Technical & Organisational Security

Updated: May 19, 2020

Chatti provides a cloud communications platform for a wide range of customer and business needs. Recognising the importance of information security, we have invested considerable time and effort into ensuring our platform’s security. This document summarises various technical and organisational security measures we have implemented to protect our customers’ data from malicious or accidental destruction, alteration, loss, unauthorized access or disclosure.

Physical Access Control

Chatti is a technology partner of Vonage. Chatti’s data processing environment is built on the IBM SoftLayer platform with geographically distributed Tier IV data centres. IBM SoftLayer complies with various security standards - including ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO 22301:2012, ISO 31000:2009, HITRUST CSF v8.1, SOC 2, SOC 3 - and guarantees protection of physical infrastructure and facilities.

Chatti stores all production data in physically secure data centres, including IBM SoftLayer, Amazon and Google facilities. Chatti’s cloud storage vendors (Google Cloud Datastore, Amazon DynamoDB, and Amazon Simple Storage Service (S3)), are compliant with ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, SOC 2, and SOC 3. In addition, Google Cloud Datastore complies with NIST 800-171.

Chatti’s office facilities are secured by interior and exterior video surveillance, alarm systems, security gates, and doors equipped with access card readers or locks. Authorized visitors are provided with escort-controlled access.

System Access Control

Chatti data processing systems are designed to ensure only authorized access and processing of customers’ data.

Only a limited number of authorized personnel have access to the data processing environment via a VPN endpoint defining specific access scope based on the assigned functional role. Access scope is enforced on multiple levels including VLAN-based isolation at the data link layer. The authentication mechanism employed is two-factor, requiring possession of the machine with the VPN public/private key pair and knowledge of LDAP credentials. Password policy mandates that LDAP passwords to access the data processing environment follow composition, minimum size, reusability, and expiration rules.

The granting or modification of access rights follows an established workflow with a mandatory approval from the line management. Workflow tools provide accountability through recordkeeping.

All account actions can be traced to the particular user taking action on the account. The time, date, and type of action are recorded for all privileged account actions.

Data access and personnel security

Only properly authorized personnel are allowed to access and manage customer data. Team-wide security roles covering critical tools and applications are applied.

Chatti’s onboarding process mandates that domain credentials for each employee are requested by the HR function in a formal, accountable manner. Employment termination triggers revocation of issued credentials.

Chatti ensures that personnel are notified of significant requirements as well as personal and corporate consequences of engaging in improper activities. All employees complete a periodic mandatory security training and a Code of Conduct training covering business ethics and professional standards, each at least annually.

Customer access control & account management

Customers can manage their accounts through Chatti Customer Dashboard - a dedicated web page which supports two-factor authentication and IP address verification security mechanisms. If enabled, Chatti Customer Dashboard will in addition to customer’s password require a one-time verification code - an SMS sent to the phone registered on the customer’s account when the customer’s IP address differs from the one used previously.

Chatti Customer Dashbord password-based authentication utilizes secure hashing and salting to protect against impersonation and brute-force attacks.

Transmission Control

Chatti supports HTTPS and SMPP over TLSv1.2 as main protocols for encrypted communication. Chatti holds a public 4096-bit RSA-based wildcard certificate covering *.chatti.com for authentication purposes.

Customers are solely responsible for any decision to use unencrypted channels when consuming Chatti services.

Chatti does not provide telecom carrier services, and as such relies on carriers to secure SMS channels since the SMS standard does not provide for end-to-end encryption; encryption, if any, is determined by individual carrier.

Chatti supports secure SIP signaling over TLS for protection of multimedia communication control plane in inbound and outbound directions. Security, if any, of PSTN-terminated/originated SIP control channel is determined by individual carrier and cannot be guaranteed by Chatti. Media plane (voice path) encryption is currently not supported by Chatti.

Network security and segmentation

Chatti’s data processing environment is separated from the outside world and from the test environment with firewalls. Fine-grained segmentation inside production and test environments is achieved with the help of VLANs.

Chatti's data processing environment is comprised of Linux servers each being protected by a host-based firewall. Applications are grouped by types/categories and there is no platform sharing between applications of different types.

Vulnerability management

Chatti employs a three-fold vulnerability management strategy which includes proactive updates of 3rd-party applications, internal monthly vulnerability scans, and external penetration tests. Chatti keeps itself up to date with patches/upgrades and updates 3rd-party applications promptly as new versions are released. External penetration tests covering APIs, web applications, and SDKs are performed quarterly. External infrastructure vulnerability assessment is done annually.

Identified vulnerabilities are assessed on an individual basis. Chatti utilizes a risk-based approach to the patch management process and commits to mitigate vulnerabilities according to the following time frame:

a.  Critical, CVSS Score > 8 - in 30 days

b.  Severe, 4 ≤ CVSS Score ≤ 8 - in 90 days

c.  Other - in the next patch cycle

Emergency patching for threats of imminent danger to systems or data should occur within 7 days.

Change management

Chatti's development process is built on the principle of segregation of duties and employs mandatory reviews and approvals. Each change to production environment is submitted by Development, tested by Quality Assurance, and reviewed by Operations before deployment.

Web applications and APIs provided by Chatti go through a rigid assessment process which includes review of security controls following the OWASP Application Security Verification Standard. Assessment is done by the external entity.

Logging

Apart from system level logging to ensure traceability of account actions, Chatti commits to logging of all API requests to recognize, investigate, and protect customers from fraudulent activity. Among other information, logs contain: source IP, account Id, type of activity and timestamp. All successful/unsuccessful authentication attempts are logged and investigated, as appropriate.

Customers control and configure Chatti services through a portal (the Chatti Customer Dashboard). To provide an audit trail, all changes and actions performed using the customer dashboard are recorded.

Internal administration activities are performed via tools accessible only by authorized Chatti personnel. All activities including provisioning of Chatti services are logged.

Business continuity

Chatti’s business continuity planning incorporates procedures to sustain critical functions, backup and recover data, and protect company assets.

Single points of failure are eliminated for critical services with multi-node and multi-channel network design and load-balancing strategy.

Chatti follows a Data Backup Policy which mandates regular backups of configuration and account data required for continuous service operation and usage of off-site storage, and daily data restoration tests where appropriate.

Media protection and end-user security

Chatti recognizes a potential internal attack surface originating from compromised end-user machines used by Chatti employees, and to mitigate this threat implements a set of security measures including hard drive encryption, secure data erasure upon laptop decommissioning, virus/malware protection with automated updates, browsing/traffic control, and centralized domain-based authentication.

Data encryption and secure data redaction

Chatti utilizes two main strategies to protect customer’s data: data encryption for long-term data and limited data retention for short-lived data.

Chatti retains data processing logs for a minimum of three days.

Chatti provides, upon customer’s request and subject to applicable legal requirements, a true data anonymization by means of data redaction. Data redaction is a one-way process that substitutes original data with a predefined set of characters that reveals no information on the original data except that it was anonymized.

Report a security vulnerability

If you believe that you have found a Chatti security vulnerability, please email us security@chatti.com .