Secure Cloud Communications

We employ security best practices and policies to ensure that our network is secured physically and virtually, and that our customers’ data and payment information are both private and secure. Our security architecture comprises five main components:

Physical security: State-of-the-art on-premises security for all of our distributed computing and storage networks worldwide.

Network security: All data entering and leaving Sellular is encrypted with TLS/HTTPS.

Application security: Encryption and authentication for secure and efficient access of Sellular’s APIs.

Data security and privacy: Backup encryption and account access limitations to mitigate risk and threats to our customer data.

Payment security: Use of leading industry transaction processing vendors to protect all transactions and payment information.

SOC 2 Certified

Contacto is SOC 2 certified. Our SOC 3 report provides more details, including our Independent Service Auditor’s Report and Contacto Management’s Assertion.

Read Report

HIPAA/HITECH Compliant

Contacto is willing to sign a Business Associate Agreement for customers who handle protected health information (PHI) and have a signed contract with us. We’re audited annually by an independent auditor to demonstrate HIPAA compliance.

PCI DSS Compliant

Contacto is certified compliant with PCI DSS Level 1. We’re audited annually by an independent auditor to demonstrate PCI DSS compliance.

ISO 27001:2022 Certified

Contacto is certified to ISO/IEC 27001:2022, the premier standard for an Information Security Management System (ISMS). This certifies our commitment to the highest level of data security and privacy, ensuring trust and protection for our customers' sensitive information.

How Contacto keeps your data secure and available

Businesses around the world rely on Contacto to keep their data secure. Here are the measures we take to ensure physical, network, application, data, and payment security.

Physical on-premises security

Learn More

Infrastructure security and availability

Learn More

Application
security

Learn More

Data security and privacy

Learn More

Payment
security

Learn More

Operational transparency

Learn More

Physical on-premises security

All of our data centers and hosting partners are housed in state-of-the-art facilities with industry-standard access controls and physical security measures.

24/7 surveillance

AWS provides dedicated 24/7 state-of-the-art electronic surveillance and physical security measures at all of our server locations, including foot patrols, security logs, and perimeter inspections.

Personnel authorization

Only authorized Contacto personnel are granted access credentials to our data centers. Every access is also logged and reviewed to ensure that our systems are not breached by internal threats.

Security logs

All activity on our servers are logged, and we review historical reports for system change tracking, security analysis, and compliance auditing.

Infrastructure “Security of the Cloud”

Contacto uses cloud storage and compute services from Amazon Web Services (AWS). We do not own or maintain hardware located in the AWS data centers; we operate under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, edge locations, operating, managing and controlling the components from the host operating system, virtualization layer and storage) and Contacto is responsible for securing the application platform deployed in AWS (i.e. applications, identity access management, operating system and network virtual security groups configuration, network traffic, server-side encryption).

Infrastructure security and availability

We guarantee infrastructure security and 99.95% uptime by deploying the latest technology and best practices to keep our platform online and performing optimally.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties, and any vulnerabilities found are fixed.

Full redundancy

Redundant links reroute traffic over backup networks in less than two seconds in case of backbone failover. We employ multiple instances and redundant servers with active pairs that are automatically triggered in the event a failover is required.

HVAC and power stability

All of our facilities offer 100% power and HVAC functionality in any given month. Trained specialists monitor and maintain hardware components on-site at each of our points of presence.

Optimized load balancing

We distribute workloads across multiple resources to optimize response times, maximize throughput, and avoid single points of failure.

Carrier redundancy

We aim to connect to multiple carriers in each country. At a minimum, we connect to at least two local carriers in each country. If a carrier fails, our systems automatically load balance and divert traffic through other reliable carriers.

Clustered and distributed infrastructure

We use automated systems to deploy new code to clusters in real time to ensure smooth transitions between software updates with no downtime. All of our infrastructure and data is distributed across multiple AWS availability zones and will continue to work should any one of those data centers fail.

Network firewalls

Defensive systems embedded at multiple points and layers across the infrastructure and server environment work to protect our systems from unauthorized, potentially harmful, malicious, and problematic traffic and input. These defensive systems are automated, monitored, and logged. Each system uses firewalls to restrict access to systems from external networks and between systems internally. To mitigate internal and external risk, access to systems is restricted to only the ports and protocols required for specific business needs.

Application security

Thousands of customer applications worldwide communicate securely with Plivo through our Voice and SMS APIs, which power Contacto Voice and Messaging capabilities. We utilize three primary tools for application security and authentication.

Multifactor authentication (MFA)

To prevent unauthorized account access, customers need to activate two-factor authentication for additional security on their accounts when utilizing SSO.

Authentication IDs

We employ unique Authentication IDs for every user to ensure that only authorized people have access to accounts.

TLS encryption

All web session traffic between customer applications and Contacto is encrypted using TLS (transport layer security). The TLS protocol provides data encryption and authentication between your applications and our servers and prevents third parties from stealing information. All data entering or leaving Contacto infrastructure is encrypted with TLS/HTTPS.

Data security and privacy

Our APIs can log and record data so that our customers can assess platform behaviors. We recognize that user data, including account information, call logs, and recordings, is sensitive and necessitates robust protection. To address potential risks and threats, we have established stringent security measures and access controls to safeguard this sensitive information.

Customer data protection

For customer data protection, Contacto provides logical tenant separation, encryption in transit (TLS 1.2 or greater) and encryption at rest (256-bit Advanced Encryption Standard (AES-256), one of the strongest encryption standards available for electronic data). All customer data is logically separated and not accessible to other tenants.

Limited data access

Administrative access privileges within the production environment are restricted to authorized personnel. Internally, only Contacto employees who require customer data access as part of their job functions — such as customer support, development, and security teams — are permitted to access customer data. Contacto’s policies and procedures limit and log all external and internal access to customer data and request management approval prior to access.

Backup encryption

We perform regular backups on all Contacto customer data hosted on AWS’s data center infrastructure, including account information, call logs, SMS logs, and call recordings. Backed-up customer data is retained redundantly across multiple availability zones. All backups are stored redundantly and are encrypted using AES-256.

Mobile device management (MDM)

All laptop devices issued to Contacto employees come with encrypted storage partitions and MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. In addition, we have the ability to remotely wipe a device in the event of it being lost or stolen.

Payment security

Payment security is a critical component for our customers. We use an industry-leading payment platform for all of our transactions.

Payment encryption

To ensure that we deploy the highest security measures, we don’t store any credit card information on our servers. Instead, all credit card information is encrypted using AES-256 and handled by our payment platform provider.

PCI compliance

Our payment platform provider is PCI DSS (Payment Card Industry Data Security Standard) compliant, which means that they’re validated and held to the same industry standards as all major credit cards, including Visa, Mastercard, and American Express.

Operational transparency

Contacto adheres to high operational standards and provides policies and practices for security audits, incident response, and privacy. Contacto’s network status and incident reports are publicly available in real time.

Transparent incident response

As part of Contacto’s service-level agreements to all customers, we respond to priority 1 business-critical incidents around the clock, 365 days a year. We also monitor our infrastructure through two network operations centers (NOC) and security operations centers (SOC) and use third-party notification and alert systems to identify and manage threats.