This document describes how Vodia supports compliance with GDPR 2016/279 in EU markets and with System and Organization Controls (SOC 2) in US markets when a Vodia phone system is used.
Vodia customers generate or handle sensitive data on Vodia phone systems. The Vodia system is carefully designed to meet the requirements of GDPR and SOC 2 when used correctly. In this fact sheet we describe how we address the respective requirements during the system design, implementation and deployment steps.
However, it is the responsibility of the phone system operator and user to comply with GDPR and SOC regulations. Vodia is neither a data controller nor a data processor, but Vodia supports service providers, customers and end users in maintaining a secure system setup, operation and use.
The design of the Vodia phone system reflects a lawful basis for processing personal data. This includes obtaining explicit consent from the data subject, fulfilling a contractual obligation, compliance with legal obligations, protecting vital interests, performing a task carried out in the public interest, or legitimate interests pursued by the data controller. Default settings are set to run the Vodia phone system with a minimum of sensitive data.
We have ensured that Vodia phone systems provide mechanisms to facilitate the exercise of data subject rights. These rights include the right to access, rectify, erase, restrict processing, data portability, object to processing, and not to be subject to automated decision-making.
The Vodia phone system is designed to work on-premises under the full control of the data controller and data processor with regard to data storage and data exchange. It is designed to work autonomously, without exchanging data with third parties or external services.
Following the security-by-design principle, we build data privacy and IT security into the Vodia phone system at every stage of its implementation.
By avoiding external frameworks and open source packages and coding from scratch internally, we produce code that every customer can trust. Our IDE is set up to meet industry standards, so that potential sources of security threats can be traced and eliminated.
We enable Vodia phone system operators (data processors) to provide data processing agreements to their customers (data controllers) according to GDPR and SOC standards that clearly define the responsibilities and obligations of each party regarding data protection. These agreements can include provisions on security measures, data breach notifications and data transfers.
Vodia has implemented functionality that enables operators to provide the technical and organizational measures needed to ensure the security and confidentiality of the personal data a data processor processes. This includes encryption of communications and data exchange, access controls, regular security assessments and staff training.
Vodia phone systems are also designed to comply with SOC 2 (System and Organization Controls 2), the framework developed by the American Institute of CPAs (AICPA) to assess and report on the security, availability, processing integrity, confidentiality and privacy of a service organization's systems and data. Here are some key areas covered by SOC 2 related to data protection:
Ensuring security with Vodia phone systems: SOC 2 requires service organizations to implement security controls to protect against unauthorized access, both physical and logical. This includes measures such as access controls, encryption, network security, and monitoring of system activity. Vodia phone systems are designed to meet this requirement.
Ensuring confidentiality with Vodia phone systems: SOC 2 emphasizes the protection of sensitive information from unauthorized disclosure. Service organizations must have policies and procedures in place to safeguard confidential data, including customer data and intellectual property.
Ensuring privacy with Vodia phone systems: SOC 2 includes privacy controls to ensure compliance with applicable privacy regulations and commitments made to individuals regarding the collection, use, retention, and disclosure of their personal information. Organizations must establish and adhere to privacy policies and practices that protect personal data. Vodia phone systems are designed to meet data privacy requirements.
Ensuring availability of Vodia phone systems: SOC 2 requires service organizations to ensure their systems and services are available for operation and use as agreed upon with their customers. This involves implementing measures to prevent and respond to system interruptions, including backup and disaster recovery plans. Vodia phone systems can be operated with a high availability profile.
Ensuring processing integrity: SOC 2 assesses the accuracy, completeness and timeliness of data processing. Service organizations must have controls in place to ensure the integrity of data, including measures to detect and correct errors, reconcile data and maintain data accuracy.
SOC 2 is a flexible framework, and the specific controls and requirements may vary depending on the nature of the service provided and the organization's objectives. The SOC 2 report, prepared by an independent auditor, provides a detailed assessment of the controls implemented by the service organization and their effectiveness in achieving the specified criteria.
Vodia phone systems provide functionality to meet the day-to-day business needs of end users in business processes. All default settings focus on minimum data collection. End users can enable settings that enhance data collection in order to facilitate business processes.
Using the Vodia integration framework can lead to transfer of data outside the system to third parties like CRM or billing service providers. The end user has to make sure that these data transfers are compliant with GDPR and SOC 2.
Communication recording can be turned on by end users if the phone system operator has enabled it. End users are responsible for meeting the legal requirements for storing and processing communication records.
In order to enable billing, the phone system operator collects call data records for billing processing. This data needs to be processed under specific national regulations. The operator and the customer are responsible for meeting these national regulations.
Phone systems in general are exposed to fraud. Data processors and controllers are responsible for adequate fraud protection. Vodia systems are designed to protect against fraud if configured correctly.
Vodia provides information on how to set up secure firewall settings. Setting up the appropriate firewall and monitoring it are the responsibility of the data processor, in order to avoid unauthorized access to the phone system.
With the monitoring functionality of Vodia phone systems, operators and end users are able to collect data to improve communication patterns, availability and security. This functionality is disabled by default. The data processor and the data controller have to ensure that the monitoring functionality is used in accordance with GDPR and SOC 2 regulations.
Vodia provides professional services to data processors (operators) to check the appropriateness of Vodia phone systems configurations.
GDPR certification is not mandatory, but in any case it shows awareness of sensitive business requirements and provides credibility for system operators and customers. For operators and customers in critical business sectors it can be mandatory. Vodia can help operators and customers take steps to demonstrate compliance with the GDPR. Here are the actions we support:
Data Protection Impact Assessment (DPIA): If you perform a DPIA to identify and assess the potential risks and impacts of your PBX operations on the privacy and data protection rights of individuals, we help you understand and mitigate any potential privacy risks.
Implement GDPR-compliant policies and procedures: If you develop and implement comprehensive policies and procedures that align with the GDPR's requirements, including data protection, data breach response, data subject rights, consent management and security measures, we can provide input for your documentation duties.
Lawful bases for processing: Identify and document the lawful bases for processing personal data under the GDPR. Ensure you have a valid legal basis for processing personal data and that you communicate this to data subjects.
Consent management: If a data processor or controller relies on consent as a legal basis for processing personal data, a consent management system has to be established. Vodia can support the integration between the phone system and consent management systems so that explicit and informed consent can be obtained from individuals and they are given clear options to withdraw that consent.
Data security measures: Appropriate technical and organizational security measures are required to protect personal data processed through the specific phone system. This includes encryption, access controls, regular security assessments and employee training on data protection and security. Vodia can help carry out these tasks.
Data subject rights: If you want mechanisms in place to facilitate the exercise of data subject rights, such as providing access to personal data, enabling rectification and erasure requests and handling objections to processing, Vodia phone systems provide appropriate interfaces and Vodia offers professional services for integrations.
Vendor management: If a data processor or a data controller uses third-party vendors or subprocessors, they have to ensure that those also comply with the GDPR. Vodia provides professional services to establish data processing agreements that clearly outline responsibilities and obligations related to data protection.
Data breach response: As a data processor or data controller you have to develop and document procedures for detecting, investigating, and responding to data breaches. With Vodia professional services we can help to implement a data breach notification process to inform the relevant supervisory authority and affected individuals within the required timeframes.
Documentation and record-keeping: Maintain comprehensive documentation of your data processing activities, policies, procedures, and any steps taken to ensure compliance with the GDPR. This documentation helps demonstrate your accountability and compliance efforts.
While GDPR does not provide a certification process, you can consider obtaining certifications from independent bodies or organizations that validate your data protection practices. Certifications like ISO 27001 (Information Security Management) or SOC 2 (System and Organization Controls) can provide additional assurance to your customers and stakeholders about your commitment to data protection and security.
Vodia offers partners and customers certificates for an adequate security setup of their Vodia phone system. Ask for the respective professional services at email@example.com.
Vodia offers professional services to partners, customers and certification bodies for receiving or issuing GDPR or SOC 2 certificates. Ask for the respective professional services at firstname.lastname@example.org.