Security at Callbi
Callbi takes security seriously and we work hard at ensuring that we implement the right security
controls to protect your call data so that you may use our services with confidence
Compliance and regulations
Web Services Certified
Callbi holds a valid Certificate of Vulnerability Assessment & Penetration Testing.
PoPIA
Callbi’s business processes, tools and technologies ensure that we are compliant with the
requirements of the PoPI Act (South Africa’s privacy legislation). You can be sure that your use
of our services does not place your own compliance with PoPIA at risk.
Security Practices
Callbi takes a holistic approach to security and try to weave it through everything we do at Callbi
to be sure that we appropriately protect the data that you entrust to us. Here are some of the
highlights of our security practices.
Organisational Security
Security is championed by our CEO and communicated to all staff via our information security
policy. Staff receive training on the provisions of the security policy and we validate adherence to
the policy on a regular basis.
Access Control
We see access control as one of the most effective tools in our security toolbox. We grant access
using the principle of least privilege, ensuring that staff only have access to those data or functions
that they need to do their job. All system access is centrally managed, logged and the logs are
monitored periodically.
Access rights are reviewed regularly and specifically when there is any change in a staff member’s role. Multi-factor authentication is used to control access to all sensitive data, including our production environment which houses customer data.
Each staff member uses a password manager tool that generates unique strong passwords for all services to reduce the risk of phishing and other password-based attacks. The password policy that governs password strength and other characteristics is centrally enforced by an administrator.
Access rights are reviewed regularly and specifically when there is any change in a staff member’s role. Multi-factor authentication is used to control access to all sensitive data, including our production environment which houses customer data.
Each staff member uses a password manager tool that generates unique strong passwords for all services to reduce the risk of phishing and other password-based attacks. The password policy that governs password strength and other characteristics is centrally enforced by an administrator.
Data protection rights
Callbi allows data subjects to exercise their data protection rights as required by POPIA
legislation. Firstly, an organization is allowed to specify and alter their retention period for their
uploaded calls. The default rolling retention period is 92 days from the current date, and the
shortest retention period is 1 day. Once data has expired and been deleted, it may further be
retained for up to 7 days within encrypted rolling backups, after which all traces are considered
deleted. If it is required that only certain calls be modified or deleted, Callbi allows mechanisms
(either per manual request via its support helpdesk or via the Callbi web application where
available) to correct or delete a filtered list of calls prior to their expiry. Data can also be extracted
using the Callbi web application or API, and access is limited to authorized users only.
Protecting Customer Data
Our main security objective is to prevent unauthorised access to customer information. To this
end, we take exhaustive steps to identify and mitigate risks, implement best practices, and
constantly develop ways to improve.
Each Callbi customer’s data is hosted in our shared infrastructure but logically separated from other customers’ data.
Our simplest security tool is our rigorous deletion of unnecessary data. We have automated processes in place that ensure that we only keep data that we are contractually obliged to keep. Everything else is regularly deleted in a secure manner.
Each Callbi customer’s data is hosted in our shared infrastructure but logically separated from other customers’ data.
Our simplest security tool is our rigorous deletion of unnecessary data. We have automated processes in place that ensure that we only keep data that we are contractually obliged to keep. Everything else is regularly deleted in a secure manner.
Secure Applications
A key part of protecting customer data is ensuring that the software applications and APIs that
allow access to customer data are secure and cannot be abused to gain unauthorised access to
that data. Our development team has adopted a “secure by design” approach to our software
development efforts and work from a comprehensive list of secure engineering principles when
making changes or improvements to our apps. Our development methodology ensures that
security is addressed at each stage of the development process. All changes to the system are
logged and these logs are monitored periodically.
Encryption
We encrypt all customer data in transit, and call recordings are encrypted at rest using the latest
recommended secure cipher suites. Call transcripts are encrypted in all areas where possible.
Encryption keys are managed using standard best practices for cryptography.
Disaster Recovery and Business Continuity
Callbi makes use of AWS database clusters which is fault tolerant by design. The cluster volume
spans multiple Availability Zones in a single AWS Region, and each Availability Zone contains a
copy of the cluster volume data. This functionality means that your database cluster can tolerate
a failure of an Availability Zone without any loss of data and only a brief interruption of service.
Callbi also stores rolling backups (encrypted at rest within AWS) that can be used during a catastrophic failure to restore to any specific point in time for the past 7 days.
Callbi’s backend services are all load balanced and also fault tolerant by design. Multiple instances of the backend services span across different Availability Zones in a single AWS Region. The necessary automatic health checks and autoscaling and recovery services are implemented. There are no specific components that need to be manually restored if a hardware failure should occur.
A 7-day rolling backup copy of the production database is separately maintained in AWS, and recovery of the backups is tested at least annually.
Callbi also stores rolling backups (encrypted at rest within AWS) that can be used during a catastrophic failure to restore to any specific point in time for the past 7 days.
Callbi’s backend services are all load balanced and also fault tolerant by design. Multiple instances of the backend services span across different Availability Zones in a single AWS Region. The necessary automatic health checks and autoscaling and recovery services are implemented. There are no specific components that need to be manually restored if a hardware failure should occur.
A 7-day rolling backup copy of the production database is separately maintained in AWS, and recovery of the backups is tested at least annually.
Incident Response
Callbi has procedures in place to detect and respond to security threats. We have a defined
Formal incident response plan.
Risk Management
Callbi has a have a formal risk management policy to help us identify and mitigate risks.
Validation and Review
Even though we think we’re pretty good at security, we don’t trust ourselves completely. We
have our systems tested for security vulnerabilities on an annual basis. All results from these
assessments are fed back to our development team and our system is strengthened where
necessary.
