001- Server security
Malware protection is used on all servers and endpoints connecting to production systems to ensure a secure environment. Backup copies of production data are created and tested on a regular basis to ensure continuous data availability. Redundant hardware and fail-over capabilities are ensured for backup systems, mostly including offsite (remote) storage.
002- Backup security
Backups are encrypted, with physically secured access. Hardware failures on media containing production data are handled exclusively by Infobip personnel, i.e. no 3rd party is allowed to transfer the media out of secure data centre premises.
003- Monitoring activity of platform
Critical information regarding platform operations and customer data (such as creating, modifying and deleting data, as well as warnings, exceptions, faults and information security events) are properly logged and are monitored and managed 24/7 by Support, Networking and Technical and organisational measures 11 Security Operations teams.
004- Recording Log-ins
Logs retention varies depending on the criticality and storage systems. API requests logs retention period range from 4 to 10 days (due to excessive storage requirements). Customer User Portal (CUP) audit (authentication) logs are preserved by default for 30 days. Extension of the retention period can be requested, subject to discussion due to the storage requirements.
Security/audit logs (including successful and failed authentication attempts to core production servers) are collected, analyzed and stored securely on the central logging system. Special (extended) logging principles are applied for PCI DSS scoped environments.
005- Messages Sent Records
Call Data Records (CDRs) containing metadata regarding message traffic are preserved for several months, due to several legitimate business reasons:
- lawful purposes,
- tax/audit purposes,
- billing/dispute processes,
- clients’ requests (troubleshooting, analysis/reports),
- Detecting/ preventing, and investigating spam,
- fraudulent activity, network exploits and abuse.
PCI DSS and critical security/audit logs are retained for a minimum of 12 months.
006- Internal Security
Business data confidentiality from employees perspective is ensured by security and privacy awareness programs and signing of very strict NDA guaranteeing he/she will not misuse confidential information, penalties applied.
007- Further development of security
Logging infrastructure upgrade is being implemented in terms of new communication logs management system, offering more robust and scalable solution. All parts of the email system are monitored in detail: anti-spam servers, main email system servers, load balancers and client access servers. Alerts are sent from multiple monitoring systems to dedicated mailing groups, supervised by redundant support personnel. Logs encryption initiative is currently undergoing, aiming to secure maximum possible extent of data, depending on the available technology.