Information Security
and Compliance

VCC Live’s global data centers provide our clients with strong performance, reliability, and security. What’s more, by using different vendors from around the world, we reduce the risk of vendor dependency. 

All of VCC Live’s data centers provide high availability (Tier 2/3) and each hold the following certifications: ISO/IEC 27001:2013, ISO 22301:2019, ISO/IEC 20000-1:2018, ISO 14001:2015, and ISO 9001:2015.

Network and endpoint security are paramount in ensuring the safety of an organization’s digital assets.

To achieve robust protection, we use the following measures:

• Multiple firewall layers and strict firewall rules to control incoming and outgoing traffic
• Independent third-party penetration tests to identify and rectify potential vulnerabilities
• Network segmentation to minimize the impact of potential breaches
• Security incident event management (SIEM) system to monitor and respond to security incidents
• Intrusion detection systems (IDS) and Intrusion prevention systems (IPS) for real-time threat detection and mitigation
• Vulnerability management practices are in place to prevent potential exploitation
• Comprehensive malware protection is implemented to safeguard against malicious software threats

Our business continuity program begins with a thorough risk management and risk analysis process to proactively identify potential threats and prevent them from impacting our operations.

We have comprehensive business continuity plans and a restoration program, along with disaster recovery capabilities that enable us to switch seamlessly among data centers if needed. We regularly conduct data and service recovery tests and closely monitor recovery point objectives (RPO) and recovery time objectives (RTO). Our backup management is meticulous, involving daily backups of configurations and real-time replicas of databases, which not only ensures better RPO and RTO values but also minimizes any service disruptions.

To safeguard client data, we utilize a multiple redundant storage system for storing audio files. Additionally, our infrastructure is designed with redundancy in mind, encompassing redundant networks, electricity, standby critical ITC resources, and high availability systems.

In the event of incidents, our incident management and response plan ensures a swift reaction to prevent data leakage and escalate issues as necessary. We conduct root cause analyses as part of our continuous improvement process to prevent similar issues from occurring in the future, promoting ongoing enhancement and optimization of our business continuity measures.

We take vendor security seriously by conducting thorough business and security reviews for all vendors involved in providing our main services. This practice ensures that our vendors meet the necessary security standards and align with our commitment to safeguarding data and maintaining a secure environment for our clients and their information.

Operational security is prioritized through adherence to industry standards and requirements throughout our entire operational process. We maintain a robust hardening program that enhances the security of our infrastructure from the outset and consistently conduct patch management and vulnerability scans.

To bolster security further, all user activity is diligently logged, and we actively monitor and investigate any suspicious activity as soon as it arises, ensuring a proactive approach to identifying and mitigating potential threats.

VCC Live prioritizes robust user access management to ensure the highest level of security. We strictly adhere to the least privilege principle, applying it both for our clients and our own employees.

To enhance account protection, we implement a strong password policy and support two-factor authentication (2FA) for an additional layer of security. Our clients have the flexibility to configure account access protection through customizable password policies and 2FA options.

Additionally, we offer single sign-on (SSO) functionality via OAuth 2.0, allowing client-side identities to be delegated to log in to our systems securely and with simplicity.

For added security, user access can also be restricted to specific whitelisted IP addresses, granting an extra layer of control and protection.

Data at rest is stored data that is not moving from one device to another (data in transit).

To further enhance data security, all data stored in the server’s storage is encrypted using an industrial-standard strong encryption method, specifically AES-256 encryption. This encryption ensures that data remains secure even if unauthorized access to the storage occurs.

Data in transit is data that is being transferred between different locations.

All data exchanges between our clients and the central system are conducted using the latest secure protocols, including HTTPS/WSS with TLS1.2 or higher encryption.

For media transfer, a secure streaming protocol (sRTP/custom) is employed throughout the entire VCC system, guaranteeing the confidentiality of media content.

To further enhance security, perfect forward secrecy (PFS) is applied, minimizing the impact of any potentially compromised encryption keys between the client and central system.

We also utilize secure channels, such as virtual private networks (VPNs), to safeguard communication among data centers. Additionally, these secure channels can be configured to provide protected user access, ensuring that sensitive data remains secure and confidential during transit.

Product security is paramount at VCC, and our platform is equipped with robust features to safeguard user data and communications.

We offer configurable IP filtering for data transfer via API calls. This feature empowers users to define and restrict authorized IP addresses, ensuring that data exchange occurs exclusively with trusted sources.

For email security, we ensure comprehensive protection with spam filtering and virus scanning for incoming emails, safeguarding against potential threats. Additionally, we employ email signaling mechanisms for mass email transfer such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify email authenticity and prevent spoofing.

In chat interactions, we enforce file restrictions to prevent the exchange of potentially harmful files or content. To uphold user privacy, we offer automatic deletion of emails and chat messages after a user-configurable period, with anonymization applied if no tickets are linked to them, ensuring data retention aligns with user preferences.

For transparency and accountability, all activities are meticulously recorded in audit logs, which are securely stored in a central logging system. This feature allows for easy tracking and auditing of all actions taken within the platform, enabling efficient monitoring and ensuring compliance with security and privacy standards.

Secure development practices are at the core of our approach at VCC, ensuring the highest level of security for our software.

Throughout the entire development process, from design to coding, code reviews, and testing, we incorporate secure coding principles and provide training to our developers. This emphasis on security helps to mitigate potential vulnerabilities and risks from the earliest stages.

To fortify our systems, we conduct regular and thorough security testing, which includes internal exploratory tests and third-party penetration tests. This comprehensive approach allows us to identify and address any potential weaknesses proactively.

In addition to secure coding and testing, we prioritize software composition analysis (SCA). We go beyond by maintaining an extended SCA that analyzes third-party libraries and dependencies, as well the robustness of our own written code. By conducting regular analyses, we can promptly identify and address any vulnerabilities, ensuring that our software remains secure and robust.