Trust Center

Security

Our main goal is to deliver a worldwide platform with all channels and features to best reach your audience worldwide. 

investor relations

Introduction

Our Communications Platform as a Service (CPaaS) contains all messaging channels, as well as next-gen payments and smart identification tools.

And with our customer data platform (CDP), we provide you easy use of these features.

We aim to be flexible, scalable, and fast at delivering the services to our customers while maintaining the highest standards in security and compliance.

  1. verified

    Measures

    Measures are in place to monitor, control and continuously improve data security and business continuity. This page provides insight in how we do that.

  2. download

    Backups

    We schedule regular backups to ensure that all data is stored safe, secure, and is swiftly restorable in a disaster recovery situation. 

  3. lock-locked

    Audits

    We conduct penetration tests per half-year / per quarter of a year using a certified third-party supplier.

Security @ CM.com

Datacenters in different locations

By default all data on the CM platform is stored in the Netherlands (EU).

For CPaaS products you may request to store data in:

• Belgium, Germany

• South Africa

• Hong Kong

Controls to prevent physical access

• Security staff, door locking

• Surveillance facilities (e.g. CCTV footage, alarm system)

• Automatic physical access control system

• Logging of visitors to data centers and data warehousing

We use network controls for

• Outgoing traffic

• Incoming traffic

• Network traffic between zones

• Access to data and portals per user

• Access to and from user data

Out Platform is monitored 365/24/7

• Deviations in network traffic

• Malicious attacks

• Deviations in the amount of logging

• Traffic from untrusted IP addresses

• DDOS attack monitoring and mitigation

We schedule regular backups

• Full system backups of servers and databases are taken daily

• Transaction log backups are taken with high frequency

• Backups are stored in an off-site location

cmcom noc support

Allocation of Security Incident Management Responsibilities

As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider.

The customer is responsible for its data and generated traffic; including security measures.

Read Terms & Conditions

Summary of Measures

CM.com’s main goal is to deliver a worldwide platform with all channels and features to best reach your audience worldwide. Our Communications Platform as a Service (CPaaS) contains all messaging channels, as well as next gen payments and smart identification tools. And with our customer data platform (CDP), we provide you an easy use of these features.

We aim to be flexible, scalable and fast at delivering the services to our customers, while maintaining the highest standards in security and compliance. Therefore, all software on CM.com’s platform is designed and developed by our own staff. The platform runs on own and self-operated servers and software. It is hosted in our own datacenters and in external datacenter locations of top-tier certified suppliers. The CM.com Platform is operated in different data center locations:

  • EU: Netherlands, Belgium, Germany

  • UK

  • Africa: South Africa

  • Asia: Hong Kong

Logical Access Control:

  • Logical access to information systems within CM.com is governed by users and administrators:

  • User access to applications is governed by three control factors: user ID, password, authentication key. The authentication key is provided on the personal mobile phone or email address. This does not only apply to our staff, but to all users of the CM platform;

  • CM.com frequently cleans up user access to the platform by disabling inactive accounts;

  • Staff user access is managed by system administrators for general purpose systems (such as corporate intra-web, desktop environment, network drives) and user access is managed by dedicated application administrators for the information systems that are used by a specific team or function.

CM.com has several policies and measures in place to ensure that security is administered correctly.

Physical Access Control

In order to guarantee that the security and access requirements are met for alle sites used by CM.com, all CM.com services comply with the following requirements:

Physical Access

  • The third-party data centers used by CM.com have to meet the requirements of ISO 27001. These data centers have their own security access policies. CM.com carefully assessed security and redundancy of these third-party data centers to ensure they meet our standards and that of our customers. CM.com annually verifies if they have successfully recertified;

  • Access to services, machines and data stored in the data centers used by CM.com is only allowed by authorized personnel of CM.com. Access is only granted when registered with valid identification upon entrance;

  • Addition and removal of personnel from the allowed access list is initiated by Human Resources and executed by ICT and monitored by the manager of the employee’s team;

  • Third party service suppliers are only allowed to gain access to services and machines when escorted by authorized CM.com personnel. Access is only granted when registered with valid identification upon entrance and after approval of a qualified CM.com employee;

  • Various controls are in place to prevent physical access of unauthorized persons to other premises and facilities, such as:

    o Security staff;

    o Surveillance facilities (e.g. CCTC footage, alarm systems) ;

    o Automatic physical access control system;

    o Door locking;

    o Logging of visitors to data centers and data warehousing

Physical Security

  • Access points that are used for supply are controlled by surveillance cameras and are isolated from information processing facilities;

  • Every site is visited at least every two weeks to verify the state of the environment;

  • As CM.com services are used all over the world, CM.com delivers its services 24/7/365. NOC personnel is 24/7/365 on site at our own datacenter in Breda and constantly monitors all critical entrances through CCTC camera control. The recorded images are kept for 120 days. The access to these images are restrictor to four appointed officials.

Passwords

Passwords of employees need to have at least 16 characters. After five unsuccessful login attempts the user account will be blocked for 30 minutes and will be unlocked after a successful login.

System Security

We use Firewalls on all internet facing elements of our infrastructure to protect data and control all traffic on the CM.com Platform. Firewalls are enabled on all employee endpoints at all times. IDS, IPS and WAF are enabled on our production environment firewalls.

All our equipment and servers are protected using appropriate real-time anti-virus, anti-spyware and anti-malware software (endpoint protection). The outcome and logs of this equipment is stored in a centralized database. Monitoring and alerting takes place from this centralized data system, the outcome is provided to our NOC/SOC. Realtime network monitoring is in place that can determine malicious behaviour based on a.i.

Threat Compartmentation

All network traffic running through the CM.com platform and the access provided to humans and API’s are strictly compartmented and zoned. Every set with services with a shared purpose is running in an isolated zone, providing only access to and from allowed systems or services, based on physical, virtual or per user/service separation for:

  • Outgoing traffic;

  • Incoming traffic;

  • Network traffic between zones;

  • Access to data and portals per user;

  • Access to and from user data.

Centralize Monitoring, Detection and Mitigation

For CM.com to monitor and act swiftly on incoming threats, we have effective centralized logging, threat detection and mitigation. The following measures are implemented;

  • Centralized logging of all traffic based on net flow, syslog and proprietary protocols;

  • Vulnerability scanning to assist patch management process;

  • External threat analysis and fingerprints fed to appliances and centralized logging;

  • Automatic DDOS protection environment, specifically focusing on either volume or slow attacks;

  • Protected from API and DDOS attack through cloud infrastructure, and standardized tooling in place as offered by Microsoft Azure, and through the use of Cloudflare DDOS protection suite.

  • Security Appliances and services per zone automatically acting upon known threats and reporting this to the centralized logging system;

  • Firewall,

  • Intrusion detection system,

  • Intrusion protection system,

  • Gateway anti-virus (endpoint protection), Malware filter, Spam filter,

  • Web Application Firewall,

  • Anomaly detection.

Monitoring

The CM.com platform is monitored by CM.com professionals, 24/7/365. This way we detect threats and errors that could potentially lead to security incidents at an early stage.
We apply four types of monitoring to verify operations and information processing on the CM.com platform. Monitoring and associated controls are all automated.

Be aware that logs are not made available publicly, the status of CM.com products can be followed through the status.cm.com page. CM.com logs are protected in the same way databases with customer data are protected.

The four types of monitoring that have are: Basic Server Monitoring, Application Test Scripts, Trend Monitoring and Security Monitoring. Specialized Security monitoring tools are used to detect:

  • Deviations in network traffic;

  • Malicious attacks;

  • Deviations in the amount of logging;

  • Traffic from untrusted IP addresses;

  • Monitoring and mitigating DDOS attacks.

All these logs are monitored by the Security team and the NOC.

Security Audits

We conduct penetration tests per half year / per quarter of a year using a certified third party supplier. In addition to this, we take part in a bug bounty program and we undertake external and internal vulnerability scans using Authorized Scanning Vendors and vulnerability assessment applications. These scans are highly automated and for each test it is determined at which frequency it is performed (daily to monthly), depending on the type of test.

Platform Availability

CM.com schedules regular backups to ensure that all data is stored safely and securely. This way it can be restored quickly in the event of a disaster.

  • Full backups of our servers and databases are performed on a daily basis;

  • Backups of transaction logs are performed at a high frequency;

  • Backups are stored in an off-site location;

  • Creating backups is an automated process within CM.com. Only authorized personnel that have been qualified are able to access the backups

  • The platform design is based on an always-on high availability architecture.


CM.com does not retain your traffic or customer data longer than necessary to provide the service.

  • The retention time for daily full backup created of all CM.com base SQL servers is 6 days;

  • CM.com’s guideline for daily differential database backups is 4 weeks;

  • CM.com’s guideline for weekly database backups is 3 months;

  • Backups of server configuration data are kept for 7 days;

  • Access logs are kept for 90 days.

CM.com has their backups stored in the Netherlands. There are multiple platforms in different locations, a backup is always restored on all slave databases. Besides the Netherlands, backups are also stored in another datacenter of CM.com. This way, backups are continuously available on an external location.

Redundancy and Continuity

CM.com commits to the availability of its services and processes in the Service Level Agreement. Not all factors that contribute to this commitment are fully in CM.com’s own control. CM.com has developed a Business Continuity Plan to minimize business damage from a major issue affecting staff, office and data center locations, and equipment. This covers the following aspects and is updated several times per year:

  • Detailed recovery procedures

  • BCP maintenance testing and training;

  • A crisis communication protocol is available, platform status page https://status.cm.com/ is set up on a hosted environment.

Change Management

There is a formal change management/operational change policy. This policy is annually shared, revised and updated. It ensures that changes on assets (e.g. maintenance, repair) are performed and logged.

There is also a Change Advisory Board (CAB) formed between IT and Security to collaborate and discuss changes. These changes and possible impacts are discussed in a meeting every three weeks between the CISO and CEO.

Incident Response

CM.com classifies an incident as follow: Severity 4: Incident, Severity 3: Disturbance, Severity 2: Outage, Severity 1: Critical Outage. In all of these classifications the Security team will perform it’s incident response & digital forensics utilities to follow up on the incident. In case of an information security incident, CM.com has an incident response plan.

In the event of a breach, hack or data leak, CM.com has implemented the following protocols to respond adequately:

  • The security team is available and together with the support team, the security team provides the 1st, 2nd and 3rd line support and response in the event of incident.

  • A business continuity plan to eliminate the threat, contain the damage, restore the availability of the secure service and implement structural remedies to prevent its recurrence.

  • In the event of a security incident, we inform customers via appropriate communication channels such as status.cm.com, e-mail or a personal phone call, depending on the severity and SLA-levels.

As an electronic communications provider, CM.com has an independent duty to inform the respective authorities in the event of a security incident.


Data Breach

Detection or suspicion of any possible or proven security incident: In respect of a personal data breach, CM.com notifies each affected client of a personal data breach involving CM.com or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the personal data breach). The notification will be communicated via e-mail to the relevant contact persons.

Encryption

Data encryption: CM.com applies strong encryption algorithms to encrypt data rest. This ensures that sensitive data stored on physical servers or storage devices remains securely encrypted and unreadable without proper decryption keys.

Key management: We have robust key management practices in place to securely generate, store and manage encryption keys used to encrypt and decrypt data at rest. This includes implementing secure key storage mechanisms and ensuring adequate access and audit controls.

Secure storage infrastructure: Our organization employs a secure storage infrastructure, including encrypted file systems or database storage, to protect data at rest. This infrastructure ensures that even if physical storage media are compromised, data remains encrypted and inaccessible to unauthorized parties.

Compliance: We adhere to industry best practices and compliance requirements for encryption at rest. This includes following standards and guidelines set by regulatory bodies or specific frameworks for data security and privacy.

Regular audits and monitoring: We conduct regular audits and monitoring of our encryption-at-rest capabilities to ensure compliance and identify any potential vulnerabilities or risks. This proactive approach allows us to address any issues promptly and continually improve the security of stored data.

Documentation and policies: Our organization maintains clear documentation and policies that describe encryption-at-rest practices, including encryption algorithms used, key management procedures and data access controls. These policies ensure consistency and help establish a secure framework for protecting data at rest.

serverpark servers

Reporting Suspected Vulnerabilities

Did you as a security researcher or a client discover a vulnerability in our system? Please help us by reporting these to us, so that we can improve the safety and reliability of our systems together. If you would like to report a vulnerability or have a security concern regarding the website of CM.com or its services, please email [email protected].

Our clients are also welcome to submit their requests to [email protected].

See Our Disclosure Policy
Is this region a better fit for you?
Go
close icon