Security•

Summary of Measures

CM.com’s main goal is to deliver a worldwide platform with all channels and features to best reach your audience worldwide. Our Communications Platform as a Service (CPaaS) contains all messaging channels, as well as next gen payments and smart identification tools. And with our customer data platform (CDP), we provide you an easy use of these features.

We aim to be flexible, scalable and fast at delivering the services to our customers, while maintaining the highest standards in security and compliance. Therefore, all software on CM.com’s platform is designed and developed by our own staff. The platform runs on own and self-operated servers and software. It is hosted in our own datacenters and in external datacenter locations of top-tier certified suppliers. The CM.com Platform is operated in different data center locations:

• EU: Netherlands, Belgium, Germany

• UK

• Africa: South Africa

• Asia: Hong Kong

Physical Access Control

Various controls are in place to prevent physical access of unauthorized persons to other premises and facilities, such as:

• Security staff;

• Surveillance facilities (e.g. CCTV footage, alarm system);

• Automatic physical access control system;

• Door locking;

• Logging of visitors to data centers and data warehousing.

• Access points that are used for supply are controlled by surveillance cameras and are isolated from information processing facilities.

• Every site is visited at least every two weeks to verify the state of the environment.

• As CM.com services are used all over the world, CM.com delivers its services 24/7/365. NOC personnel is 24/7/365 on site at our own datacenter in Breda and constantly monitors all critical entrances through CCTV camera control. The recorded images are kept for 120 days. The access to these images is restricted to four appointed officials.

Passwords

Passwords of employees need to have at least 16 characters. After five unsuccessful login attempts the user account will be blocked for 30 minutes and will be unlocked after a successful login.

System Security

We use Firewalls on all internet facing elements of our infrastructure to protect data and control all traffic on the CM.com Platform. Firewalls are enabled on all employee endpoints at all times. IDS, IPS and WAF are enabled on our production environment firewalls.

All our equipment and servers are protected using appropriate real-time anti-virus, anti-spyware and anti-malware software (endpoint protection). The outcome and logs of this equipment is stored in a centralized database. Monitoring and alerting takes place from this centralized data system, the outcome is provided to our NOC/SOC. Realtime network monitoring is in place that can determine malicious behaviour based on a.i.

Threat Compartmentation

All network traffic running through the CM.com platform and the access provided to humans and API’s are strictly compartmented and zoned. Every set with services with a shared purpose is running in an isolated zone, providing only access to and from allowed systems or services, based on physical, virtual or per user/service separation for:

• Outgoing traffic;

• Incoming traffic;

• Network traffic between zones;

• Access to data and portals per user;

• Access to and from user data.

Centralize Monitoring, Detection and Mitigation

For CM.com to monitor and act swiftly on incoming threats, we have effective centralized logging, threat detection and mitigation.. The following measures are implemented;

• Centralized logging of all traffic based on net flow, syslog and proprietary protocols;

• Vulnerability scanning to assist patch management process;

• External threat analysis and fingerprints fed to appliances and centralized logging;

• Automatic DDOS protection environment, specifically focusing on either volume or slow attacks;

• Security Appliances and services per zone automatically acting upon known threats and reporting this to the centralized logging system;

• Firewall,

• Intrusion detection system,

• Intrusion protection system,

• Gateway anti-virus (endpoint protection), Malware filter, Spam filter,

• Web Application Firewall,

• Anomaly detection.

Monitoring

The CM.com Platform is monitored by professionals, 365/24/7. This way we detect threats and errors that could potentially lead to security incidents in an early stage.

We apply four types of monitoring for checking the operations and the information processing on the CM.com platform. The monitoring and related checks are all automated.

These types are: Basic server monitoring, application test scripts, trend monitoring and security monitoring.

• Deviations in network traffic;

• Malicious attacks;

• Deviations in the amount of logging;

• Traffic from untrusted IP addresses;

• DDOS attack monitoring and mitigation.

Security Audits

We conduct penetration tests per half year / per quarter of a year using a certified third party supplier. In addition to this, we take part in a bug bounty program and we undertake external and internal vulnerability scans using Authorized Scanning Vendors and vulnerability assessment applications. These scans are highly automated and for each test it is determined at which frequency it is performed (daily to monthly), depending on the type of test.

Platform Availability

CM.com schedules regular backups to ensure that all data is stored safe, secure, and is swiftly restorable in a disaster recovery situation.

• Full system backups of servers and databases are taken daily;

• Transaction log backups are taken with high frequency;

• Backups are stored in an off-site location;

• The creation of backups is an automated process. Only personnel authorized, qualified by the IT manager are able to access backups.

• The platform design is based on a high availability always on architecture.

CM.com retains your traffic or customer data for no longer than necessary to provide the service:

• Retention time for the full daily backup created of all CM.com core SQL servers is 6 days;

• The CM.com guideline for daily differential backups of databases is 4 weeks;

• The CM.com guideline for weekly backups of databases is 3 months;

• The server configuration data backups are kept for 7 days;

• Access logs are kept for 90 days.

Redundancy and Continuity

CM.com commits to the availability of its services and processes in the Service Level Agreement. Not all factors that contribute to this commitment are fully in CM.com’s own control. CM.com has developed a Business Continuity Plan to minimize business damage from a major issue affecting staff, office and data center locations, and equipment. This covers the following aspects and is updated several times per year:

• Detailed recovery procedures

• BCP maintenance testing and training;

• A crisis communication protocol is available, platform status page https://status.cm.com/ is set up on a hosted environment

Incident Reponse

In case of an information security incident, CM.com has an incident response plan, including the following protocols to respond adequately:

• Security team is available and together with the support team, the security team provides 1st, 2nd and 3rd line support and response in case of incidents;
• A business continuity plan to eliminate the threat, contain the damage, restore service availability and implement structural remedies to prevent repetitive incurrence;
•  In the event of a security incident, we inform customers via appropriate communication channels such as status.cm.com, e-mail or a personal phone call, depending on the severity and SLA-levels.

As an electronic communications provider, CM.com has an independent duty to inform the respective authorities in the case of security incidents and/or network disruptions.

Data Breach

In respect of a personal data breach, CM.com notifies each affected client of a personal data breach involving CM.com or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the personal data breach). The notification will be communicated via e-mail to the relevant contact persons.