Secure Cloud Communications
We employ security best practices and policies to ensure that our network is secured physically and virtually, and that our customers’ data and payment information are both private and secure. Our security architecture comprises five main components:
Physical security: State-of-the-art on-premises security for all of our distributed computing and storage networks worldwide.
Network security: All data entering and leaving Plivo is encrypted with TLS/HTTPS.
Application security: Encryption and authentication for secure and efficient access of Plivo’s APIs.
Data security and privacy: Backup encryption and account access limitations to mitigate risk and threats to our customer data.
Payment security: Use of leading industry transaction processing vendors to protect all transactions and payment information.
GDPR
Plivo systems are compliant with the data protection principles of the European Union’s General Data Protection Regulation.
SOC 2 Certified
Plivo is SOC 2 certified. Our SOC 3 report provides more details, including our Independent Service Auditor’s Report and Plivo Management’s Assertion.
HIPAA/HITECH Compliant
Plivo is willing to sign a Business Associate Agreement for customers who handle protected health information (PHI) and have a signed contract with us. We’re audited annually by an independent auditor to demonstrate HIPAA compliance.
PCI DSS Compliant
Plivo is certified compliant with PCI DSS Level 1. We’re audited annually by an independent auditor to demonstrate PCI DSS compliance.
ISO 27001:2022 Certified
Plivo is certified to ISO/IEC 27001:2022, the premier standard for an Information Security Management System (ISMS). This certifies our commitment to the highest level of data security and privacy, ensuring trust and protection for our customers' sensitive information.
CSA STAR Level 1
Plivo has completed the CSA STAR Level 1 self-assessment, demonstrating transparency and adherence to cloud security controls as outlined in the CAIQ v4.
How Plivo keeps your data secure and available
Businesses around the world rely on Plivo to keep their data secure. Here are the measures we take to
ensure physical, network, application, data, and payment security.
ensure physical, network, application, data, and payment security.
Physical on-premises security
All of our data centers and hosting partners are housed in state-of-the-art facilities with industry-standard access controls and physical security measures.
24/7 surveillance
AWS provides dedicated 24/7 state-of-the-art electronic surveillance and physical security measures at all of our server locations, including foot patrols, security logs, and perimeter inspections.
Personnel authorization
Only authorized Plivo personnel are granted access credentials to our data centers. Every access is also logged and reviewed to ensure that our systems are not breached by internal threats.
Security logs
All activity on our servers are logged, and we review historical reports for system change tracking, security analysis, and compliance auditing.
Infrastructure “Security of the Cloud”
Plivo uses cloud storage and compute services from Amazon Web Services (AWS). We do not own or maintain hardware located in the AWS data centers; we operate under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, edge locations, operating, managing and controlling the components from the host operating system, virtualization layer and storage) and Plivo is responsible for securing the application platform deployed in AWS (i.e. applications, identity access management, operating system and network virtual security groups configuration, network traffic, server-side encryption).
Infrastructure security and availability
We guarantee infrastructure security and 99.99% uptime by deploying the latest technology and best practices to keep our platform online and performing optimally.
Annual penetration tests
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties, and any vulnerabilities found are fixed.
Full redundancy
Redundant links reroute traffic over backup networks in less than two seconds in case of backbone failover. We employ multiple instances and redundant servers with active pairs that are automatically triggered in the event a failover is required.
HVAC and power stability
All of our facilities offer 100% power and HVAC functionality in any given month. Trained specialists monitor and maintain hardware components on-site at each of our six global points of presence.
Optimized load balancing
We distribute workloads across multiple resources to optimize response times, maximize throughput, and avoid single points of failure.
Carrier redundancy
We aim to connect to multiple carriers in each country. At a minimum, we connect to at least two local carriers in each country. If a carrier fails, our systems automatically load balance and divert traffic through other reliable carriers.
Clustered and distributed infrastructure
We use automated systems to deploy new code to clusters in real time to ensure smooth transitions between software updates with no downtime. All of our infrastructure and data is distributed across multiple AWS availability zones and will continue to work should any one of those data centers fail.
Network firewalls
Defensive systems embedded at multiple points and layers across the infrastructure and server environment work to protect our systems from unauthorized, potentially harmful, malicious, and problematic traffic and input. These defensive systems are automated, monitored, and logged. Each system uses firewalls to restrict access to systems from external networks and between systems internally. To mitigate internal and external risk, access to systems is restricted to only the ports and protocols required for specific business needs.
Application security
Thousands of customer applications across the globe communicate securely with Plivo through our Voice and SMS APIs. We use three primary tools for application security and authentication.
Multifactor authentication (MFA)
To prevent unauthorized account access, each session requires the account username and a strong passphrase for access to each Plivo account. We also require phone number verification delivered through an SMS text message or a voice call to the user’s phone to activate new accounts.
Authentication IDs and tokens
We employ unique Authentication IDs and Authentication tokens for every user to ensure that only authorized people have access to accounts. Organizations can renew token-based service authentication at any time by generating a new authentication token through the Plivo console.
TLS encryption
All web session traffic between customer applications and Plivo is encrypted using TLS (transport layer security). The TLS protocol provides data encryption and authentication between your applications and our servers and prevents third parties from stealing information. All data entering or leaving Plivo infrastructure is encrypted with TLS/HTTPS.
Data security and privacy
Our APIs can log and record data so that our customers can assess platform behaviors. Because user data such as account information and call logs and recordings can be sensitive, we take precautions to mitigate risks and threats to it. We also offer customers with sensitive data a no-log option, where SMS messages and DTMF actions are not saved on our systems at any point.
Customer data protection
For customer data protection, Plivo provides logical tenant separation, encryption in transit (TLS 1.2 or greater) and encryption at rest (256-bit Advanced Encryption Standard (AES-256), one of the strongest encryption standards available for electronic data). All customer data is logically separated and not accessible to other tenants.
Limited data access
Administrative access privileges within the production environment are restricted to authorized personnel. Internally, only Plivo employees who require customer data access as part of their job functions — such as customer support, development, and security teams — are permitted to access customer data. Plivo’s policies and procedures limit and log all external and internal access to customer data and request management approval prior to access.
Backup encryption
We perform regular backups on all Plivo customer data hosted on AWS’s data center infrastructure, including account information, call logs, SMS logs, and call recordings. Backed-up customer data is retained redundantly across multiple availability zones. All backups are stored redundantly and are encrypted using AES-256.
Mobile device management (MDM)
All laptop devices issued to Plivo employees come with encrypted storage partitions and MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. In addition, we have the ability to remotely wipe a device in the event of it being lost or stolen.
Payment security
Payment security is a critical component for our customers. We use an industry-leading payment platform for all of our transactions.
Payment encryption
To ensure that we deploy the highest security measures, we don’t store any credit card information on our servers. Instead, all credit card information is encrypted using AES-256 and handled by our payment platform provider.
PCI compliance
Our payment platform provider is PCI DSS (Payment Card Industry Data Security Standard) compliant, which means that they’re validated and held to the same industry standards as all major credit cards, including Visa, Mastercard, and American Express.
Operational transparency
Plivo adheres to high operational standards and provides policies and practices for security audits, incident response, and privacy. Plivo’s network status and incident reports are publicly available in real time.
Transparent incident response
As part of Plivo’s service-level agreements to all customers, we respond to priority 1 business-critical incidents around the clock, 365 days a year. We also monitor our infrastructure through two network operations centers (NOC) and security operations centers (SOC) and use third-party notification and alert systems to identify and manage threats.
Privacy policy
All Plivo employees are bound by Plivo’s privacy policy.