List of sub-processors
Amazon Web Services
Infrastructure as a Service
Storage as a Service
Database as a Service
Last updated: September 2021
Playvox uses standard best security practices to protect personal information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the personal information and the risks involved in its processing, as well as best practices in the industry for security and data protection.
Types of Data Shared and Stored on Playvox
Data that resides on the Playvox platform is typically restricted to operational statistics of employees or contracted personnel. As a practice and recommendation, sensitive data specific to customer information is not delivered to or stored on the Playvox platform. Furthermore, as a general practice, recorded customer interactions (voice, chat, email, tickets) are not stored on the Playvox platform. Customer interactions are obtained on demand via API endpoints from our customers’ CRM or telephony platforms (e.g., Zendesk, Talkdesk).
Use case 1: Agent Quality Evaluations based on review of customer interactions. Where sensitive customer information is shared in customer interactions such as email, chat, or recorded calls, those customer interactions remain on our third-party vendor platforms and are obtained on demand for review by quality analysts. The quality scorecard and the results of these quality evaluations are stored on Playvox and feedback is shared with agents on Playvox. As a best practice no sensitive customer/patient data is included in the quality evaluations.
Use case 2: Performance data is strictly employee-based data specific to performance metrics on which they are being managed. For example, average call handle time statistics for each agent.
Customers have access to any data generated on the Playvox site for export as csv/excel files to other systems for reporting and archiving purposes.Customer Service
Customer service interactions between agents and customers, recordings of phone, email, chat, or other interactions are not stored on the Playvox platform.
Employee Performance Data Upload to Playvox servers
In the case of agent-performance data, customers consolidate and upload employee-performance data from other platform sources such as data warehouses, CRM applications, telephony platforms. A consolidated data file is uploaded to a secure FTP site. This data upload can be manual or automated. The SFTP site is provided by Playvox. Upload of data is by the customer’s personnel and through the typical SFTP methodology.
Production data is stored encrypted and is only accessible within the production environment. File uploads are stored on secure object containers on a worldwide CDN and are not directly available over the internet.
Production data is regularly backed up. Backup procedures are documented and reviewed periodically. All backups are encrypted and only authorized individuals of Playvox have access to them. Verification procedures are in place to ensure integrity and they are recoverable.
Access to systems and protected information is restricted to authorized individuals using role-based access controls and the principle of least privilege. Infrastructure is operated by designated and trained system administrators, access to management dashboards and interfaces require multi-factor authentication. Customers can configure application level controls to set security and access settings.
We use industry-accepted encryption technologies to protect data in transit using encrypted connections such as TLSv1.2, for data at rest we use Amazon EBS Encrypted Volumes. Backup data is also encrypted. No production data is transmitted or stored unencrypted.
A set of approved security policies aligned with our business processes and the shared responsibility model are in place to provide the security baseline for employees and contractors.
Application and infrastructure changes are identified, tracked, documented, authorized, developed, tested and approved before they are implemented in production. CI/CD pipelines are used to guarantee the process is repeatable, auditable and secure. Updates to software, applications and program libraries are performed by designated and trained personnel on immutable hardened and security audited images. Once they are tested and approved new instances are provisioned with the updated images.
Playvox has a security incident response process in place to handle problems impacting our service and the prompt notification of impacted customers.
Security Awareness and Training
Playvox provides information security and data protection training to employees such as officers, engineers and support personnel. We also hold two annual security talks to all staff with the goal of making employees aware and engage in information security and best practices. Employees at all levels are aware of their roles and responsibilities to efficiently support the Information Security Program. Developers and engineers receive continuous training in Secure Code Development based on best industry-practice guidelines and OWASP guides for Secure Web Development. We also use a communication channel with the main purpose of sharing tips related to information security to our employees.
We apply secure design patterns and best programming and OWASP practices at every stage of application development using a SecDevOps approach. All code is developed in-house.
Separate environments are maintained for production, staging and development. Customer data is only available within Playvox’s production environment and is never used on a different environment or employee machines. Only authorized system administrators have access to the production environment. Test environments emulate the production environment as closely as possible.
Application servers can be accessed only via HTTPS over TLSv1.2. Logins are protected from brute force attacks. Passwords must be longer than 10 alphanumeric characters, containing both upper and lowercase letters and at least 1 number. Passwords are stored as salted one-way hashes.
Logging & Monitoring
Logs from systems and applications are collected, analyzed and audited. Monitoring services proactively check systems, computer and network components to ensure service availability and performance. Both logging and monitoring are used to identify security incidents and to prevent abuse.
Security testing is integrated in image creation and code deployment, continuous vulnerability assessments are performed against the web stack and the software libraries we use. A third-party penetration test is performed annually to identify and remediate detected vulnerabilities.
Authentication, Privileges and Roles
Playvox is a cloud-based service. Users log in through a web browser of their choice. Playvox supports standard practices for cloud-based applications to limit access through secured password name and login.
Named user license: Each user requires a unique login name. User names are created and uploaded only by system administrators.
Password protection by user: Each user creates a unique passcode in association with their username. Users can change pass codes. Complex password conventions are required.
Single Sign On (SSO): The platform can be configured to restrict login access through third-party applications such as Google Sign On, Salesforce Sign On, Zendesk Sign On, Okta, Onelogin, Azure AD and other Identity providers supporting SAML 2.0. Single sign-on allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Playvox instance.
Site level partitioning: As a cloud-based platform, multiple customer sites can be set up and configured as discrete, partitioned sites from other site or location teams.
User privileges: There are four levels of users – agent, team leader, quality analyst, system administrator. Each has access to a defined set of capabilities and features. Access privileges are set by system administrators.
Platform Configuration Options
At the discretion of customers, the platform and applications can be configured at the user level to restrict/assign access to information, features, and privileges. Specific options include but are not limited to the following:
IP restrictions: At the discretion of customers, access to the platform can be restricted by specific IP addresses.
User status: There is a complete set of user management tools for platform administrators to manage the status of users which determines access to the platform. Administrators can activate and inactivate users to accommodate seasonality of business and hiring.
Application Restrictions: In addition to user level restrictions, each application can be configured for user privileges.
The platform has the option for an administrator to configure who can receive notifications and announcements on the platform.
The platform has the option for an administrator to set privileges for several functions on the community wall.
All payments for Playvox’s service go through Chargebee. Details about Chargebee’s security and PCI compliance can be found here.
Contact Playvox security team at firstname.lastname@example.org
Playvox delivers and supports its services through cloud service provider, Amazon Web Services, that use widely accepted practices and infrastructure to secure customer data. Network services include a combination of dedicated servers and distributed resources.