Compliance
Callsign is proud to be externally verified as compliant with the following standards and can provide supporting evidence and information about the controls we have in place in specific relation to these standards.
ISO accreditations
ISO 27001
Callsign has implemented an Information Security Management System certified since 2018. This validates that Callsign has met rigorous international standards in ensuring the confidentiality, integrity, and availability of customers’ information.
ISO 27018
Additional guidelines to ensure data privacy and protect personally identifiable information (PII) in cloud computing.
ISO 27017
Provides additional specific information security controls for cloud service providers to reduce security risk in a cloud-based environment.
System and Organization Controls
SOC 2 (Type II)
Callsign has certified its systems to SOC 2 Type II through a leading AICPA-accredited independent auditor who has assessed the operational and security processes of our service and our company.
Security policies
Our security policies, standards and controls cover a wide range of areas including information security, crisis and incident response, access control, physical security, network security, vulnerability management, software/systems development life cycle, secure development, change management, third-party risk management, disaster recovery and business continuity.
Cloud security
Callsign is a cloud-native organization and has policies and procedures to ensure the confidentiality, integrity and availability of data. Callsign services are built in line with the AWS Well-Architected Framework for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud.
Access control
Callsign uses role-based access control (RBAC) and an identity management system to identify, authenticate, and validate access to systems or resources. Multi-factor authentication is required to access systems, and remote access to our clients' platform is strictly controlled using a Privileged Account Management (PAM) solution providing just-in-time access.
Our policies and technical access controls prohibit staff from accessing our clients' systems and information without a valid business need.
Callsign staff only use laptops managed by Callsign IT which are encrypted by default and protected with anti-malware and DLP controls.
Encryption
Data is transferred securely across public networks using Transport Layer Security (TLS) with 128-bit or higher Advanced Encryption Standard (AES) encryption. Data is also stored securely at rest with AES-256 encryption. Encryption keys are stored separately from the encrypted data and managed securely by Callsign's cloud service provider.
Vulnerability management
Callsign's Offensive Security Team performs regular application and infrastructure vulnerability and penetration testing. Callsign contracts with leading CREST-accredited third-party security specialists and a bug bounty provider to proactively identify vulnerabilities and complete remediation in a timely manner.
Dedicated dependency monitoring and code review scanning tools are in place to continually inspect source code and prevent the introduction of vulnerabilities into Callsign's products.
Human resources
Callsign promotes a culture of security, so staff understand its importance. Before hiring, we conduct rigorous background checks and require new hires to sign confidentiality agreements. Staff must complete annual training for security, data privacy, fraud awareness, ABC and AML.
Operations and change management
Callsign manages changes through a Change Advisory Board (CAB) which meets regularly to review change requests. Change control includes change requests, initiation, documentation requirements, development practices, and quality assurance testing.
The Technology team maintains systems through a software development life cycle (SDLC) procedure that guides the documentation and implementation of application and infrastructure changes. Callsign has separate production and non-production environments with version control and rollback capabilities, if needed.
Callsign monitors the use of cloud resources, including daily backups, and plans for future capacity requirements to ensure the required system performance.
Logging and monitoring
Security event logs are centrally stored, and any alerts are managed by Callsign’s Security Operations Center (SOC) and monitored 24x7x365.