Fuze Data Protection

Introduction

Security and privacy requirements are extremely important when it comes to business communications. Unauthorized access or mishandling of information could have a significant negative impact on an organization. A leaked product roadmap or a breach of financial, personally-identifiable, or health information could cause irreparable damage to a company’s reputation, financial position, and/or competitive advantage in the marketplace.

Fuze considers the protection of customer data and the transparency of our security posture of the utmost importance. We make every effort to ensure that data is secure and shielded from eavesdropping and unauthorized access. A defense-in-depth approach is employed across the Fuze platform whereby multiple layers of security work together to deliver reliable service in a trusted environment.

Security in Depth

All data created in the Fuze platform belongs to our customers. Under no circumstances does Fuze sell this data to third parties. Details of the Fuze Privacy Policy can be found at fuze.com/product-privacy-statement.

Security Organization

A dedicated security team manages our comprehensive security program and reports quarterly to a security council of cross-functional leadership and to the board of directors’ audit committee. The security team conducts regular audits of operational processes, coordinates all penetration testing activity, and works closely with engineering to provide information security governance for the Software Development Life Cycle (SDLC).

People Security

  • Personnel Verification - Fuze completes background checks on all employees and contractors.
  • Information Security Training & Education - All new Fuze employees are required to complete security awareness training during their on-boarding, and all employees are mandated to complete annual security awareness and data privacy training.
  • Access Management - We actively reduce the attack surface of our platform by limiting the number of personnel with access to production. We employ a role-based access control (RBAC) model, the principle of least privilege, and multi-factor authentication for access to production systems.
  • Feedback and Reporting - Fuze understands the important role that security researchers play in keeping our systems and software secure. We publish guidelines for the responsible disclosure of product vulnerabilities on our website and respond to all inquiries within 24 hours.

Product Security

  • Secure by design - We inject security best practices into every step of our development lifecycle. Security is built into checkpoints from when a developer begins design and checks in code to when a build is validated and deployed.
  • Vulnerability Management - We aggressively hunt for bugs and weaknesses in our software using the following practices:
    • SDLC processes include adherence to the OWASP Top 10 list
    • Peer reviews of source code are conducted prior to product builds
    • Automated Software Scanning with Veracode
      • Source code vulnerability scanning
      • Open source scanning to ensure license compliance and vulnerability management
  • Internal Penetration Testing - As a continuous effort, Fuze’s internal security team regularly tests the Fuze platform against the latest security threats.
  • Third-Party Penetration Testing - Unauthenticated and authenticated third-party penetration testing is commissioned for every client endpoint and all web properties.
  • Threat Modeling - Optimizes security by identifying threats and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, those threats to the platform.
  • Encryption-in-transit - For all Fuze endpoints without requiring VPN.
  • Encryption-at-rest - For certain data stored in the platform.
  • Data Retention - Customer data is retained based on defined retention periods or retained only as required to deliver Fuze platform services.
  • Change Management - Regular change reviews, documented change requests and approval, post-deployment verification, and roll-back procedures.
  • Patch Management - Required and deployed patches are documented and tested on non-production environments before production deployment and include roll-back contingencies.
  • Account Security - Fuze can integrate with the customer’s directory service through SAML 2.0. Alternatively, if native Fuze authentication is used, passwords are stored in a salted, one-way hash.
  • Data Isolation - Customer data is logically separated and secured through access control lists.

Cloud and Network Infrastructure Security

  • Defense-in-Depth - Multiple layers of security are implemented to ensure customer data remains safe. These layers include physical, network, system, and application levels of security protocol.
  • Infrastructure Management - Access to platform networks, data, and infrastructure is limited to employees with proper authentication, authorization, and documentation.
  • Configuration Management - Configuration changes to assets are automatically identified to ensure no unauthorized changes to production systems occur.
  • Network Monitoring - All data center assets are continuously monitored to ensure adequate performance and capacity are available for our customers.
  • Fraud Prevention - Default disabling of premium, international, and voicemail dial out calling, as well as automated blacklist functionality.
  • Fraud Detection - Fuze personnel are notified when the carrier detects aberrations on their networks, and alerted when the platform detects potential fraudulent activity.

Physical Security

  • Tier 4 Data Centers - Our data centers are equipped with redundant HVAC and power, raised floors, electronic access control, biometric scanners, alarms and video surveillance, 24/7 guard presence, and geographic redundancy.
  • AWS - More information on the physical and operational security processes for network and server infrastructure under the management of AWS can be found here.
  • Offices - Physical security controls include access control and audit trail for employees and visitors, video monitoring of all entrance and exit points, delimited security perimeters with additional security for places such as storage rooms, power and AC rooms, employee awareness training, and periodic testing of physical controls.

Data Encryption - In Transit

  • UC Voice - TLS for SIP (session) and AES 128-bit for SRTP (media)
  • Fuze Meeting - TLS for SIP (session) and AES 128-bit for SRTP (media)
  • Customer Portal - HTTPS with TLS
  • Mobile Application - HTTPS with TLS
  • Fuze Desktop - HTTPS with TLS

Data Encryption - At Rest

  • Call Recording - AES 256-bit
  • Uploaded Fuze Meeting Content - AES 256-bit
  • Fuze Meeting Recordings - AES 256-bit
  • Fuze Chat History - AES 256-bit

Vulnerability Management & Monitoring

  • Incident Response Program - Fuze has a clearly defined process for classifying, assessing, prioritizing, and mitigating security incidents.
  • Continuous Monitoring - Fuze is committed to trust and transparency. In addition to the monitoring at the infrastructure level, we provide communication and updates on any incidents via status.fuze.com.
    • Incident Logs
    • DDoS Detection and Prevention

Disaster Recovery & Business Continuity

  • Recovery Planning - Fuze regularly reviews and updates the defined Disaster Recovery and Business Continuity plans.
  • Regional & Global Resiliency - Geographically and globally redundant data center locations combined with services delivered from multiple AWS regions.
  • Customer Data Backups - Fuze utilizes secure backups of customer data and replicates data to a secondary Fuze data center for full redundancy.

Security Assessments and Compliance

Independent audit and verification is essential in any security framework. Fuze undergoes assessment through third parties and major industry parties. These assessments provide assurance that Fuze has the security controls in place to safeguard customer data.

ISO 27001
AICPA SOC
AICPA SOC 2
ISAE 3402
GDPR
HiTrust
Veracode
CSA Star
HIPAA compliant
Privacy Shield Framework

Ready to learn more about Fuze Security? Visit Why Fuze.