operations staff has years of experience in delivering the world’s largest online services with 24 x 7 continuity. For additional information, please refer to https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility.

Access

TitanVox has located all equipment that stores Personal Data in controlled access areas. TitanVox will only allow employees and contingent workers with a business purpose to have access to such controlled areas.

Access Points

TitanVox’s externally-facing web servers and third-party access points are configured securely, including (but not limited to) implementing a properly constructed dedicated firewall, requiring a virus check before granting access to any third-party network, and disabling or removing routing processes to minimize access.

Business Continuity, Disaster Recovery

TitanVox has implemented and documented appropriate business continuity and disaster recovery plans to enable it to continue or resume providing Services in a timely manner after a disruptive event. TitanVox regularly tests and monitors the effectiveness of its business continuity and disaster recovery plans.

Network Security

TitanVox has implemented appropriate supplementary measures to protect Personal Data against the specific risks presented by the Services. All data is protected by encryption in transit over open, public networks. Data at rest is protected either by encryption or compensating security controls, which include pseudonymization, segmented networks, tiered architecture, firewalls with intrusion protection and anti-malware protections, and limiting of port access. Personal Data is only retained for the duration required for regulatory purposes, unless otherwise outlined by the Services.

Portable Devices

TitanVox does not store Personal Data on any portable computer devices or media (including, without limitation, laptop computers, removable hard disks, USB or flash drives, personal digital assistants (PDAs) or mobile phones, DVDs, CDs or computer tapes) unless it is encrypted with a minimum of 128-bit, or such higher bit encryption in accordance with then-current industry best practice. TitanVox endpoints are provisioned with a default configuration, enforced at the organizational level.

Monitoring

TitanVox takes appropriate steps to monitor the security of Personal Data and (if appropriate) to identify patterns of suspect activity. TitanVox designs applications and services to suppress sensitive data being stored by TitanVox. For every identified hosted change, security and QA teams review the data mapping requirements to validate the intended fields continue to be suppressed. TitanVox also monitors security logging events which include log-on violations or attempts. Data retained from logs includes, but is not limited to, timestamp, hostname, and username for accountability.

Data Subject Requests

TitanVox implements a documented process for assisting Company in responding to Data Subject Requests.

Governmental Requests

TitanVox will not disclose or provide access to Personal Data being Processed under this DPA to law enforcement, unless required to by law, and only upon service of a legally‑binding request or order from a governmental authority.

If compelled to disclose or provide access to any Company Data to law enforcement, TitanVox will promptly notify the Company and provide a copy of the demand unless legally prohibited from doing so.

Physical Controls

Facilities hosting information systems must have appropriate security controls including but not limited to access controls, security officers and cameras. Managed facilities must implement adequate environmental safeguards to ensure availability and protection against damage. The physical and environmental safeguards are evaluated, implemented and maintained regularly.

Access

A unique user identifier shall be created for each worker upon validation of the completion of the employment screening process. Password controls follow industry standards. Privileged access is allocated on a “need to know” basis and the access is commensurate with the user’s position and duties. Access to networks, network services, and sensitive information must use multi‑factor authentication. Access is logged and monitored for unauthorized usage or malicious intent. Access is reviewed for appropriateness to role and for terminations.

Network Security

TitanVox ensures correct and secure operations of all of the organization’s assets.

Hardware, operating system, database and applications must be actively supported by the vendor and receive regular security updates and maintenance.
Information systems must have protection from malicious code with anti‑virus and anti‑malware with automatic updates.
Industry‑standard processes for Release, Change, Incident, and Problem management must be documented and implemented.
Information assets must have auditing enabled and retained for a minimum of 1 year. Auditing logs should be protected from unauthorized access and monitored on a regular basis.

Compliance

TitanVox ensures at all times its compliance with regulatory, statutory, contractual, and security requirements by:

Maintaining policies and procedures to ensure compliance of systems with regulations and standards.
Complying with any regulatory or security standards requirements where applicable (SOX, PCI‑DSS, GDPR, etc.).
Conducting periodic reviews and audits of information processing systems for compliance with information security policies and standards.

Asset Management

TitanVox ensures it has the security infrastructure to protect all of its organizational assets by doing the following:

Maintaining an inventory of assets with information and processing facilities. Ownership of each asset is identified with rules of acceptable use.
Following information classification policies with appropriate controls based on risk levels.
Disposing of data in a secure, protected way to ensure the inability to recover such data.

Information Systems Development and Maintenance

TitanVox controls access to assets based on business and security requirements.

Project documentation for new information systems or significant enhancements includes security requirements and controls as part of the functional requirements.
Developers include secure code testing as part of the Software Development Life Cycle (SDLC) with review of the code.
Input data processed is validated for correctness and security of data.
The authenticity of messages or transactional data is ensured through digital signatures and the integrity of the data is protected through the use of industry standard encryption.

Information Security Incident Management

TitanVox has the ability to recover from an information security incident and has measures in place to ensure its ability to do so is maintained at all times:

Employees report incidents and follow an incident management process.
The incident management process includes identification, classification, impact analysis and an escalation process.
A post-mortem is always performed and includes follow‑ups to track the correction and correct implementation of fixes to the root cause problems identified in the incident management process.