Risk management and IT governance

Telavox has implemented appropriate risk management strategies to assess and mitigate security threats related to confidentiality, integrity, and availability. Key actions include:

• Conducting periodic reviews and risk assessments related to information systems, data processing, storage, and transmission.
• Maintaining a centralized IT policy covering guidelines for information security and cybersecurity topics.
• Conducting regular reporting and compliance assessments to keep senior management informed of security conditions.
• Implementing a framework for continuous monitoring and adaptation to evolving cybersecurity threats.
• Maintaining the Telavox Information Security Management System (ISMS) and ISO 27001 certification.

Data protection measures

Telavox has undertaken appropriate technical and organisational measures to ensure the security and confidentiality of Customer data, including:

• Pseudonymization and encryption of personal data.
• Measures to maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
• Systems for timely restoration of access to personal data following a physical or technical incident.
• Regular testing, assessing, and evaluating technical and organisational security measures.
• The Data Protection measures are aligned with the Telavox ISO 27001 certification, demonstrating adherence to internationally recognized best practices for ISMS.

Access control

To ensure strict control over data access, Telavox has established a defined access control policy covering:

4.1 Premises and Physical Security

• Limited and supervised access to secure physical locations.
• Security monitoring, including alarms, video surveillance, and/or physical monitoring.

4.2 Systems and Network Security

• Implementation of firewall protections and secure network architecture.
• Role-based access control (RBAC) for service and system access.
• Audit logging and monitoring for system integrity and service tracking.
• Encryption of physical storage drives to protect stored data.

4.3 Data Access and Authentication

• Prohibition of guest or anonymous accounts.
• Use of multi-factor authentication (MFA) for system and data access.
• Automated logging of user activity to track data interactions.
• Strong password policies and centralized authentication for system access.

User access rights shall be assigned based on need-to-know and least privilege principles, with defined processes for regular access review and revocations.

Data security and integrity

Telavox has ensured the security of stored and transmitted personal data by implementing:

• Encryption protocols for data in transit and at rest, using industry best practices.
• Protection of cryptographic keys within secure digital vaults.
• Maintenance of audit trails for all data access and modifications.
• Prevention of unauthorized data removal, alteration, or interception, using VPNs and private networks.
• Backup and disaster recovery mechanisms ensuring availability and restoration capabilities.

Any storage and processing of personal data must occur within EU/ECC member states, in compliance with GDPR. Any data transfer beyond these territories must be explicitly approved by the Controller.

Personnel security

Telavox has implemented measures to ensure that employees handling personal data meet strict security and confidentiality requirements, including:

• Background checks, including references and/or criminal record evaluations where necessary.
• Written confidentiality agreements and adherence to defined security policies.
• Mandatory training programs on data security and compliance.

Defined security roles, including a dedicated Data Protection Officer (DPO).

Operations security

Changes to infrastructure, business processes, and IT systems shall follow a formalized change management process, which includes:

• Testing and approval before deployment.
• Rollback procedures to mitigate potential failures.
• Documented incident response protocols for remediating technical or security incidents.
• Strict segregation of development, testing, and production environments.
• The change management and incident response processes are established and maintained within its ISO 27001 certified ISMS.

Data breach response

In the event of a data breach affecting personal data, Telavox will:

• Notify the Controller within 24 hours of breach detection.
• Provide continuous updates on incident resolution and remediation efforts.
• Report to regulatory authorities as legally required.
• Deliver a comprehensive breach report, detailing:
  • The nature and classification of the breach.
  • Timeline and scope of the data affected.
  • Impact analysis, including risks to impacted data subjects.
  • Corrective measures taken to mitigate breaches and prevent recurrence.
• The data breach response procedures are aligned with the Telavox ISO 27001 certified ISMS.

Customer's security responsibilities

Without prejudice to Telavox’s responsibilities under the agreement, the Customer is responsible for its own technical and organisational measures, including:

• Securing authentication credentials, devices, and accounts used to access Telavox’s services.
• Implementing additional security measures for any external storage of Customer Data.

Conducting their own security assessments and compliance reviews in coordination with Telavox.