Our Communications Platform as a Service (CPaaS) contains all messaging channels, as well as next-gen payments and smart identification tools.
And with our customer data platform (CDP), we make these features easy to use.
We aim to be flexible, scalable, and fast at delivering the services to our customers while maintaining the highest standards in security and compliance.
Measures are in place to monitor, control and continuously improve data security and business continuity. This page provides insight into how we do that.
We schedule regular backups to ensure that all data is stored safely and securely, and is swiftly restorable in a disaster recovery situation.
We conduct penetration tests every half year or every quarter, using a certified third-party supplier.
By default all data on the CM platform is stored in the Netherlands (EU).
For CPaaS products you may request to store data in:
• Belgium, Germany
• South Africa
• Hong Kong
As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider.
The customer is responsible for its data and generated traffic, including security measures.
CM.com’s main goal is to deliver a worldwide platform with all channels and features to best reach your audience worldwide. Our Communications Platform as a Service (CPaaS) contains all messaging channels, as well as next-gen payments and smart identification tools. And with our customer data platform (CDP), we make these features easy to use.
We aim to be flexible, scalable and fast at delivering the services to our customers, while maintaining the highest standards in security and compliance. Therefore, all software on CM.com’s platform is designed and developed by our own staff. The platform runs on our own, self-operated servers and software. It is hosted in our own datacenters and in external datacenter locations of top-tier certified suppliers. The CM.com Platform is operated in different data center locations:
EU: Netherlands, Belgium, Germany
UK
Africa: South Africa
Asia: Hong Kong
Various controls are in place to prevent physical access of unauthorized persons to other premises and facilities, such as:
Security staff;
Surveillance facilities (e.g. CCTV footage, alarm system);
Automatic physical access control system;
Door locking;
Logging of visitors to data centers and data warehousing.
Access points that are used for supply are controlled by surveillance cameras and are isolated from information processing facilities.
Every site is visited at least every two weeks to verify the state of the environment.
As CM.com services are used all over the world, CM.com delivers its services 24/7/365. NOC personnel is 24/7/365 on site at our own datacenter in Breda and constantly monitors all critical entrances through CCTV camera control. The recorded images are kept for 120 days. The access to these images is restricted to four appointed officials.
Passwords of employees need to have at least 16 characters. After five unsuccessful login attempts the user account will be blocked for 30 minutes and will be unlocked after a successful login.
We use firewalls on all internet-facing elements of our infrastructure to protect data and control all traffic on the CM.com Platform. Firewalls are enabled on all employee endpoints at all times. IDS, IPS and WAF are enabled on our production environment firewalls.
All our equipment and servers are protected using appropriate real-time anti-virus, anti-spyware and anti-malware software (endpoint protection). The outcome and logs of this equipment are stored in a centralized database. Monitoring and alerting take place from this centralized data system, and the outcome is provided to our NOC/SOC. Real-time network monitoring is in place that can determine malicious behaviour based on AI.
All network traffic running through the CM.com platform and the access provided to humans and APIs are strictly compartmentalized and zoned. Every set of services with a shared purpose runs in an isolated zone, providing access only to and from allowed systems or services, based on physical, virtual or per user/service separation for:
Outgoing traffic;
Incoming traffic;
Network traffic between zones;
Access to data and portals per user;
Access to and from user data.
For CM.com to monitor and act swiftly on incoming threats, we have effective centralized logging, threat detection and mitigation. The following measures are implemented:
• Centralized logging of all traffic based on NetFlow, syslog and proprietary protocols;
• Vulnerability scanning to assist the patch management process;
• External threat analysis and fingerprints fed to appliances and centralized logging;
• Automatic DDoS protection environment, specifically focusing on either volume or slow attacks;
• Security appliances and services per zone automatically acting upon known threats and reporting this to the centralized logging system:
  • Firewall,
  • Intrusion detection system,
  • Intrusion protection system,
  • Gateway anti-virus (endpoint protection), malware filter, spam filter,
  • Web Application Firewall,
  • Anomaly detection.
The CM.com Platform is monitored by professionals, 365/24/7. This way we detect threats and errors that could potentially lead to security incidents at an early stage.
We apply four types of monitoring for checking the operations and the information processing on the CM.com platform. The monitoring and related checks are all automated.
These types are: Basic server monitoring, application test scripts, trend monitoring and security monitoring.
Deviations in network traffic;
Malicious attacks;
Deviations in the amount of logging;
Traffic from untrusted IP addresses;
DDOS attack monitoring and mitigation.
We conduct penetration tests every half year or every quarter, using a certified third-party supplier. In addition to this, we take part in a bug bounty program and we undertake external and internal vulnerability scans using Authorized Scanning Vendors and vulnerability assessment applications. These scans are highly automated, and for each test the frequency at which it is performed (daily to monthly) is determined by the type of test.
CM.com schedules regular backups to ensure that all data is stored safely and securely, and is swiftly restorable in a disaster recovery situation.
Full system backups of servers and databases are taken daily;
Transaction log backups are taken with high frequency;
Backups are stored in an off-site location;
The creation of backups is an automated process. Only personnel authorized and qualified by the IT manager are able to access backups.
The platform design is based on a high-availability, always-on architecture.
CM.com retains your traffic or customer data for no longer than necessary to provide the service:
Retention time for the full daily backup created of all CM.com core SQL servers is 6 days;
The CM.com guideline for daily differential backups of databases is 4 weeks;
The CM.com guideline for weekly backups of databases is 3 months;
The server configuration data backups are kept for 7 days;
Access logs are kept for 90 days.
CM.com commits to the availability of its services and processes in the Service Level Agreement. Not all factors that contribute to this commitment are fully in CM.com’s own control. CM.com has developed a Business Continuity Plan to minimize business damage from a major issue affecting staff, office and data center locations, and equipment. This covers the following aspects and is updated several times per year:
Detailed recovery procedures;
BCP maintenance testing and training;
A crisis communication protocol is available, and the platform status page https://status.cm.com/ is set up on a hosted environment.
In case of an information security incident, CM.com has an incident response plan, including the following protocols to respond adequately:
As an electronic communications provider, CM.com has an independent duty to inform the respective authorities in the case of security incidents and/or network disruptions.
In respect of a personal data breach, CM.com notifies each affected client of a personal data breach involving CM.com or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the personal data breach). The notification will be communicated via e-mail to the relevant contact persons.
Did you, as a security researcher or a client, discover a vulnerability in our system? Please help us by reporting it to us, so that we can improve the safety and reliability of our systems together. If you would like to report a vulnerability or have a security concern regarding the website of CM.com or its services, please email [email protected].
Our clients are also welcome to submit their requests to [email protected].