Data security
As a company who keeps security at the heart of its products, nothing is more important to us than the security of our subscriber organisation data. Security is part of our DNA and we go above and beyond to implement robust processes and the fundamentals of information security to ensure we protect our subscriber organisation information.
The specific controls and approaches we take to secure our subscriber organisation information and the different aspects of our business, from the office we use, to our third parties, access control, and prevention and detection strategies, etc. are summarised below:
Responsible disclosure | Maintaining the security of our systems and networks is a high priority to Callsign. Our information technologies provide critical services to our customers, Callsign employees and contractors. Recognising that the broader security research community regularly makes valuable contributions to the security of the Internet, Callsign believes that a close relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you! In order to get more eyes on our products and services, we have created a bug bounty program that pays for in-scope vulnerabilities in our products and services. All details of the program, including in-scope systems and other rules of engagement are available on the bug bounty program landing page. Click here to access our bug bounty program. |
Ongoing monitoring and detection | Callsign uses automated monitoring systems which cover security, service performance and availability. We have monitoring and alerting capabilities against external and internal threats (including intrusions). The availability and capacity of our environments are also continuously monitored through a specific set of tools and control procedures. |
Endpoint protection | Callsign uses state of the art anti-virus, anti-malware, DLP agents and VPN with deep package inspection, as part of a suite of next generation endpoint protection tools. |
Transport encryption | Callsign services are using industry standard Transport Layer Security (TLS) encryption on all transport links carrying subscriber organisation information or controlling our infrastructure. |
Data separation | The Callsign platform uses software architect and engineering techniques to ensure logical data separation between clients’ datasets within the SaaS environment. |
Identity and access management | Callsign assigns all privileged users with individual accounts to enable auditing and logging of privileged accesses to subscriber organisation data. Callsign also control access to subscriber organisation data using a Privileged Access Management system to provide time-based access and record the privileged access session. |
Data hosting security | Callsign exclusively uses AWS Infrastructure for hosting subscriber organisations data who have numerous security certifications, including ISO27001, ISO27017, ISO27018 and more. |
Patch management | Callsign has robust policies and implements processes to ensure we regularly perform essential maintenance activities such as patching software, taking data backups and testing controls are functional as expected. |
Backups | Callsign performs regular backups of our subscriber organisations and company information and stores it securely replicated across 3 geographically dispersed cloud availability zones. Backup restore procedures are tested bi-annually to ensure that any disasters can be recovered from. |
Background checks | We vet every employee with third party background screening and verification checks to ascertain candidate’s identity, education, previous employment, and criminal record, as per the applicable laws. |
Access reviews | Callsign performs regular access reviews of employee privileges to ensure that as employee roles change or any access that is deemed to be inactive, the privileges are updated, and access of users is appropriate as needed. |
Penetration Testing | We perform penetration testing against our products and internal network using a combination of CREST accredited security testing firms, crowd source penetration testing firms and internal assessments. |
Storage encryption | Callsign has device encryption in place for all company devices as standard and use AES-256 bit encryption for cloud services storing subscriber organisation information. This enables us to protect data on equipment that is lost or stolen. |
Hardened builds | Callsign secures its systems against the US Center for Internet Security (CIS) recommended hardening standards and we monitor the systems regularly to ensure all systems meet these standard’s requirements. Additionally, our cloud systems are hardened according to CIS benchmarks, and we install the agents and services that are required for running applications and monitoring instances. Systems are built as “configuration as code” and are fully automated. |
Secure coding | Callsign adopts secure coding principles during development and adhere to “Secure-by-design” principles. All code being checked in is reviewed for security weaknesses and detecting security misconfigurations by using automated scanning tools. |
Two Factor Authentication | Callsign uses two-factor authentication on all corporate accounts. This helps us prevent common attacks like email phishing, that aims to capture user credentials to gain access to company information and services. |
Physical security | The Callsign offices are located in a secured office block. The entrance to the building is secured with security guards on site 24/7, with a reception desk fully staffed during business hours along with Surveillance by video monitoring services for lobby and ingress/egress points. |
Least privilege | When provisioning access to any Callsign resources, internal network and subscriber organisation data, we adhere to the principles of least privilege and need-to-know. Employees are only provided to access to information and systems, where required. |
Governance and responsibility | No amount of technical security controls would be sufficient unless backed up by robust process and governance. Callsign has a robust governance model in place which makes specific staff members responsible for information security in the organisation, in line with ISO27001 principles. |
Certifications and attestations | Callsign successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that Callsign’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security. Callsign is also certified against ISO27001 standard. |