CommBox Trust Center

Welcome to our Trust Center! Here you can find all the information about our product security, data privacy, compliance and more – to understand and trust our commitment to safeguarding your information.

About our Trust Center

CommBox is dedicated to ensuring a secure and reliable environment for its customers, please see for yourself how we maintain Security and Data Protection and feel free to contact our Security team for any questions.

In the course of the last 10 years we have established a multi-layered security program based on ISO 27001 standards as the foundation of our Information Security Management System. We emphasize regular training, risk assessments, vulnerability scanning, and compliance audits to maintain this secure environment.

Our Security Trust Center is dedicated to providing you with comprehensive information and resources to understand and trust our commitment to safeguarding your information. Explore our robust security measures, from industry-leading encryption and access controls to proactive threat detection and incident response protocols. Whether you’re a customer, partner, or visitor, we’re committed to transparency and ensuring your peace of mind regarding the protection of your valuable assets. Welcome to a trusted environment where security is our top priority.

Product Security

Our robust security measures ensure the safe transfer of data, along with the automatic detection and obfuscation of sensitive information. Features such as IP whitelisting, advanced data filtering, and versatile deployment options (including cloud, private cloud, and on-premise solutions) further enhance our comprehensive security framework.

Single sign-on (SSO)

Permits user authentication in the system without forcing them to type in additional sign-in credentials. Additionally, within the SSO we support SAML, LDAP, and AD.

Two factor authentication (2FA)

Two-step verification and authentication process used as an extra layer of security. It will send an SMS message to the stored phone number of the user with a one-time code after password typed in to verify the user identity.

Password storage

CommBox uses a password complexity standard and credentials are stored using a PBKDF2 function. PBKDF2 are key derivation functions with a sliding computational rate, used to reduce vulnerabilities to brute force attacks.

Permissions

CommBox allows permission levels within the platform to be set for system admins and managers. Each agent can assign with multiple permissions such as: channels, modules, general settings, and more.

Access restriction

Access to the system can only be restricted through authorized IP addresses. Additionally, user actions can be tracked in the system.

Integration

The integration process is done in REST. The integration between CommBox and the customer is done through a unique token and HTTPS secure server.

Privacy

The Commbox privacy program is established on a robust base of globally recognized privacy principles, embodying the core values of Commbox in practice. Our commitment lies in the constant improvement and refinement of our privacy program, maintaining our tradition of upholding high standards in the collection and processing of personal data across all business practices, products, and services.

Commbox is committed to protecting the privacy of all individuals in respect of whom we collect, receive, hold and process any personal data. Our privacy policy is designed to be compliant with the laws and regulations of where we conduct our business.

Read our privacy policy.

For any question regarding privacy and security please email us at: [email protected]

For a product demo, click here

EULA

Read CommBox’s full End-User License Agreement

DPA

See CommBox’s Data Processing Addendum – DPA.

Sub-processors

Download Sub-processors list

Information Security

Commbox understands the critical need for robust security practices to protect customer data and meet statutory and regulatory requirements in today’s competitive global market.

We have adopted international standards and guidelines as the foundation of our Information Security Management System, ensuring comprehensive security across our technology, programs, and processes. Our security framework includes, access management, endpoint and antivirus protection, patch management, incident response, secure development and testing, security compliance reviews, asset management, business continuity, retention and disposal, network management, media handling, operations security, logging and monitoring, malware and vulnerability management, internal organization and risk assessment, equipment, personnel security, physical security, and third-party vendor management.

Information Security Program

In an increasingly competitive global market where cloud services for information management are rapidly being adopted, maintaining robust security practices is crucial. Protecting company, customer, and employee data against evolving cybersecurity threats and demonstrating compliance with statutory and regulatory requirements are essential for all companies.

Our security measures are integrated into all our technologies, programs, and processes. Commbox has adopted the International Standards Organization (ISO) 27000 family of standards, specifically ISO/ 27001, as the foundation for our Information Security Management System. We have established, documented, and implemented policies, standards, and controls that conform to ISO 27001 requirements.

Our security framework is built on leading information security standards and is maintained by an in-house team of experts in cloud, application, and information security. Discover the measures outlined in our Information Security Program that we use to identify and protect against emerging threats. Full policies for each subject are available per request.

Data Hosting and Storage

CommBox platform and data are hosted in Amazon Web Services (AWS) facilities in Ireland.

Access Management

Commbox has established a well-defined process for granting access to all information assets. Privileges and access rights are allocated to employees based on our management approved role based access control which relies on the “need-to-know” and “least-privilege” principles to safeguard information assets from unauthorized access and disclosure. Our password policy is enforced uniformly across all information assets, ensuring compliance with minimum length, complexity, password expiry, history, and account lockout requirements in the event of failed attempts.

Endpoint and Antivirus protection

In accordance with our policies, all operating systems owned and supported by Commbox, must be configured with our antivirus solution. We also encrypt computers so their data is not accessible even in the case of loss or theft.

Patch Management

We collect and analyze security threat intelligence from our internal vulnerability management tools, vendors, and other third-party security organizations. Our patch management standard outlines appropriate patching practices for our technology teams. Additionally, we may implement extra security controls to mitigate known threats when necessary.

Incident Response

An incident response process is established to address incidents as they arise. Managed by a dedicated incident response team, this process follows a documented procedure for mitigation and communication. The plan adheres to various recognized standards and industry best practices and we conduct an annual exercise of an incident response scenario.

Commbox’s incident response process mandates that incidents are promptly reported, investigated, and monitored to ensure timely corrective actions are taken to control and remediate security incidents.

Secure Development and Testing

At Commbox, we prioritize security in every aspect of our development and testing processes. Our commitment to secure development begins with a comprehensive security-first approach, ensuring that all software is built with robust protection mechanisms from the ground up. Our development team adheres to industry best practices, such as secure coding standards and regular code reviews, to identify and mitigate potential vulnerabilities early in the development cycle. Additionally, we have system change control procedures, restrictions on changes to software packages, system security and acceptance testing and other measures to reduce risk.

Security Compliance Reviews

Our security compliance reviews are an integral part of our operational framework, ensuring that all our processes, systems, and applications meet or exceed industry regulations and best practices. We conduct regular audits and assessments to verify our compliance with international standards such as GDPR, ISO 27001, SOC2, PCI and other relevant certifications and regulations. Our dedicated compliance team works diligently to stay up-to-date with the latest security requirements and regulatory changes, implementing necessary adjustments to our policies and procedures. Through comprehensive documentation, continuous monitoring, and stringent enforcement of compliance measures, Commbox guarantees a secure and compliant environment, delivering reliable and trustworthy solutions to our clients.

Asset Management

We maintain a detailed inventory of all our hardware, software, and digital assets to ensure they are properly tracked, maintained, and secured. Our asset management processes include regular audits, lifecycle management, and stringent access controls to protect against unauthorized use and potential vulnerabilities.

Business Continuity Plan

CommBox has a well-planned Business Continuity plan. All the information is in a formal document that we can provide by demand. The plan is updated and tested annually. All data is stored on two separate servers (production + backups) on AWS server farm. All information is backed up on the backup server up to two weeks back. In case the production server is unavailable, the backup server is available with the entire data.

Retention and Disposal

We have established comprehensive retention and disposal policies to manage data and assets securely and responsibly. Our retention policies ensure that data is stored only as long as necessary to meet regulatory requirements, business needs, and client agreements. We classify and regularly review our data to ensure compliance with legal and organizational guidelines. When data or assets are no longer needed, our disposal processes ensure secure elimination. This includes using certified data destruction methods and proper disposal of physical assets to prevent unauthorized access or data breaches.

Network Management

Our network management strategy encompasses a comprehensive set of practices to ensure optimal performance, security, and scalability of our network infrastructure. We employ advanced monitoring tools and techniques to oversee network activity, detect anomalies, and prevent potential threats in real-time. Our network is designed with redundancy and failover mechanisms to maintain continuous operations and minimize downtime. We implement strict access controls and encryption protocols to safeguard data in transit and prevent unauthorized access. Regular audits and updates to our network configurations ensure that we stay ahead of emerging threats and maintain compliance with industry standards.

Media Handling

Change Management\Operations

Commbox ensures that all changes to the operating information systems environment, including modifications to servers, network equipment, and software, are subject to a formal change management process.

Additionally, Commbox maintains backup copies of information and software to facilitate data recovery in the event of incidents such as system crashes or accidental data deletion.

Logging and Monitoring

Automated and systematic centralized security logging and monitoring of the operating environment is continuously conducted through our Security Operations Center (SOC). This ensures real-time awareness, event correlation, and swift incident response. We use a SIEM system to centralize and monitor all alerts and relevant data from different logs. All logs are protected from change or tampering and are kept at least for 24 months. We monitor systems, services, and operations to ensure the health of our operating environments. Management tools are employed to monitor and maintain a well-scaled and highly available environment.

Malware and Vulnerability Management

Our comprehensive malware and vulnerability management program includes proactive measures to detect, prevent, and respond to threats. We utilize advanced anti-malware tools and continuous monitoring systems to identify and neutralize potential threats in real-time. Quarterly vulnerability assessments and an annual penetration test are conducted to uncover and address security weaknesses in our infrastructure and applications. Our dedicated security team stays informed about the latest threat intelligence and applies timely patches and updates to mitigate risks. Through rigorous training and awareness programs, we ensure that our staff is equipped to recognize and respond to potential threats. By maintaining a robust malware and vulnerability management framework, Commbox ensures the ongoing security and resilience of our services, protecting our clients’ data and maintaining their trust.

Internal Organization and Risk Management

We conduct an external risk assessment annually with its result displayed to management and discussed as a part of a formal annual risk review. After completing risk assessment activities, our Security team collaborates with product and technology teams to formulate remediation plans and roadmaps aimed at addressing compliance gaps and identified risks.

We also conduct internal and external audits to assess adherence to policies, standards, and regulatory requirements. Findings from these audits are recorded for review and subsequent remediation efforts within the organization.

Personnel Security

All our staff adhere to our code of conduct and AUP, which reflects our company’s values and mission. They are informed of their responsibilities, our policies, and standards, and receive regular guidance and support from our Information Security team on best practices for data security.

To comply with relevant laws and regulations, we conduct thorough background verification checks when hiring permanent staff. This ensures the authenticity of the individuals and minimizes the risk to critical information assets.

We provide mandatory ongoing information security training and offer additional training to specific groups and individuals as needed. Our staff are bound by confidentiality obligations and are aware of the consequences of failing to comply with our policies and their responsibilities.

At Commbox, we follow a structured employee exit process that includes the timely revocation of system permissions/access rights and the return of company assets.

Physical security

All strategic data centers adhere to the standards and industry best practices in the fields of physical security, building maintenance, fire suppression, air conditioning, UPS with generator backup, and access to diverse power and communications infrastructures.

Commbox regularly reviews assurance reports from third-party vendors and data centers as part of our Vendor Risk Management program.

Access to our facilities as well as the cloud provider is tightly controlled using a variety of secure methods, ensuring access is granted strictly based on operational needs. Depending on the facility’s sensitivity, these methods may include security staff, ID cards, electronic access control with proximity card readers, physical locks, and PIN numbers.

Third-party vendor management

We have a third party vendor acceptance process to ensure that all third-party partners meet our security and compliance standards. We conduct a risk assessment before working with a certain supplier and establish clear contractual agreements that outline security and privacy requirements, compliance obligations, and performance expectations. We also conduct supplier reviews and audits.

Infrastructure Security

Secure channels and strong encryption. Intrusion Prevention Systems (IPS), Application Firewalls, and Network-based Firewalls. All data traffic passed through CommBox is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL and score an “A” rating. Additionally, CommBox encrypts data at rest using an industry-standard AES-256 encryption algorithm for maximum security.

We employ tiered controls, including network segmentation, to ensure appropriate levels of protection for systems and data. Additionally, Data Loss Prevention controls are implemented to enhance security.

Disclosure

To report a security issue to Commbox, a leader in driving innovation solutions, we prioritize the security of our IT environment and customer data. We encourage responsible disclosure of any vulnerabilities discovered in our sites or applications to enhance our security practices continuously. Commbox values the contribution of external security researchers and is committed to collaborating with them to verify and address potential vulnerabilities.

If you believe you have identified a security issue in one of our products or services, please partner with us and report it through our HackerOne Responsible Vulnerability Disclosure Program at [email protected]. When submitting your report, please include the following details:

Description of the issue and its location
Steps required to reproduce the issue

Your collaboration helps us maintain a secure environment and improve our security posture.

KEEPING OUR DATA SAFE

Please be aware that the following activities are strictly prohibited:

Hacking, penetrating, or attempting to gain unauthorized access to Commbox applications, systems, or data, which is a violation of applicable laws.
Engaging in actions that could adversely impact Commbox or disrupt the operation of our applications or systems (e.g., spamming, brute-force attacks, denial-of-service attacks).
Downloading, copying, disclosing, or using any proprietary or confidential data belonging to Commbox, including customer data.
Conducting any physical or electronic attacks targeting Commbox personnel, property, or data centers.

We encourage you to review our Vulnerability Disclosure Policy before conducting any testing or reporting vulnerabilities. If you responsibly report a vulnerability, Commbox will make every effort to respond promptly. Thank you for assisting us in safeguarding Commbox and our customers’ data.

Compliance

CommBox is GDPR and ISO compliant, and acts under the privacy protection law. Each CommBox customer signs an NDA to ensure confidentiality across all touchpoints. Our commitment to integrity and transparency is reflected in our comprehensive compliance program, which adheres to the highest industry standards and regulatory requirements. At Commbox, we prioritize ethical business practices and the protection of personal data, ensuring that all our operations, products, and services are conducted with the utmost respect for legal and ethical guidelines. Explore this page to learn more about our compliance policies and initiatives.

GDPR Compliance

CommBox complies with the EU GDPR (European Union General Data Protection Regulation) framework as set forth by the European Union regarding the collection, use, and retention of personal data from European Union member countries. CommBox has certified that it adheres to the requirements of notice, choice, onward transfer, security, data integrity, access and enforcement. Official documents are available by demand.