Back to Blog
Tech

How The Vodia PBX Protects Your Data

Published on:

July 5, 2023

We designed the Vodia phone system, the industry’s most feature-rich, on a lawful groundwork and list of requirements, both in the EU and in the USA, for processing personal data.

Christian Stredicke

A Guide for Managed Service Providers

Managed Service Providers (MSP) generate a significant amount of sensitive data, handle it, or both, all with the Vodia phone system, including the latest version of our industry-leading software, version 69. Our phone system has been designed to meet the requirements of the European Union General Data Protection Regulation (GDPR) and System and Organization Control (SOC) 2 before they even existed, and we’d like to explain how we align the respective requirements during system design, implementation and deployment. Our goal is to support MSPs and their customers and end users to maintain a secure set up, operation and ongoing use.

We designed the Vodia phone system, the industry’s most feature-rich, on a lawful groundwork and list of requirements, both in the EU and in the USA, for processing personal data. This includes:

  • obtaining explicit consent from the data subject
  • fulfilling a contractual obligation
  • compliance with legal obligations
  • protecting vital interests
  • performing a task carried out in the public interest or legitimate interests pursued by the data controller
  • system default settings run the PBX with a minimum of sensitive data

Vodia phone systems are built with robust mechanisms to facilitate the exercise of data subject rights. These rights include:

  • access
  • rectification
  • restricted processing
  • data portability
  • object to processing
  • not to be subject to automated decision-making

The Vodia phone system operates according to lawfulness and transparency: system audits can be conducted to determine what information needs to be processed to fulfill the task as a communication system; all data processing is designed to handle the absolute minimum of data with a legal justification, while respective information provides the privacy policy to the system operator. With regard to data storage and exchange, our phone system works on-premise under the jurisdiction of the data controller and data processor and is designed to work autonomously without any exchange of third-party/private services data.

Security by Design

Following the security by design principle, we implement data privacy and IT security across the Vodia phone system at every stage of implementation. Rather than use external frameworks and open source packages and coding from scratch internally, Vodia creates a code every customer can depend on and trust.

In contrast to many hosted services, the Vodia PBX can run on a single virtual machine. Only few outside services like SMTP or push servers are used, and these can be scrapped if necessary. This dramatically reduces the complexity of the setup, as compared to other solutions, and contains all data in a single instance. Firewalls can be programmed to allow traffic only to specific addresses, and even the amount of data transferred can be limited, making it impossible for data to leave the instance without prior permission.

Anticipating a potential EU Cyber Resilience Act (EUCRA), the Vodia PBX uses only a very small amount of open source code; this significantly reduces the risk of unintentionally including malware in the software and will make it easy to comply with these regulations.

Secure System Operations

Vodia phone system operators (data processors) can enter into data processing agreements with their customers (data controllers) – according to GDPR and SOC standards – that clearly delineate the responsibilities and obligations of each party. These agreements usually include provisions related to security measures, data breach notifications and data transfers.

The Vodia PBX includes features that permit operators to provide technical and organizational measures to ensure the security and confidentiality of any personal data a data processor processes, including encryption of communications and data exchange, access controls, regular security assessments and staff training.

The Vodia PBX complies with SOC 2, the framework created by the American Institute of CPAs (AICPA) to assess and report on the security, availability, processing integrity, confidentiality and privacy of a service organization's systems and data. These are some of the key data protection areas covered by SOC 2:

  • Security: SOC 2 requires service organizations to implement security controls to protect against unauthorized access, both physical and logical, including access controls, encryption, network security and monitoring of system activity. The Vodia phone system meets this requirement.
  • Confidentiality: SOC 2 emphasizes the protection of sensitive information from unauthorized disclosure: service organizations must have policies and procedures in place to safeguard confidential customer data and intellectual property.
  • Privacy: SOC 2 includes privacy controls to ensure compliance with privacy regulations and commitments made to individuals regarding the collection, use, retention and disclosure of their personal information. Organizations must establish and adhere to privacy policies and practices that protect personal data, and our phone system meets SOC 2 data privacy requirements.
  • Availability: SOC 2 requires service organizations to ensure their systems and services are available for operation and use as agreed upon with their customers. This involves implementing measures to prevent and respond to system interruptions, including backup and disaster recovery plans. Vodia phone systems can be operated with a high availability profile.
  • Processing Integrity: SOC 2 assesses the accuracy, completeness and timeliness of data processing; service organizations must have controls in place to ensure the integrity of data, including measures to detect and correct errors, reconcile data and maintain data accuracy.

SOC 2 is a flexible framework, and specific controls and requirements may vary depending on the service provided and organizational objectives. An independent auditor  prepares the SOC 2 report, which provides a detailed assessment of the controls implemented by the service organization and its effectiveness in meeting the specified criteria.

Secure System Usage

All Vodia phone system default settings require minimum data collection, and end users can enhance data collection to facilitate business processes. The Vodia integration framework can lead to data transfer to third parties outside the system, such as CRMs or billing service providers; end users have to make sure data transfers are compliant with GDPR and SOC 2. End users can record communication, but only if it’s permitted by the operator of the PBX and end users must meet legal requirements for process and storage of communication records.

To enable billing the phone system operator collects calling data records for billing processing – there are specific national regulations for processing this data, and both operator and customer/end user are obligated to follow these regulations. Phone systems are generally subject to fraud, and data processors and controllers are responsible for sufficient fraud protection.

Our phone system enables secure firewall settings – firewall set up and monitoring are the responsibility of the data processor and crucial for preventing unauthorized access to the system. Thanks to the monitoring functionality of our PBX, operators and end users can collect data to improve communication patterns, availability and security (disabled by default). Monitoring functionality, as outlined in GDPR and SOC 2 regulations, has to be ensured by both the data processor and the data controller. Vodia offers professional services to data processors to verify Vodia phone system configurations are appropriate.

Certification Support

GDPR certification isn‘t mandatory, but it demonstrates awareness of sensitive business requirements and gives system operators and customers credibility; for operators and customers in critical businesses, it can be mandatory. Vodia helps operators and customers take steps to demonstrate compliance with GDPR. We support:

  • Data Protection Impact Assessment (DPIA): If you perform a DPIA to identify and assess the potential risks and impacts associated with your PBX with regard to the privacy and data protection rights of individuals, we help you to understand and mitigate any potential privacy risks.
  • Implementation of GDPR-compliant policies and procedures: If you develop and implement comprehensive policies and procedures that align with GDPR requirements, including data protection, data breach response, data subject rights, consent management and security measures, we can provide input for your documentation responsibilities.
  • Lawful bases for processing: Identify and document the lawful bases for processing personal data under GDPR and ensure you have a valid legal basis for processing personal data (you must communicate this to data subjects).
  • Consent management: If a data processor or controller depends on consent as a legal basis for processing personal data, a consent management system must be deployed. Vodia supports the integration between the phone system and consent management systems: this requires explicit and informed consent from individuals, all of whom must be provided clear options for the withdrawal of consent.
  • Data security measures: Appropriate technical and organizational security measures to protect personal data must be processed via the phone system – this includes encryption, access controls, regular security assessments and employee data protection and security measures. This can be accomplished with our phone system.
  • Data subject rights: The Vodia PBX provides you with all necessary mechanisms to facilitate the exercise of data subject rights, including the provision of access to personal data, rectification and erasure requests and handling objections. Our phone system gives you appropriate interfaces and professional services for easy, robust integrations.
  • Vendor management: If a data processor or a data controller uses third-party vendors or sub processors, they have to ensure they also comply with the GDPR. Vodia provides professional services to establish data processing agreements that clearly outline responsibilities and obligations related to data protection.
  • Data breach response: Data processors/controllers have to develop and document procedures for detecting, investigating and responding to data breaches. We can help you implement a data breach notification process to inform the relevant supervisory authority and affected individuals within required timeframes.
  • Documentation and record-keeping: The Vodia phone system maintains comprehensive documentation of your data processing activities, policies, procedures and any steps you take to comply with GDPR. This documentation demonstrates accountability and compliance efforts.

About Vodia Networks, Inc.

Vodia Networks has been a trendsetter in the Voice over Internet Protocol (VoIP) industry for over a decade. Since 2006, Vodia has led the VoIP world in innovation and forward-thinking development, particularly with its early adoption of a multi-tenancy platform for its customers – Vodia was the first company to offer a true multi-tenancy platform and it remains one of the very few companies that can deliver it. Vodia’s multi-tenancy platforms are compatible with an unprecedented number of technologies, including desk phones, softphones and APIs for numerous third-party SW and CRM systems. For additional information please visit www.vodia.com.

While GDPR does not provide a certification process, MSPs can obtain certifications from independent bodies or organizations that validate your organization’s data protection practices. Certifications like ISO 27001 (Information Security Management) or SOC 2 can provide additional assurance to your customers and stakeholders about your commitment to data protection and security.

Vodia offers partners and customers certificates for adequate security setup of their Vodia phone system alongside professional services for partners, customers and certification bodies to receive or issue GDPR or SOC 2 certificates. Please reach out to us at sales@vodia.com for further information and assistance.

Latest Articles

View All
Announcement

Version 69.2.4 of The Vodia Phone System Now Available​

Vodia recently released version 69.2.4, the latest update to their industry-leading cloud phone system. This update boasts a completely rebuilt frontend, providing a modern user experience, and integrates seamlessly with nearly any browser-based platform. A key feature is integration with Grafana, a powerful tool that enables comprehensive monitoring of Vodia instances across various platforms. Version 69.2.4 also brings several other improvements, including the ability to add custom notes to accounts, sending CDR emails for regular extensions, and enhanced support for Mitel 68xx and 69xx series phones.

April 30, 2024
Editorial

Vodia Adds Value for Internet and Telecommunications Service Providers

How are Vodia's service provider partners gaining an edge in the competitive telecommunications market? By leveraging the innovative capabilities of Vodia, they're able to expand their market share, offer a diverse range of services and streamline their operations. As the telecommunications landscape evolves, service providers must adapt to meet the changing needs of their customers. With Vodia's robust architecture and minimal hardware requirements, service providers can ensure reliability, scalability, security and cost-effectiveness.

April 23, 2024
Editorial

Significant Growth in Global UC&C and CPaaS Markets

In late September 2023, IDC reported significant growth in the global Unified Communications & Collaboration (UC&C) and Communications Platform as a Service (CPaaS) markets. UC&C encompasses solutions like Audio Conferencing, Desktop Sharing, Instant Messaging, IP Telephony, Video Conferencing, Voice, and Web Conferencing. Vodia's communication system seamlessly integrates many UC&C functionalities, enhancing collaboration, flexibility, and productivity for businesses. As a CPaaS provider, Vodia offers developers a cloud platform to add real-time communications features to their applications effortlessly.

April 16, 2024