Security and Authentication
CINNOX empowers its users to communicate effortlessly and effectively in a unified platform by dissolving boundaries and connecting consumers globally.
As a powerful cloud-based customer service platform, CINNOX provides businesses with robust calling and messaging capabilities on their websites and apps, and ultimately creates better engagement between service providers and their consumers.
CINNOX offers a combination of voice and chat functions, allowing you and your customers to talk and chat on a single multi-channel platform. Using CINNOX's mobile web browser or application, your agents can continue to support your customers anywhere and at any time.
Equally important to providing effective communication, CINNOX also embraces security as a serious matter to consider. Protecting your data beyond the industry standard is one of our top priorities.
We have extensive years of experience providing satisfactory services for big and small businesses; including Fortune 500 companies.
We are proud that we have not only reached but have exceeded their requirements and expectations. This is proven by the certificates we have obtained within the telecommunications field.
Shared Security Responsibility
Security and Compliance are a shared responsibility between "You" as a Customer and "Us" as the SaaS Provider.
CINNOX responsibility "Security Behind CINNOX" - CINNOX is responsible for protecting the infrastructure, including data, software, hardware, networking, and facilities that run in the service.
Customer responsibility "Security in CINNOX" – Customer responsibility will be determined by the features adopted and deployed. This determines the amount of configuration work the customer must perform as part of their security responsibilities.
IT infrastructure is the foundation of CINNOX’s services. A robust IT service is dependent on robust IT infrastructure.
Our IT infrastructure consists of:
- Capacity Planning
- Availability Planning
- Continuity Planning
- Security Planning
- Business Growth Planning
We build our IT infrastructure with careful technical planning and business planning to ensure it fulfils industry standards and business needs.
Our network equipment is located in multiple dedicated data centres. These data centres house switches, servers, and network equipment that distribute our services. CINNOX's Data Centres are ISO 9001, ISO 27001, ISO 20000 and ISO 27017 compliant.
CINNOX also uses multiple public clouds for better service. These tier-1 data centres all comply with local regulations.
CINNOX uses multiple standard protocols for exchanging messages and calls, chosen so that firewalls and proxies recognise them.
We use well-known ports to prevent blockage by firewalls or proxies. Calls are set up with SIP over HTTPS (port 443) to exchange the source and destination numbers. As soon as a call is connected, media is exchanged over UDP ports 10000-50000 (DTLS-SRTP).
Messages are exchanged through a WebSocket over HTTPS (port 443).
Each of our customers owns a unique domain and service ID. After a visitor clicks on the widget button, we create a unique ID for that visitor, tied to the same domain. Authorisation is done only once, so your visitors are recognised the next time they visit your website; however, the integrity of the visitor ID is checked every time they revisit your website.
Since a customer's browser can be used to hijack customer data, we implemented a high-security mechanism to mitigate this risk. A unique token that expires soon after its once-off use is generated for the customer each time they visit your website. We use local storage to prevent session hijacking.
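The visitor identification flow described above, as an added illustration that is not CINNOX's own code: a visitor ID bound to the customer's domain and service ID, an integrity check on every revisit, and single-use tokens that expire shortly after issue. The HMAC construction, the `|`-separated layout, the server key and the 60-second TTL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of the visitor identification flow described above:
# a visitor ID bound to the customer's domain and service ID, an HMAC
# signature checked on every revisit, and short-lived single-use tokens.
SERVER_KEY = secrets.token_bytes(32)  # constructed; lives server-side only


def issue_visitor_id(domain: str, service_id: str) -> str:
    """Create a visitor ID bound to one customer domain and service ID (done once)."""
    visitor = secrets.token_hex(16)
    payload = f"{service_id}|{domain}|{visitor}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{service_id}|{domain}|{visitor}|{sig}"


def verify_visitor_id(stored: str, domain: str, service_id: str) -> bool:
    """Integrity check on revisit: signature intact and bound to this domain/service."""
    try:
        sid, dom, visitor, sig = stored.split("|")
    except ValueError:
        return False  # malformed or truncated value read back from local storage
    payload = f"{sid}|{dom}|{visitor}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and dom == domain and sid == service_id


class TokenStore:
    """Single-use tokens that expire shortly after issue (the TTL is an assumption)."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self.tokens = {}  # token -> (visitor_id, expiry time)

    def issue(self, visitor_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (visitor_id, now + self.ttl)
        return token

    def redeem(self, token: str, now: float):
        # pop() removes the token, so a replayed token is rejected even inside the TTL
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        visitor_id, expiry = entry
        return visitor_id if now <= expiry else None
```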
- Cross-region identification
- Secure encryption
- Secure authentication
- Multi-factor authentication
- Access control by IP or number for agent and visitor
- Password policy
- Integrate with third-party authentication systems (oAuth 2)
- Audit log
- Data retention
- Customised roles and permissions
- Private and public rooms
- Security settings to adjust limits such as calls per minute or messages per minute (Advanced Throttling System)
- AI calls fraud detection and blocking
- Free DDoS prevention system
Protected agent/admin area: The control panel area is protected by username and password, and it has a login attempt limit. It is designed to allow the administrator to define the password policy (password history, password age, and lockout threshold). Administrator and agent accounts are created carefully, and their settings can only be customised by an administrator.
The administrator can also allow or block visitors/agents' access from a specific IP or number.
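The following is an added example, not CINNOX's own implementation, of how the controls named above fit together: a password history check, a maximum password age, a lockout threshold on failed logins, and an IP block list. The `Policy` and `Account` classes, the PBKDF2 hashing and all numeric values are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical policy model for the controls named above; values are assumptions.
@dataclass
class Policy:
    history_depth: int = 5               # reject reuse of the last N passwords
    max_age_seconds: float = 90 * 86400  # force a change after this age
    lockout_threshold: int = 5           # failed attempts before lockout
    lockout_seconds: float = 900.0
    blocked_ips: set = field(default_factory=set)

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # PBKDF2 digests, newest last
    set_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(acct: Account, policy: Policy, new_pw: str, now: float) -> str:
    digest = _digest(new_pw, acct.salt)
    recent = acct.history[-policy.history_depth:]
    if any(hmac.compare_digest(old, digest) for old in recent):
        return "rejected: password reused"
    acct.history.append(digest)
    acct.set_at = now
    return "ok"

def login(acct: Account, policy: Policy, pw: str, ip: str, now: float) -> str:
    if ip in policy.blocked_ips:
        return "denied: ip blocked"
    if now < acct.locked_until:
        return "denied: locked out"
    current = acct.history[-1] if acct.history else b""
    if not hmac.compare_digest(current, _digest(pw, acct.salt)):
        acct.failures += 1
        if acct.failures >= policy.lockout_threshold:
            acct.locked_until, acct.failures = now + policy.lockout_seconds, 0
            return "denied: locked out"
        return "denied: bad password"
    acct.failures = 0  # a good login resets the failure counter
    if now - acct.set_at > policy.max_age_seconds:
        return "ok: password expired, change required"
    return "ok"
```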
Room security: After visitors or agents create a new room, the following security steps are checked:
- Check if the visitor is spam or not
- Create an encrypted room and notify agent on a secure channel
- Encrypt messages and calls during the conversation
- Rate limit to prevent flooding of messages and enquiries for spamming purposes
- Data encryption in transit (Using TLSv1.3 – Grade A+ from SSL Labs’ tests)
- Data encryption at rest with key rotation feature
- Unique room ID with pre-defined participants
Call security: CINNOX uses the standards-based VoIP (Voice-Over-Internet-Protocol) to deliver high-quality calls.
- High-quality, reliable codec (Opus) scaling from HD down to the lowest bandwidth consumption, with other codecs supported as fallback
- AES-256 TLS 1.3 encryption (with TLS 1.2 also supported) – Grade A+ from SSL Labs’ tests
- Media encryption (DTLS-SRTP)
- Data encryption at rest to protect data
- Fraud detection and prevention
- Using global blocklist numbers to prevent spam
- Using unique EID for source and destination numbers to prevent unauthorised use
- Generating a unique temporary SIP (Session Initiation Protocol) account with AES 256-bit encryption token
CINNOX has extensive years of experience in successfully defending customers from thousands of hackers. CINNOX has security features implemented in your account. It's your responsibility to protect yourself by utilising the Administration Control Features.
We offer security capabilities to manage your data access internally:
- Create a staff account with a designated role
- Customised role and permission
- Ability to create multiple companies
- Ability to create multiple departments
- Ability to assign a different role to a different department
- Suspend staff account
- Mandatory multi-factor authentication
- Require staff members to enable multi-factor authentication before they can log in
- Monitor staff members' usage
- Check and audit billing reports for each staff member
- Read-only audit trail for every single change
- Export feature for importing into a SIEM
You can customise these features to protect yourself from any suspicious activities:
- Block login after several failed attempts
- Limit the number of enquiries a visitor can make
- Limit the number of messages a visitor can send
- Detect fraudulent calls and reject them by default
- Reject requests from hostile IP addresses
- Detect multi-region spam
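The per-visitor limits above (messages and enquiries per visitor, and the calls-per-minute and messages-per-minute settings of the Advanced Throttling System described under room security) can be modelled as a sliding-window counter keyed on visitor and action. This is an added example, not CINNOX's own code; the `LIMITS` values are constructed assumptions, not CINNOX defaults.

```python
import time
from collections import defaultdict, deque

# Constructed per-minute limits in the spirit of the "Calls Per Minute" and
# "Message Per Minute" settings; the numbers are assumptions, not defaults.
LIMITS = {
    "message": (30, 60.0),  # at most 30 messages per 60-second window
    "enquiry": (5, 60.0),
    "call": (3, 60.0),
}


class VisitorThrottle:
    """Sliding-window limiter keyed on (visitor_id, action)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.events = defaultdict(deque)  # timestamps inside the current window

    def allow(self, visitor_id: str, action: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        max_events, window = self.limits[action]
        q = self.events[(visitor_id, action)]
        while q and now - q[0] >= window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= max_events:
            return False  # over the limit: the request is dropped
        q.append(now)
        return True

    def retry_after(self, visitor_id: str, action: str, now: float) -> float:
        """Seconds until the oldest event ages out, usable as a Retry-After hint."""
        max_events, window = self.limits[action]
        q = self.events[(visitor_id, action)]
        if len(q) < max_events:
            return 0.0
        return max(0.0, q[0] + window - now)


def simulate_burst(throttle, visitor_id, action, count, start=0.0, gap=0.5):
    """Send `count` events `gap` seconds apart; return (accepted, rejected)."""
    accepted = rejected = 0
    for i in range(count):
        if throttle.allow(visitor_id, action, start + i * gap):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected
```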
Furthermore, you can enable Data Retention to archive your data.
- When you use the Data Retention feature, it will be your sole responsibility to manage and maintain your on-premise SFTP server (such as locally-hosted servers or preferred backup sites).
SIEM & SOC
SIEM tools are an essential part of the data security ecosystem: they aggregate logs from multiple systems and analyse them to catch abnormal behaviour or potential cyberattacks. A key focus is to monitor and help manage user and service privileges, directory services, and other system-configuration changes, and to provide log auditing, review, and incident response.
The benefit of SIEM in CINNOX is to identify attackers who try to access our platform. We trace them from their first access until we block them across the different platforms.
CINNOX Use Cases
- Collecting logs from all devices and applications
- Correlating logs and finding anomalous behaviour
- Using AI to find cyberattacks
- Forensics capabilities - making proper decisions and reports for incident response
- Fraud detection and prevention using AI algorithms
Why does CINNOX use SIEM?
With SIEM, we can detect a cyber attack and use AI to block the bad traffic automatically. We also generate alerts to our security team, and some of them are sent to customers to make them aware of the incident.
CINNOX's SIEM can also be valuable to improve incident handling activities' efficiency, by reducing resource utilisation and allowing real-time incident responses, limiting the damage.
Security Operation Centre (SOC)
Our SOC team has advanced security skills and works across different security systems, such as the SIEM, to prevent identity theft and block incidents.
At CINNOX, we use a 24/7 dedicated SOC team holding different security certifications (CEH, CISSP, OSCP, and SANS).
Our security team is separated into different tiers. The first one monitors the graphs and alarms. They analyse and send reports to the next tier for investigation and proper action with the security alerts. The action can be to block the hacker or to do a forensic process and incident handling.
Privacy & Compliance
Protecting our customers' privacy is a priority at CINNOX, and we are committed to maintaining strong and compliant privacy protections in line with the provisions of the Hong Kong Personal Data (Privacy) Ordinance (CAP 486) and the General Data Protection Regulation (EU) 2016/679. Ensuring your information's privacy is an important responsibility, and we thank you for the trust you place in us.
CINNOX guarantees to use the best technologies and methods to protect customers' data.
ISO 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
An ISMS is a systematic approach to managing sensitive customer information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process.
CINNOX is certified for:
- Clear security policy
- Secure documents and communications
- Information security incident management
- Business continuity management (This is the process involved in creating a system of prevention and recovery from potential threats to a company)
- Access control
- Secure asset management
- Secure development and maintenance process
Awarded ISO 9001 certification for its Quality Management System. This internationally recognised standard is based on several quality management principles, including a strong customer focus, the motivation and implication of top management, the process approach, and continual improvement.
Awarded ISO 20000 for IT service management. It sets out a comprehensive framework covering various areas of the management process, including continuity and availability of service, information security, service configuration, incident handling, and business relationships to ensure the delivery of stable, reliable and high-quality IT services.
Awarded ISO 27017 for its commitment to providing secure cloud services and ensuring robust data protection controls. The achievement represents CINNOX’s ongoing pursuit of the most recent and stringent security standards in the industry.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.
The GDPR aims primarily to give control to the individuals over their personal data. And to simplify the regulatory environment for international business by unifying the regulation within the EU.
CINNOX guarantees to:
- Keep personal data in a safe and proper location, as required by GDPR
- Collect the minimum data needed to improve products
- Provide a clear and simplified policy
- Respond to customer requests to delete or edit personal data
- Notify customers in case of a data breach
Other Security Features
We have security awareness training each year with a monthly security newsletter for our employees. Developers passed multiple security training to make sure their code is secure by default.
CINNOX has been tested several times by security companies and hackers. It helps us to ensure our application is secure, and we covered the latest OWASP risks.
We perform vulnerability scans on our PoP sites every day to make sure new deployments or libraries are secure and not susceptible to exploits or attacks.
We have a bug bounty program for hackers. If you find a security bug, you can contact us at [email protected] so we can analyse the bug and you can receive your bonus.
We have multiple policies for our employees.
Sensitive database credentials are only provided to trusted employees, with audit trail review by an independent party.
Our built-in policy and password manager generate temporary credentials for them after manager approval. The account then ceases to work after an hour.
Employee contracts include a confidentiality agreement section.
Critical assets that contain sensitive data, such as customer data, are only accessible from a secure environment where internet access is blocked and which is protected by multiple security controls.
Key people take mandatory leave, which ensures that their backup person has already completed the required training and helps ensure the absence of fraud.