Security and Compliance
At ConnectyCube, we take the security and privacy of your data seriously. Our commitment to safeguarding your information is at the core of everything we do. Explore our comprehensive security measures and privacy practices below to understand how we protect your data and ensure a safe and secure experience for all users.
Client-side Security Measures
- By default, the data is encrypted in transit via state-of-the-art protocols:
  - HTTPS for server API communication
  - TLS for real-time messaging
  - SRTP, SCTP, DTLS for calling
- Session token - a uniquely generated, signed, per-user OAuth 2.0 session access token is used to authenticate each API request. A session token provides temporary, secure access to app features. It is an opaque string that identifies a user and an application. It informs the API that the bearer of the token has been authorized to access the API and perform the specific actions allowed by the scope that has been granted.
- Chat messages are stored in plain form at the backend, hence search & navigation across chat history is possible.
  - Another level of encryption can potentially be added via E2EE.
  - Text data is transferred between users via the secure TLS protocol.
- Voice/Video calling - a standard WebRTC encryption stack with secured media and data channels is used. Media data is transferred between users via the secure SRTP, SCTP and DTLS protocols.
  - All the calls are E2EE by default.
- Multi-factor Authentication - MFA increases security for your account. A user can enable MFA in the app settings. The user will then be required to enter a time-based one-time password (TOTP) generated by the authenticator app, which is used as an additional authentication layer.
Server-side Security Measures
- High Availability and Disaster Recovery:
  - We implement redundant server architecture with failover mechanisms to ensure continuous availability of services.
  - Deploy geographically distributed data centers or cloud regions to mitigate the impact of localized outages or disasters.
  - Develop and test comprehensive disaster recovery plans and procedures to minimize downtime and facilitate rapid recovery in case of system failures or disasters.
- 24/7 Uptime Monitoring:
  - Utilize monitoring tools and services to continuously monitor server performance, availability, and uptime.
  - Set up automated alerts and notifications to promptly identify and respond to potential issues or disruptions.
  - Implement proactive monitoring and incident response procedures to maintain 24/7 uptime and minimize service disruptions.
- GDPR Compliance:
  - Ensure compliance with the General Data Protection Regulation (GDPR) by implementing data protection measures and privacy controls.
  - Obtain explicit consent from users before collecting, processing, or storing their personal data.
  - Implement data encryption, pseudonymization, and anonymization techniques to protect the privacy and confidentiality of user information.
- HIPAA Compliance:
  - Comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations when handling protected health information (PHI).
  - Implement stringent security controls and safeguards to protect PHI from unauthorized access, disclosure, and misuse.
  - Conduct regular risk assessments and audits to ensure HIPAA compliance and mitigate potential security risks and vulnerabilities.
- Data Encryption at Rest and in Transit:
  - Encrypt sensitive data at rest using strong encryption algorithms and cryptographic techniques to protect it from unauthorized access.
  - Use secure communication protocols, such as TLS/SSL, to encrypt data transmitted between clients and servers, ensuring confidentiality and integrity during transit.
- On-Premise Considerations:
  - Maintain full control and visibility over server infrastructure by hosting servers on-premises within your own data center or private cloud environment.
  - Implement physical security measures, such as access controls, surveillance cameras, and environmental controls, to protect server hardware and facilities from unauthorized access, theft, and environmental hazards.
Privacy Practices
The following privacy practices are applied at ConnectyCube:
- Data Minimization: We collect and process only the data necessary to provide our services and fulfill our contractual obligations. We adhere to the principle of data minimization to limit the collection, storage, and use of personal information to the extent required for legitimate business purposes.
- User Consent: We obtain explicit consent from users before collecting, processing, or sharing their personal information. We provide clear and transparent information about our data practices, including the purposes of data processing, the types of data collected, and the rights of users regarding their data.
- Data Anonymization: Where feasible, we anonymize or pseudonymize personal data to protect user privacy. By removing or encrypting personally identifiable information (PII), we reduce the risk of unauthorized disclosure and enhance the privacy of user data.
- Data Retention Policies: We establish data retention policies and procedures to govern the storage and deletion of user data. We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law, and we securely dispose of data when it is no longer needed.
- GDPR Compliance: We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws and regulations. We respect the privacy rights of individuals and provide mechanisms for users to exercise their rights, including the right to access, rectify, and delete their personal data.
Request additional consultancy regarding Security and Compliance in ConnectyCube