Information Security

Uniphore is committed to excellence in protecting your data and builds security process and controls into all areas of the business.

 

Compliance Certifications

We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards.

ISO/IEC 27001:2013 

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touch point audits (surveillance audits).

Uniphore is ISO/IEC 27001:2013 certified and will be periodically audited by an independent certification body to confirm that Uniphore continues to meet the requirements of this standard. 

Payment Card Industry Data Security Standard (PCI DSS) 

The Payment Card Industry Data Security Standards (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment.  A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC).

Uniphore is a Level 1 PCI DSS Service Provider that engages an Independent Qualified Security Auditor (QSA) to perform an annual assessment of Uniphore’s control environment covering all 12 PCI DSS requirements for the design, implementation, and continuous improvement of controls for safeguarding cardholder data and sensitive information.

Uniphore has received our annual Certificate of Compliance (CoC) and an associated Attestation of Compliance (AoC) for Level 1 PCI certification and will be periodically audited by a Qualified Security Assessor (QSA) to assess whether the organisation conforms to the PCI DSS requirements.

SOC2 

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.

Uniphore is SOC2 TypeII certified.

 

Cloud Security

Data Center Physical Security

Facilities 

Uniphore hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS here: https://aws.amazon.com/compliance/

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at AWS here: https://aws.amazon.com/compliance/data-center/controls/

On-Site Security 

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.

Data Hosting Location 

Uniphore leverages AWS data centers in the United States and Europe. Customers can choose to locate their Service Data in the US-only or EEA

Infrastructure / Network Security

Dedicated Security Team 

Our globally distributed Security Team is on call 24/7 to respond to security alerts and events. 

Protection 

Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks. 

Architecture 

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust. 

Network Vulnerability Scanning 

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. 

Third-Party Penetration Tests 

In addition to our extensive internal scanning and testing program, each year, Uniphore employs third-party security experts to perform a broad penetration test across the Uniphore Production and Corporate Networks. 

Vulnerability and patch management 

Systems are scanned regularly for common vulnerabilities. Servers are patched on a regular schedule, with critical and high severity patches applied with the highest priority. 

Security Incident Event Management 

Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response. 

Intrusion Detection and Prevention 

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring. 

DDoS Mitigation 

Uniphore has architected a multi-layer approach to DDoS mitigation. A core technology AWS shield provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with our use of AWS DDoS specific services. 

Logical Access 

Access to the Uniphore Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Uniphore Production Network are required to use multiple factors of authentication. 

Security Incident Response 

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. 

Encryption

Encryption in Transit 

All communications with Uniphore UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Uniphore is secure during transit.

Encryption at Rest 

Service Data is encrypted at rest in AWS using AES-256 key encryption. 

Availability & Continuity

Redundancy 

Uniphore employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones. 

Disaster Recovery 

Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. 

 

Application Security

Secure development (SDLC)

Secure Code Training 

At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, andUniphore controls. 

Framework Security Controls 

Uniphore leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others. 

Quality Assurance 

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code. 

Separate Environments 

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments. 

Vulnerability Management

Dynamic Vulnerability Scanning 

We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues. 

Static Code Analysis 

The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling. 

Third-Party Penetration Testing 

In addition to our extensive internal scanning and testing program, Uniphore employs third-party security experts to perform detailed penetration tests on different applications within our products.

 

Corporate Security

Security Awareness Training 

All employees participate in annual Information security Awareness and are assessed periodically.

Information security policies & procedures 

Uniphore maintains a documented set of policies that regulate the use of information, including its receipt, transmission, processing, storage, controls, distribution, retrieval, access, and presentation. This includes the laws, regulations, and practices that regulate how Uniphore manages, protects, and disseminates confidential information.  In addition, Information Security policies are published and communicated to all employees and all Employees acknowledge their responsibilities in protecting customer data as a condition of employment. 

Risk Management

Uniphore performs Risk management through detailed methodology to identify information security risks, conduct risk assessment, risk evaluation and risk treatment of the identified risk.

Risk management process includes systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring, and reviewing risk.

Endpoint devices 

Endpoint devices are secured with hard drive encryption, endpoint detection and remediation (EDR) and advanced malware detection with central management and control.

All devices are managed via a central, cloud based Mobile Device Management (MDM) system. 

 

Physical Security 

Uniphore offices are secured by keycard access and 24/7/365 monitoring via video cameras and alarms.