Aug 16, 2024
5 mins

Maintaining Our Commitment to Security: Plivo Renews SOC 2 Type 2 Compliance

SOC 2 Type 2 compliance renewal for data security and trust: Plivo complies with stringent standards to safeguard your information. Read on to learn more.

Compliance
Company
Security

At Plivo, we’re dedicated to offering a trustworthy, robust Cloud Communication Platform as a Service (CPaaS). We continuously implement stringent security measures, and as a result, we’re pleased to share that we’ve renewed our SOC 2 Type 2 certification, which includes HIPAA controls.

Maintaining a Strong Security Culture

Security is at the core of our operations and deeply integrated into our services. Our security team continuously enhances our security controls, threat mitigation processes, and monitoring systems. Every Plivo employee understands that safeguarding your data is our highest priority; we've built our culture around this value.

Our SOC 2 Type 2 Commitment

In 2022, we obtained our initial SOC 2 Type 2 report, demonstrating our capabilities in handling, storing, and processing user data. The report not only validated the strength of our security systems and procedures but also evaluated our operational effectiveness in adhering to these controls over time. 

Our SOC 2 Type 2 certification renewal this year reaffirms our dedication to managing our clients’ critical data. It verifies our stringent controls across several critical areas:

  • Regular communication: We ensure consistent updates and changes are communicated to our customers.
  • Access controls: We prevent unauthorized access by maintaining robust internal access controls to production environments.
  • System monitoring: We conduct thorough system monitoring and ongoing risk assessments to identify and mitigate potential threats.
  • Disaster recovery: Our reliable disaster recovery and data backup measures ensure system availability and data integrity.
  • Incident response: We have responsive system and security monitoring and incident response processes in place.
  • Employee processes: Our effective employee onboarding and termination processes help maintain security integrity.

These controls continue to evolve as we maintain the privacy and security of customer data and enhance our security systems.

Our Security Commitment: Beyond a Checkbox

Renewing our SOC 2 Type 2 certification is more than just meeting a requirement; it's a testament to our ongoing commitment to you, our valued customers. For us, it’s not just about compliance but about living up to the trust you place in Plivo every day.

We’re proud of our team’s hard work over the past year, and we will continue implementing robust security measures and achieving accreditations in the future.

You can read more about our renewed SOC 2 Type 2 compliance, our security measures, and how we continually protect your data on our security page.

Your security is always our top priority. We deeply appreciate your trust in us.

Aug 16, 2024
5 mins

Plivo Renews HIPAA Compliance to Support Healthcare Customers

Plivo can sign a HIPAA business associate agreement (BAA) for customers who sign up for an enterprise package.

Compliance
Healthcare
Security

We’re pleased to announce that Plivo has renewed its HIPAA compliance for 2024, reaffirming our commitment to security for healthcare customers. Our latest SOC 2 Type 2 audit report also covers HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) protect the privacy and security of patients' medical information, known as protected health information (PHI). Healthcare organizations in the US must follow HIPAA's Privacy and Security Rules for handling PHI and must work with business associates that also protect PHI.

At Plivo, we understand the importance of securing PHI. For eligible customers, Plivo can sign a HIPAA business associate agreement (BAA) as part of our Enterprise package. The BAA contractually obligates us to properly safeguard PHI in alignment with HIPAA standards.

Our Commitment to Security

Plivo implements various data security controls, including:

  • Encryption: Data in transit and at rest is encrypted using strong ciphers like AES-256.
  • Access controls: Strict access controls and personnel policies protect systems handling PHI.
  • Data redaction: PHI details are redacted from logs and audits.
  • Independent verification: Independent third-party auditors routinely verify our HIPAA compliance controls.

Security is a Shared Responsibility

However, HIPAA compliance is a shared responsibility between Plivo and our customers. While we provide the compliant platform and infrastructure, customers must also use Plivo in a way that follows HIPAA guidelines, including:

  • Securing their Plivo account credentials
  • Ensuring PHI is only accessed in secure environments
  • Making sure their application instructions to Plivo align with HIPAA rules

For healthcare organizations that need to comply with HIPAA and HITECH, Plivo provides the capabilities and assurances to securely build communication workflows. Contact our sales team to learn more about HIPAA compliance with Plivo.

Aug 24, 2023
5 mins

Plivo Renews PCI DSS Certification to Keep Your Cardholder Data Secure

PCI certification: Plivo renews PCI DSS compliance certification, which means your payments to Plivo are secured and protected.

Compliance
Security

The Payment Card Industry Data Security Standard (PCI DSS) is the gold standard for information security for organizations that handle credit and debit card payments. Plivo is certified for PCI DSS compliance and has renewed its compliance.

What does PCI DSS cover?

PCI DSS covers security requirements regarding storage and transmission of data, access control, and other factors, including:

  • Use of firewalls and antivirus software
  • Data encryption, leveraging end-to-end encryption with the robust AES-256 (Advanced Encryption Standard) cipher
  • Passwords
  • Multifactor authentication
  • Specified roles and responsibilities for each requirement

PCI DSS comprises a set of requirements instituted and regulated by the PCI Security Standards Council (PCI SSC), a consortium of card brands including Visa, Mastercard, American Express, and Discover. All organizations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process these payments.

Plivo is PCI DSS certified

Plivo is certified for PCI DSS Level 1, which applies to organizations that process more than six million credit or debit card transactions annually. We undergo an internal audit once a year, conducted by an authorized PCI auditor, and submit to a PCI scan by an approved scanning vendor once a quarter.

Plivo doesn’t accept payments directly — a cloud-based payment platform handles all of our transactions. However, while using a third-party provider cuts down on our risk exposure and reduces the scope of detail necessary to validate compliance, we still need to be PCI DSS compliant.

Plivo has renewed its PCI DSS compliance, ensuring your cardholder data remains secure.

PCI DSS compliance requires everyone’s attention

Plivo is a communications platform as a service (CPaaS), and cardholder data security is of utmost importance to us. Having achieved PCI DSS compliance, we’re committed to ensuring an unparalleled level of safety. Our platform is designed to accommodate payment-related workflows through voice or message APIs.

However, PCI DSS compliance is a shared responsibility. While Plivo ensures elements like data encryption both in transit and at rest, and redaction of specific details in logs, corroborated by audit reports from independent third parties, our customers have their own set of responsibilities. They must ensure the security of their authentication credentials, use the Plivo console securely, and ensure that their applications’ instructions are compliant. This collaborative approach helps us maintain a platform that’s secure for every user.

Become an enterprise customer

PCI DSS compliance is just one Plivo feature that will appeal to large organizations. We’ve rolled several other features into an enterprise package that has numerous benefits for large organizations. Tell us about your needs and we’ll have an expert get in touch with you.

Aug 23, 2023
5 mins

Plivo Renews HIPAA Compliance to Support Healthcare Customers

Plivo can sign a HIPAA business associate agreement (BAA) for customers who sign up for an enterprise package.

Compliance
Healthcare
Security

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) protect the privacy and security of patients’ medical information, known as protected health information (PHI), in the United States. Healthcare organizations must follow HIPAA’s Privacy and Security Rules for handling PHI, and can work with business associates that also protect PHI.

At Plivo, we understand the importance of securing PHI. For eligible customers, Plivo can sign a HIPAA business associate agreement (BAA) as part of our Enterprise package. The BAA contractually obligates us to properly safeguard PHI in alignment with HIPAA standards.

Plivo has renewed our HIPAA compliance for 2023, reaffirming our commitment to healthcare customers. HIPAA compliance is also covered in our latest SOC 2 Type 2 audit report.

Plivo implements various controls to keep data secure, including:

  • Encryption of data in transit and at rest using strong ciphers like AES-256
  • Access controls and personnel policies to protect systems handling PHI
  • Redaction of PHI details from logs and audits
  • Routine verification of our HIPAA compliance controls by independent third-party auditors

However, HIPAA compliance is a shared responsibility between Plivo and our customers. While we provide the compliant platform and infrastructure, customers must also use Plivo in a compliant manner, including:

  • Securing their Plivo account credentials
  • Ensuring PHI is only accessed in secure environments
  • Making sure their application instructions to Plivo align with HIPAA rules

For healthcare organizations that need to comply with HIPAA and HITECH, Plivo provides the capabilities and assurances to securely build communication workflows. Contact our sales team to learn more about HIPAA compliance with Plivo.

Aug 3, 2023
5 mins

Maintaining Our Commitment to Security: Plivo Renews SOC 2 Type 2 Compliance

SOC 2 Type 2 compliance renewal for data security and trust: Plivo complies with stringent standards to safeguard your information. Read on to learn more.

Compliance
Company
Security

At Plivo, we’re steadfast in our dedication to stringent security measures, to ensure we offer our clients a trustworthy and robust Cloud Communication Platform as a Service (CPaaS). We’re pleased to share that we’ve renewed our SOC 2 Type 2 certification, which includes HIPAA controls.

Maintaining a strong security culture

The focus on security is at the heart of our operations, woven into the fabric of our services. Our security team continually improves our security controls, threat-mitigation processes, and monitoring systems. Everyone at Plivo knows that keeping your data safe is our highest priority; we’ve built our culture around that value.

Our SOC 2 Type 2 commitment

In 2022 we obtained our initial SOC 2 Type 2 report, which provided reassurance to our customers about us as a service organization handling, storing, and processing user data. The report not only confirmed the adequacy of our security systems and procedures, it also examined our operational effectiveness in adhering to these controls over time. The SOC 2 Type 2 certification underscored our commitment to data security.

Our SOC 2 Type 2 certification this year reaffirms our dedication to managing the critical data our clients entrust us with, and reaffirms our stringent controls across critical areas:

  • Regular communication of changes to customers
  • Robust internal access control to production environments
  • Thorough system monitoring and ongoing risk assessments
  • Reliable disaster recovery, data backup measures, and system availability
  • Responsive system and security monitoring and incident response processes
  • Effective employee onboarding and termination processes

These controls continue to evolve as we maintain the privacy and security of customer data and perfect our security systems.

Our security commitment: beyond a checkbox

We see our certification renewal as a testament to our ongoing commitment to you, our valued customers. It signifies our dedication to ensuring your data’s security and our unwavering efforts to keep improving. It isn’t just about ticking a box for us, but rather about living up to the trust you place in us.

We’re proud of our team’s hard work over the past year, and we’ll continue striving toward more robust security measures and accreditations in the future.

You can read more about our renewed SOC 2 Type 2 compliance, our security measures, and how we’re continually protecting your data on our security page.

Your security is always our top priority. We appreciate your trust in us.

Jul 24, 2023
5 mins

What is DND? How to File a DND Complaint in India?

DND complaint: How to register a DND complaint in India. Don’t let DND filters come between you and your customers. Sign up with Plivo today!

Compliance
India

What is a DND number?

Few people enjoy receiving calls or text messages they didn’t request from businesses, especially if they’ve registered on their country’s Do Not Disturb (DND) list. In India, that list is officially called the National Do Not Call (NDNC) Registry. Individuals who do not wish to receive promotional texts or calls from businesses that they have no relationship with can sign up for free. Then, if a business tries sending someone promotional messages they don’t want, consumers can file complaints that have serious consequences for the businesses that are in violation.

How to Sign Up for the DND List in India?

The easiest way to get on the DND list is to send an SMS message to 1909, the national number reserved for the purpose. The body of the message should be simply START DND or START 0.

The subscriber’s carrier should instantly acknowledge the request and warn that it may take some time for the registration to become effective. The registry provides a page consumers can visit to check registration status.

If an individual doesn’t get a confirmation text, or simply prefers voice calls to texting, they can also call 1909 and follow the recorded instructions to register.

To remove a number from the registry, send STOP DND to 1909. However, numbers cannot be deactivated for 90 days after activation.

Customizing DND Preferences in India

While most people block all unsolicited commercial communications (UCC), consumers can pick and choose which industries to block. There are seven sectors, listed below. Text START n, where n is the digit associated with the sector, to block promotional messages from that industry.

  1. Banking, insurance, financial products, and credit cards
  2. Real estate
  3. Education
  4. Health
  5. Consumer goods and automobiles
  6. Communication, broadcasting, entertainment, and IT
  7. Tourism and leisure

People can change DND preferences at any time, but after someone makes one change, they won’t be able to make another for 30 days.

What to Do When DND Doesn’t Help: Report Spam Calls in India

The NDNC Registry is a great resource, but it’s not perfect. If a telemarketer illegally ignores the DND list, consumers may receive messages they don’t want. This happens far too frequently — according to LocalCircles, two out of three people whose numbers are in the registry get three or more unwanted calls every day. The Telecom Regulatory Authority of India (TRAI) has taken many steps to combat these unwanted communications. Most recently, new rules went into effect on May 1 that require telecom companies to use AI spam filters in their call and SMS services.

Still, knowing spam happens, the TRAI set up a way to file spam complaints.

How to Report Spam Calls in India Using the 1909 Number

As with registration, the trick is to text or call 1909. Provide all the particulars of the unwanted message:

  • Sender ID
  • Message content
  • Message date and time

Alternatively, recipients can search their carrier’s website for a form on which to make a DND complaint.

Consumers who submit a complaint should receive a unique complaint tracking number. The NDNC Registry should follow up by reporting to filers the action it takes within seven days. Actions may include having the calling number disconnected and forcing the originator to pay financial penalties.

How to Avoid DND Violations as a Business in India?

As a business, it behooves you not to be the source of DND complaints. Several best practices will keep you on the side of the angels.

  • Register with the TRAI and obtain a unique sender ID to use in your messages.
  • Gain consent from recipients before sending any marketing or promotional messages. Consent can be explicit (given directly by the customer) or inferred (derived from an existing business relationship or transaction); for promotional messages, get explicit consent.
  • Check each recipient against the NDNC, and respect people’s preferences.
  • Provide an opt-out mechanism, such as an unsubscribe link or instructions to send a “STOP” message, with each promotional message.
  • Respect time restrictions — don’t send promotional messages after 9 p.m. or before 9 a.m. Also, don’t send more than six messages per hour with the same content, from the same sender, to the same number.
  • Keep records of customer consent, preferences, and opt-out requests, as mandated by the TRAI.

Do all of that and you should be fine. If you run into trouble, the experts on Plivo’s support team stand ready to help.

Mar 8, 2023
5 mins

Plivo Protects PHI for HIPAA/HITECH Compliance

Plivo can sign a HIPAA business associate agreement (BAA) for customers who sign up for an enterprise package.

Compliance
Healthcare
Security

Healthcare businesses frequently ask us, “Is Plivo HIPAA compliant?” To answer that question, we have to throw a little jargon around — but we think you’ll like the answer.

The Health Insurance Portability and Accountability Act (HIPAA) and its follow-on, the Health Information Technology for Economic and Clinical Health Act (HITECH), are US laws designed to protect the privacy and security of consumers’ medical data, which in HIPAA terms is referred to as protected health information (PHI).

Under HIPAA, covered entities (such as physicians and health plans) have to follow documented Privacy Rules and Security Rules guidelines for handling PHI. They don’t have to do everything on their own systems, however; they can contract with other companies that provide business functions such as billing or medical record storage or (ahem) providing a communications platform that lets the covered entities communicate with consumers via messaging or voice calls. To keep a covered entity compliant, a service provider that can access PHI must sign a business associate agreement (BAA) that provides assurances to the covered entity that the service provider will do its part to protect their data.

Plivo can sign a BAA for customers who sign up for an enterprise package.

HIPAA compliance requires everyone’s attention

HIPAA compliance is a shared responsibility, however. Plivo can guarantee things like encryption of data in transit and at rest and redaction of details in logs, and back those guarantees up with audit reports from independent third parties. But our customers, the covered entities, are responsible for other aspects, such as securing their authentication credentials and using the Plivo console in a secure environment. In short, you have to use Plivo in a compliant manner and make sure your applications’ instructions to us comply with the statutes.

Become an enterprise customer

Plivo’s Enterprise Package has numerous benefits for large organizations. Tell us about your needs and we’ll have an expert get in touch with you.

Mar 6, 2023
5 mins

PCI DSS Certification Means Your Payments to Plivo Are Secure

PCI certification: Plivo announces PCI DSS compliance certification, which means your payments to Plivo are secured and protected. Sign up with Plivo, the most trusted CPaaS platform.

Compliance
Security

The Payment Card Industry Data Security Standard (PCI DSS) is the gold standard for information security for organizations that handle credit and debit card payments. Plivo is certified for PCI DSS compliance.

What is PCI DSS?

PCI DSS covers security requirements regarding storage and transmission of data, access control, and other factors, including:

  • Use of firewalls and antivirus software
  • Data encryption
  • Passwords
  • Multifactor authentication
  • Specified roles and responsibilities for each requirement

PCI DSS comprises a set of requirements instituted and regulated by the PCI Security Standards Council (PCI SSC), a consortium of card brands including Visa, Mastercard, American Express, and Discover. All organizations that process, store, or transmit payment card data must comply with PCI DSS requirements or risk losing their ability to process these payments.

Plivo is PCI DSS certified

Plivo is certified for PCI DSS Level 1, which applies to organizations that process more than six million credit or debit card transactions annually. We undergo an internal audit once a year, conducted by an authorized PCI auditor, and submit to a PCI scan by an approved scanning vendor once a quarter.

Plivo doesn’t accept payments directly — a cloud-based payment platform handles all of our transactions. However, while using a third-party provider cuts down on our risk exposure and reduces the scope of detail necessary to validate compliance, we still need to be PCI DSS compliant.

PCI DSS compliance requires everyone’s attention

PCI DSS compliance is a shared responsibility, however. Plivo can guarantee things like encryption of data in transit and at rest and redaction of details in logs, and back those guarantees up with audit reports from independent third parties. But our customers are responsible for other aspects, such as securing their authentication credentials and using the Plivo console in a secure environment. In short, you have to use Plivo in a compliant manner and make sure your applications’ instructions to us comply with the statutes.

Become an enterprise customer

PCI DSS compliance is just one Plivo feature that will appeal to large organizations. We’ve rolled several other features into an enterprise package that has numerous benefits for large organizations. Tell us about your needs and we’ll have an expert get in touch with you.