Information Security and Compliance

As a leading contact center software provider, VCC Live works diligently to ensure its information security and compliance are exceptionally robust.

This commitment is critical in protecting client and customer data, remaining compliant with laws and regulations, and mitigating risk as much as possible.

Safeguarding our clients and their customers

On this page, we provide extensive details about our information security and compliance measures. These include:

VCC Live maintains UKAS-accredited ISO certifications relating to the management of information security and maintaining effective business continuity plans.

ISO 27001:2013

The world-renowned standard for information security management systems (ISMS). In line with the certification’s requirements, VCC Live maintains its ISMS to ensure standards are met across risk management, cyber-resilience, and operational excellence.

Certification available here.

ISO 22301:2019

The international standard for business continuity management (BCM). In line with the certification’s requirements, VCC Live implements a robust management system to protect, reduce the likelihood of, and recover from disruptions should they arise.

Certification available here.

VCC Live complies with the Payment Card Industry Data Security Standard (PCI DSS). As such, we adhere to the policies and procedures for protecting card transactions and preventing misuse of cardholders’ personal information.

The company has been PCI-certified since 2015. This measure is fundamental to our over-the-phone card payment solution, a feature that’s in use by client organizations all over the world.

Certification available here.

VCC Live maintains compliance with GDPR through a number of measures to ensure the lawful processing and handling of data. We uphold a transparent approach and this is detailed in several key documents, including our data processing agreement, general terms of agreement, and privacy policy.

To further enhance its information security practices, VCC Live aims to acquire the additional certification SOC 2 in 2024. This audit is to ensure best-practice handling of sensitive information by cloud-based service providers.

As well as the certifications detailed above, VCC Live also applies a number of recommendations in its practices. These include:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework for best-practice management of cybersecurity risk
  • Center for Internet Security (CIS) Benchmarks for best-practice approaches for securing systems, software, networks, and cloud infrastructure
  • Hungarian National Bank (MNB) guidance on how financial institutions should use social and public cloud services
  • Open Web Application Security Project (OWASP) for recommendations on developing secure software and applications
  • SANS 25 detailing the most common and dangerous software weaknesses to protect the platform from

Global data centers

VCC Live’s global data centers provide our clients with strong performance, reliability, and security. What’s more, by using different vendors from around the world, we reduce the risk of vendor dependency. 

All of VCC Live’s data centers provide high availability (Tier 2/3), and each holds the following certifications: ISO/IEC 27001:2013, ISO 22301:2019, ISO/IEC 20000-1:2018, ISO 14001:2015, and ISO 9001:2015.

Network and endpoint security

Network and endpoint security are paramount in ensuring the safety of an organization’s digital assets.

To achieve robust protection, we use the following measures:

  • Multiple firewall layers and strict firewall rules to control incoming and outgoing traffic
  • Independent third-party penetration tests to identify and rectify potential vulnerabilities
  • Network segmentation to minimize the impact of potential breaches
  • Security information and event management (SIEM) system to monitor and respond to security incidents
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) for real-time threat detection and mitigation
  • Vulnerability management practices to prevent potential exploitation
  • Comprehensive malware protection to safeguard against malicious software threats

Business continuity

Our business continuity program begins with a thorough risk management and risk analysis process to proactively identify potential threats and prevent them from impacting our operations.

We have comprehensive business continuity plans and a restoration program, along with disaster recovery capabilities that enable us to switch seamlessly among data centers if needed. We regularly conduct data and service recovery tests and closely monitor recovery point objectives (RPO) and recovery time objectives (RTO). Our backup management is meticulous, involving daily backups of configurations and real-time replicas of databases, which not only ensures better RPO and RTO values but also minimizes any service disruptions.

To safeguard client data, we utilize a multiple redundant storage system for storing audio files. Additionally, our infrastructure is designed with redundancy in mind, encompassing redundant networks, electricity, standby critical ICT resources, and high-availability systems.

In the event of incidents, our incident management and response plan ensures a swift reaction to prevent data leakage and escalate issues as necessary. We conduct root cause analyses as part of our continuous improvement process to prevent similar issues from occurring in the future, promoting ongoing enhancement and optimization of our business continuity measures.

Vendor security

We take vendor security seriously by conducting thorough business and security reviews for all vendors involved in providing our main services. This practice ensures that our vendors meet the necessary security standards and align with our commitment to safeguarding data and maintaining a secure environment for our clients and their information.

Operational security

Operational security is prioritized through adherence to industry standards and requirements throughout our entire operational process. We maintain a robust hardening program that enhances the security of our infrastructure from the outset and consistently conduct patch management and vulnerability scans.

To bolster security further, all user activity is diligently logged, and we actively monitor and investigate any suspicious activity as soon as it arises, ensuring a proactive approach to identifying and mitigating potential threats.

User access management

VCC Live prioritizes robust user access management to ensure the highest level of security. We strictly adhere to the least privilege principle, applying it both for our clients and our own employees.

To enhance account protection, we implement a strong password policy and support two-factor authentication (2FA) for an additional layer of security. Our clients have the flexibility to configure account access protection through customizable password policies and 2FA options.

Additionally, we offer single sign-on (SSO) functionality via OAuth 2.0, allowing client-side identities to be delegated to log in to our systems securely and with simplicity.

For added security, user access can also be restricted to specific whitelisted IP addresses, granting an extra layer of control and protection.

Data at rest

Data at rest is stored data that is not moving from one device to another (data in transit).

To further enhance data security, all data stored in the server’s storage is encrypted using an industry-standard strong encryption method, specifically AES-256 encryption. This encryption ensures that data remains secure even if unauthorized access to the storage occurs.

Data in transit

Data in transit is data that is being transferred between different locations.

All data exchanges between our clients and the central system are conducted using the latest secure protocols, including HTTPS/WSS with TLS 1.2 or higher encryption.

For media transfer, a secure streaming protocol (SRTP/custom) is employed throughout the entire VCC system, guaranteeing the confidentiality of media content.

To further enhance security, perfect forward secrecy (PFS) is applied, minimizing the impact of any potentially compromised encryption keys between the client and central system.

We also utilize secure channels, such as virtual private networks (VPNs), to safeguard communication among data centers. Additionally, these secure channels can be configured to provide protected user access, ensuring that sensitive data remains secure and confidential during transit.

Product security

Product security is paramount at VCC, and our platform is equipped with robust features to safeguard user data and communications.

We offer configurable IP filtering for data transfer via API calls. This feature empowers users to define and restrict authorized IP addresses, ensuring that data exchange occurs exclusively with trusted sources.

For email security, we ensure comprehensive protection with spam filtering and virus scanning for incoming emails, safeguarding against potential threats. Additionally, we employ email signaling mechanisms for mass email transfer such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify email authenticity and prevent spoofing.

In chat interactions, we enforce file restrictions to prevent the exchange of potentially harmful files or content. To uphold user privacy, we offer automatic deletion of emails and chat messages after a user-configurable period, with anonymization applied if no tickets are linked to them, ensuring data retention aligns with user preferences.

For transparency and accountability, all activities are meticulously recorded in audit logs, which are securely stored in a central logging system. This feature allows for easy tracking and auditing of all actions taken within the platform, enabling efficient monitoring and ensuring compliance with security and privacy standards.

Secure development

Secure development practices are at the core of our approach at VCC, ensuring the highest level of security for our software.

Throughout the entire development process, from design to coding, code reviews, and testing, we incorporate secure coding principles and provide training to our developers. This emphasis on security helps to mitigate potential vulnerabilities and risks from the earliest stages.

To fortify our systems, we conduct regular and thorough security testing, which includes internal exploratory tests and third-party penetration tests. This comprehensive approach allows us to identify and address any potential weaknesses proactively.

In addition to secure coding and testing, we prioritize software composition analysis (SCA). We go beyond this by maintaining an extended SCA that analyzes third-party libraries and dependencies, as well as the robustness of our own written code. By conducting regular analyses, we can promptly identify and address any vulnerabilities, ensuring that our software remains secure and robust.

At VCC, privacy is our topmost priority, and we go to great lengths to ensure the highest level of security and compliance with local and international legal requirements.

From the very beginning to the end, we implement a host of logical and operational measures to fortify privacy. This includes:

  • Designating a dedicated Data Protection Officer
  • Conducting thorough employee security awareness training programs
  • Providing internal privacy training
  • Implementing general access management and the least privilege principle
  • Including password and identification controls
  • Storing data in encrypted storage and using secure data destruction (SDD) practices
  • Enforcing strong endpoint security and border protection to prevent data leakages
  • Using classified and segregated zones, such as separate development, test, and production environments, to avert accidental data incidents.

Moreover, we adhere to a strict “no data sharing among customers” policy, safeguarding customers’ privacy as the utmost priority. We maintain separate databases for each client, ensuring that access is limited and controlled to provide an additional layer of protection and confidentiality.

Want to learn more?

Contact VCC Live to discuss our data security measures and any of your requirements.