This is the most vulnerable phase of the data lifecycle: entrusting your customer data to an outside vendor. That's why TeleVox approaches secure data storage through strategic risk management in three key areas to ensure the availability, confidentiality and integrity of your data and systems:

Governance/Standards: TeleVox has a dedicated Information Risk Management Team to ensure that information risks are identified and managed.

Security Operations: TeleVox has a team of highly qualified IT professionals dedicated to using the policies and procedures to create layers of control that protect the data assets that have been placed in our care. Our multi-layered security framework consists of:

  • Physical Security: protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage our systems and data. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
  • Network Security: provisions and policies adopted by the Network Administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
  • Logical Security: software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.
  • Application Security: TeleVox products offer customizable application security hardening including password length, expiration and lockout to allow you to decide the level of application layer hardening required.

Monitoring/Audits: TeleVox's Monitoring Team continually monitors our data center for perceived threats. We also utilize internal and external audits to ensure the policies, procedures and governance controls are functioning as designed to maintain the highest security for our clients' data.

  • SSAE 16: An internationally-recognized, in-depth audit of control objectives and control activities.
  • HIPAA: An annual audit to validate that our data controls are consistent with the HIPAA standards.


Questions to ask a potential vendor

  • What layers of security are established, monitored and controlled?
  • How is their organization structured to evaluate trends and potential threats? Are there individuals solely dedicated to this effort? If so, how many?
  • Do they have a dedicated Information Risk Management Team in place to consistently evaluate trends and potential threats?
  • Do they have important security operations policies in place for breach notifications, business continuity plans, backup procedures and destruction?
  • Do they have a formalized incident management plan? What is the process? Has their incident management plan been audited and tested by a third party?
  • How do they protect the data storage center against any perceived threats and ensure that operations are HIPAA-compliant? Is this supported by a team of qualified individuals?
  • What HIPAA guidelines does the vendor currently have in place? Responsible vendors will be able to articulate a clear HIPAA process that is supported by a HIPAA manual and regular HIPAA training for all employees.
  • Do they participate in external audits such as SSAE 16? If so, will they share a copy of that certification report with you? When was their most recent audit (this should be done yearly)?
