Why Enterprises Trust Our Security
The Spoken platform is designed from the outset to operate with heightened security in a multitenant cloud.
Our safeguards come baked in, not added on. Encryption of all communications regardless of channel, covering
data both in motion and at rest, full PCI and HIPAA compliance, two-factor authentication and secure desktop technology
are just a few of the many security measures you get with our platform.
- Physical infrastructure. Data center operations consist of a strong physical infrastructure, including secure facilities, located in major metropolitan areas, featuring N+1 redundancy for both power and cooling, along with fire protection and system monitoring.
- Facility standards. We enforce facility and environmental standards that ensure maximum uptime through redundancy and environmental safeguards designed to prevent outages in the event of mechanical or electrical failures.
- Production network. Our production network is protected by multiple firewalls and a security information and event management (SIEM) system that supports the network security architecture design. As part of the high-security standard, each server host runs a host-based intrusion detection (HIDS) agent. By monitoring and reporting on system configuration and application activity, the agents enable Spoken to detect and respond to malicious or anomalous activity on the host system.
The core security focus is the application code and the customer data that resides within the system, especially PII (Personally Identifiable Information, such as addresses and Social Security numbers) and payment data. Spoken uses TLS (HTTPS) for all data in transit to and from the application production network.
All sensitive data at rest is encrypted with AES-256. Application development aligns with industry standards such as OWASP, and Spoken works to ensure that applications are developed and tested free of high-risk vulnerabilities.
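The page says only "AES-256"; the detail a practitioner cares about is the mode, because AES-256 in an unauthenticated mode lets an attacker who can write to the datastore modify ciphertext undetected. The block below is an added illustration, not Spoken's code: it encrypts a single PII field with AES-256-GCM, generates a fresh random nonce per record, binds the field name as additional authenticated data (so a ciphertext stored in the `ssn` column cannot be moved into the `address` column), and refuses keys of the wrong length. The function names, the fixed demo key and the sample values are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyLen is 32 bytes: anything shorter would silently select AES-128 or AES-192,
// so the helpers reject it rather than let "AES-256" become a misstatement.
const keyLen = 32

// EncryptField (hypothetical name) seals one field value with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// The column name is passed as AAD so the ciphertext is bound to its field.
func EncryptField(key []byte, field string, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // never reuse a nonce under one key
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(field))
	return append(nonce, ct...), nil
}

// DecryptField (hypothetical name) reverses EncryptField. Any bit flip in the
// nonce, ciphertext or tag, or a mismatched field name, fails authentication.
func DecryptField(key []byte, field string, blob []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(field))
}

func main() {
	// Constructed demo key; a real deployment would load it from a KMS/HSM.
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = byte(i)
	}
	blob, err := EncryptField(key, "ssn", []byte("123-45-6789")) // constructed sample value
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(key, "ssn", blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	// Moving the ciphertext to another column is detected by the AAD check.
	_, err = DecryptField(key, "address", blob)
	fmt.Println("wrong column:", err)

	// Flipping one ciphertext bit is detected by the GCM tag.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptField(key, "ssn", blob)
	fmt.Println("tampered:", err)
}
```

The check a reviewer would apply to any "AES-256" claim is exactly what the tamper and wrong-column cases exercise: if the decrypt path returns garbage instead of an error, the system has confidentiality but not integrity, and a database write is enough to corrupt PII undetected.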
Spoken Communications regularly scans its internal and external network using a scan appliance and network testing services.
- Review and testing. We review and test all systems for security vulnerabilities before we roll them out. Newly identified vulnerabilities trigger an investigation and tracking for remediation.
- Code inspection. We scrupulously inspect platform and application code for common application vulnerabilities ranging from SQL injection and cross-site scripting to Denial of Service (DoS) susceptibility for web application services.
- Third-party testing. We also employ third parties to independently test and monitor our solutions for compliance. Third parties also conduct penetration testing on an annual basis.
- Risk assessments. Our security architecture requires that we conduct risk assessments to identify risks that may adversely affect our customers’ data and businesses. We prioritize high-risk issues to resolve them in a time frame appropriate for the level of risk they represent.
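The code-inspection item above names cross-site scripting as one of the defects reviewers look for. As an added example (not Spoken's code), the block below shows the pattern a reviewer flags and its fix in Go's standard library: `text/template` substitutes user-controlled values verbatim into HTML, while `html/template` escapes each value according to the context it lands in (text node, attribute, URL). The template, the function names and the attacker-controlled inputs are constructed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// page is a constructed profile fragment with two interpolation points:
// a text node and an href attribute (a URL context).
const page = `<p>Hello, {{.Name}}</p><a href="{{.Link}}">profile</a>`

// RenderUnsafe (hypothetical name) is the 'before' a reviewer rejects:
// text/template performs no HTML escaping, so .Name and .Link reach the
// browser exactly as the user supplied them.
func RenderUnsafe(name, link string) string {
	t := texttemplate.Must(texttemplate.New("p").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name, "Link": link}); err != nil {
		return ""
	}
	return buf.String()
}

// RenderSafe (hypothetical name) is the fix: html/template parses the markup
// and chooses the escaper per context. In the text node '<' becomes '&lt;';
// in the href it also rejects non-http(s)/mailto schemes, replacing the
// value with the sentinel "#ZgotmplZ" instead of emitting a javascript: URL.
func RenderSafe(name, link string) string {
	t := htmltemplate.Must(htmltemplate.New("p").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name, "Link": link}); err != nil {
		return ""
	}
	return buf.String()
}

func main() {
	// Constructed attacker inputs: a script tag in the name, a javascript: URL in the link.
	name := "<script>alert(1)</script>"
	link := "javascript:alert(1)"
	fmt.Println("unsafe:", RenderUnsafe(name, link))
	fmt.Println("safe:  ", RenderSafe(name, link))
}
```

Seeing `#ZgotmplZ` in rendered output is itself a useful signal during testing: it means user data reached a URL or CSS context that the auto-escaper had to neutralise, which is worth a second look at where that value came from.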
We comply with a broad range of industry security and privacy standards.
- PCI-DSS. The Payment Card Industry Data Security Standard (PCI-DSS) has 12 main requirements, which in turn are supported by close to 300 detailed and very specific requirements. We comply with all of them. And we continue to evaluate and maintain PCI compliance on an annual basis.
- Additional controls. We also employ a broad range of standard and advanced controls in addition to PCI-DSS, including:
- Organization and Administration
- Physical Access Controls
- Logical Access Controls
- System Availability and Performance
- Infrastructure Systems Development
- Application Software Development
- Customer Implementation and Setup
- Data Classification, Integration, and Exchange
- System Backup and Recovery
- HIPAA. We also comply with the Health Insurance Portability and Accountability Act (HIPAA). As with the annual PCI audit, we contract with a third party to audit our HIPAA compliance on an annual basis.