Secure Cloud Communications
Physical security: State-of-the-art on-premises security for all of our distributed computing and storage networks worldwide.
Network security: All data entering and leaving Plivo is encrypted with TLS/HTTPS.
Application security: Encryption and authentication for secure and efficient access of Plivo’s APIs.
Data security and privacy: Backup encryption and account access limitations to mitigate risk and threats to our customer data.
Payment security: Use of leading industry transaction processing vendors to protect all transactions and payment information.
ensure physical, network, application, data, and payment security.
Physical on-premises security
All of our data centers and hosting partners are housed in state-of-the-art facilities with industry-standard access controls and physical security measures.
AWS provides dedicated 24/7 state-of-the-art electronic surveillance and physical security measures at all of our server locations, including foot patrols, security logs, and perimeter inspections.
Only authorized Plivo personnel are granted access credentials to our data centers. Every access is also logged and reviewed to ensure that our systems are not breached by internal threats.
All activity on our servers are logged, and we review historical reports for system change tracking, security analysis, and compliance auditing.
Plivo uses cloud storage and compute services from Amazon Web Services (AWS). We do not own or maintain hardware located in the AWS data centers; we operate under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, edge locations, operating, managing and controlling the components from the host operating system, virtualization layer and storage) and Plivo is responsible for securing the application platform deployed in AWS (i.e. applications, identity access management, operating system and network virtual security groups configuration, network traffic, server-side encryption).
Infrastructure security and availability
We guarantee infrastructure security and 99.99% uptime by deploying the latest technology and best practices to keep our platform online and performing optimally.
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties, and any vulnerabilities found are fixed.
Redundant links reroute traffic over backup networks in less than two seconds in case of backbone failover. We employ multiple instances and redundant servers with active pairs that are automatically triggered in the event a failover is required.
All of our facilities offer 100% power and HVAC functionality in any given month. Trained specialists monitor and maintain hardware components on-site at each of our six global points of presence.
We distribute workloads across multiple resources to optimize response times, maximize throughput, and avoid single points of failure.
We aim to connect to multiple carriers in each country. At a minimum, we connect to at least two local carriers in each country. If a carrier fails, our systems automatically load balance and divert traffic through other reliable carriers.
We use automated systems to deploy new code to clusters in real time to ensure smooth transitions between software updates with no downtime. All of our infrastructure and data is distributed across multiple AWS availability zones and will continue to work should any one of those data centers fail.
Defensive systems embedded at multiple points and layers across the infrastructure and server environment work to protect our systems from unauthorized, potentially harmful, malicious, and problematic traffic and input. These defensive systems are automated, monitored, and logged. Each system uses firewalls to restrict access to systems from external networks and between systems internally. To mitigate internal and external risk, access to systems is restricted to only the ports and protocols required for specific business needs.
Thousands of customer applications across the globe communicate securely with Plivo through our Voice and SMS APIs. We use three primary tools for application security and authentication.
To prevent unauthorized account access, each session requires the account username and a strong passphrase for access to each Plivo account. We also require phone number verification delivered through an SMS text message or a voice call to the user’s phone to activate new accounts.
We employ unique Authentication IDs and Authentication tokens for every user to ensure that only authorized people have access to accounts. Organizations can renew token-based service authentication at any time by generating a new authentication token through the Plivo console.
All web session traffic between customer applications and Plivo is encrypted using TLS (transport layer security). The TLS protocol provides data encryption and authentication between your applications and our servers and prevents third parties from stealing information. All data entering or leaving Plivo infrastructure is encrypted with TLS/HTTPS.
Data security and privacy
Our APIs can log and record data so that our customers can assess platform behaviors. Because user data such as account information and call logs and recordings can be sensitive, we take precautions to mitigate risks and threats to it. We also offer customers with sensitive data a no-log option, where SMS messages and DTMF actions are not saved on our systems at any point.
For customer data protection, Plivo provides logical tenant separation, encryption in transit (TLS 1.2 or greater) and encryption at rest (256-bit Advanced Encryption Standard (AES-256), one of the strongest encryption standards available for electronic data). All customer data is logically separated and not accessible to other tenants.
Administrative access privileges within the production environment are restricted to authorized personnel. Internally, only Plivo employees who require customer data access as part of their job functions — such as customer support, development, and security teams — are permitted to access customer data. Plivo’s policies and procedures limit and log all external and internal access to customer data and request management approval prior to access.
We perform regular backups on all Plivo customer data hosted on AWS’s data center infrastructure, including account information, call logs, SMS logs, and call recordings. Backed-up customer data is retained redundantly across multiple availability zones. All backups are stored redundantly and are encrypted using AES-256.
All laptop devices issued to Plivo employees come with encrypted storage partitions and MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. In addition, we have the ability to remotely wipe a device in the event of it being lost or stolen.
Payment security is a critical component for our customers. We use an industry-leading payment platform for all of our transactions.
To ensure that we deploy the highest security measures, we don’t store any credit card information on our servers. Instead, all credit card information is encrypted using AES-256 and handled by our payment platform provider.
Our payment platform provider is PCI DSS (Payment Card Industry Data Security Standard) compliant, which means that they’re validated and held to the same industry standards as all major credit cards, including Visa, Mastercard, and American Express.
Plivo adheres to high operational standards and provides policies and practices for security audits, incident response, and privacy. Plivo’s network status and incident reports are publicly available in real time.
As part of Plivo’s service-level agreements to all customers, we respond to priority 1 business-critical incidents around the clock, 365 days a year. We also monitor our infrastructure through two network operations centers (NOC) and security operations centers (SOC) and use third-party notification and alert systems to identify and manage threats.