Natterbox Security Overview
  • 16 May 2024
Natterbox Security Overview V1.0 14 May 2024

Introduction

Natterbox facilitates better, more aligned business conversations. We’re passionate about the value of talking to another person, but recognize that, too often, unintuitive technology or insufficient information gets in the way of genuine human connection. Our vision is to bring together the power of the human voice with the efficiency of digital technology to transform the world, one conversation at a time.

Natterbox operates a scalable Cloud Platform with high availability, resilience and performance, which supports a wide variety of Voice enabled applications. A key element of the platform operation is a solid security infrastructure both in terms of the architecture and the policies and processes that support it.

Our security controls and policies are aligned with the ISO 27001:2022 Information Security Standard, which includes: People Security controls, Incident Management, Access Controls, Policies and Procedures, Business Continuity, Network Security, Supplier and Third-Party Security and Vulnerability & Patch Management.

AWS Infrastructure

Assured Security

Protecting your data

Natterbox uses AWS as its hosting provider. Cloud security at AWS is the highest priority, and AWS data centres and network architectures are built to meet the requirements of the most security-sensitive organisations.

AWS holds many certifications such as ISO 27001, SOC2 and PCI DSS, and provides for a safe and secure environment.

Natterbox is built on a secure, multi-layer infrastructure that is ISO 27001 and GDPR compliant. 

Natterbox was one of the first companies in the UK to become certified to the new version of the standard ISO 27001:2022 written to address growing global cybersecurity challenges and improve digital trust.

All recording files are encrypted using 256 bit AES encryption keys. 

Data that passes between VPCs (Virtual Private Clouds) in distinct regions flows across the AWS global network in encrypted form. The data is encrypted in AEAD (authenticated encryption with associated data) fashion using the most recent algorithms.

Secure Infrastructure

AWS

Natterbox uses AWS as its hosting provider. Cloud security at AWS is the highest priority, and AWS data centres and network architectures are built to meet the requirements of the most security-sensitive organisations. Natterbox leverages the high-capacity, low-latency, low-jitter global network of AWS, combined with our Tier-1 carriers around the globe, for crystal-clear call quality.

AWS holds many certifications such as ISO 27001, SOC 2 and PCI DSS, and provides a safe and secure environment. Details of the S3 security features can be found here (https://aws.amazon.com/s3/security/), and the AWS SOC FAQs can be found here (https://aws.amazon.com/compliance/soc-faqs/).

Powered by AWS, Natterbox can seamlessly scale resources, while ensuring strong performance and uptime. Our infrastructure also operates as a single global platform, offering a uniform experience across all locations.

Encryption

All recording files are encrypted using 256-bit AES encryption keys.

Data that passes between VPCs (Virtual Private Clouds) in distinct regions flows across the AWS global network in encrypted form. The data is encrypted in AEAD fashion using a modern algorithm and AWS-supplied keys that are managed and rotated automatically. The same key is used to encrypt traffic for all peering connections; this makes all traffic, regardless of customer, look the same. This anonymity provides additional protection in situations where your inter-VPC traffic is intermittent.

Business Continuity and Disaster Recovery

Natterbox has established a Business Continuity and Disaster Recovery process in line with ISO 27001:2022, which is updated at least annually.

Natterbox achieves 99.99% availability by relying upon AWS, the industry-leading cloud provider. Our global infrastructure is designed with redundancy in mind, operating in 3 fully independent Availability Zones across each of the 6 regions.

We maintain a status page at https://status.natterbox.com/.

Physical Security

Amazon Web Services (AWS) is our cloud infrastructure provider; AWS maintains an audited security programme including PCI, ISO 27000 and SOC 2. The following controls are in place:

  • Security guards

  • Backup power supply

  • Temperature and humidity control

  • Closed Circuit Television Camera (CCTV)

  • Smoke detection alarm

  • Leakage detection

Monitoring

To ensure system integrity, Natterbox utilises logging and monitoring to promptly identify any suspicious activity or abuse. Upon detection of an event, a designated team will thoroughly investigate, analyse the root cause, and promptly apply necessary corrective measures to address the issue effectively.

Multi-tenant environment

All database access by public and private applications that wish to read customer data is routed via the Core API layer, which is located in the Protected Zone. This layer brokers all access to the underlying databases. The Core API layer is built on an MVC (Model, View, Controller) framework in an object-oriented fashion and exposes a REST-based interface.

The implementation incorporates base libraries that ensure that the tenancy segregation is validated for every API request based on the presence of a Session Token. The Session Token is generated on initial authentication and is locked to an IP. This Session Token is then used to restrict the data set available by account (tenant), limiting access to the underlying data structures (tables and fields) in the database.
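The brokered-access pattern described above, as an added illustration that is not Natterbox's own code: a minimal Core API stand-in that issues an IP-locked session token on authentication, refuses requests with a missing, unknown or IP-mismatched token, and applies the tenant scope inside the broker so the caller can never widen it. The table contents, tenant names and IP addresses are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rows standing in for an underlying recordings table.
RECORDINGS = [
    {"id": 1, "tenant": "acme", "file": "call-0001.wav"},
    {"id": 2, "tenant": "acme", "file": "call-0002.wav"},
    {"id": 3, "tenant": "globex", "file": "call-0003.wav"},
]


@dataclass
class Session:
    tenant: str   # account (tenant) the token was issued for
    ip: str       # client IP the token is locked to


class CoreApi:
    """Every data access goes through this broker, never straight to the tables."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, tenant: str, client_ip: str) -> str:
        # Token is generated on initial authentication and bound to the caller's IP.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(tenant, client_ip)
        return token

    def _authorise(self, token: Optional[str], client_ip: str) -> Session:
        # Tenancy is validated on every request; no token means no data.
        if not token or token not in self._sessions:
            raise PermissionError("missing or unknown session token")
        sess = self._sessions[token]
        if not hmac.compare_digest(sess.ip, client_ip):
            raise PermissionError("session token presented from a different IP")
        return sess

    def list_recordings(self, token: Optional[str], client_ip: str) -> List[dict]:
        sess = self._authorise(token, client_ip)
        # The tenant filter is applied by the broker, not supplied by the caller.
        return [r for r in RECORDINGS if r["tenant"] == sess.tenant]

    def get_recording(self, token: Optional[str], client_ip: str, rec_id: int) -> dict:
        sess = self._authorise(token, client_ip)
        for r in RECORDINGS:
            if r["id"] == rec_id and r["tenant"] == sess.tenant:
                return r
        # A row belonging to another tenant is indistinguishable from a missing row.
        raise LookupError("no such recording for this tenant")
```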

Security Organisational Structure

Security Responsibilities

The Natterbox Board and Executive Team are committed to the development, implementation and management of our Information Security Policy, which is compatible with the strategic direction and the context of the organisation.

Security responsibilities have been assigned to ensure that the management system conforms to the requirements of the ISO 27001:2022 standard. You can view our certificate here: Natterbox ISO 27001:2022 certificate

The Information Security Management Group (ISMG) has determined the Information Security Policy that is appropriate to the purpose of the organisation. The policy includes a commitment to meeting all client and legislative requirements and to continuously improve the ISMS.

Employee Contracts together with job descriptions and the Staff Handbook have been defined to outline each role within the organisation together with their related responsibilities and authorities, ensuring that the appropriate personnel are in place to cover the entire organisation and strategy of the business.

Background checks

A structured and documented onboarding procedure is in place to handle the necessary identity, reference, work authorisation, and document verifications for individuals before they start working. Individuals undergo thorough screening as allowed by law in our sector. Basic Disclosure checks are included in this screening process.

Awareness and Training

The organization implements a formal onboarding program for all new employees. Current staff members receive regular security updates at least once a month and as needed, along with continuous phishing assessments. All training activities are documented in employee records.

Access Management

Natterbox adheres to a structured process for granting or revoking access to its resources.

System access is governed by the principles of "least-possible-privilege" and "need-to-know" to guarantee that authorised access aligns with specific responsibilities.

Natterbox implements an industry-standard corporate password policy and employs Multi-Factor authentication and Single Sign-On solutions to enhance security.

From a customer and end-user perspective, the solution is 100% administered and managed within Salesforce, and therefore leverages any security and access control systems already in place there.

Application Security

Penetration Test

Natterbox performs penetration tests at least annually using independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, categorized, and resolved promptly. Redacted report summaries are available here: https://docs.natterbox.com/docs/natterbox-latest-penetration-test

Vulnerability and Patch Management

The configuration state and versions of all production systems, packages and devices are recorded and reviewed weekly for updates, vulnerability patches and known threats as outlined in our Vulnerability and Patch Management Process.

General external package updates are reviewed on a weekly basis, and relevant packages containing security fixes, enhancements, etc. are synchronised to the Development Repository. Packages are tested within the Development/QA environments for up to a week before being formally released to the Production Repository for installation on the production network.

Patches from other vendors that are outside the standard CentOS repository are approved on a case-by-case basis as and when released. Application of all patches and version updates is determined based on risk to the service and compatibility.

Software Development and Change Management

A five-stage SCCM (Software Configuration and Management Policy) is formally defined, which tracks the process of software development from Engineering through Controlled Build, QA and Staging to Production. Each phase has controls and segregation to ensure that packages are not compromised in terms of quality or security, and that auditability of changes is maintained.

Changes are broken down into three categories: Emergency, Scheduled and Routine. Emergency and Scheduled changes are formally reviewed prior to application, with a full risk review. Routine changes can be performed on request. Any security-related changes are explicitly identified in the change process. All changes are logged within a ticketing system.

SOC II / ISO 27001

Natterbox does not currently have a SOC 2 report. SOC 2 and ISO 27001 cover many of the same topics, with security controls that include the processes, policies and technologies designed to protect sensitive information. The two frameworks share around 96% of the same security controls. The difference is which controls are mandatory to implement, and Natterbox has implemented all of the controls within the updated ISO 27001:2022 standard.

We have concluded that ISO 27001 is a more robust and thorough framework to ensure the continued security of our Customers’ data. We were one of the first companies in the UK to adopt and re-certify against the new modernized version of ISO 27001 (ISO 27001:2022), demonstrating our commitment to continuous improvement of our security controls. However, we may look to add SOC II reports to our security stack in the future.

We store all call recordings in AWS S3, and much of our architecture is within AWS, which holds a number of security certifications including SOC 2 reports. Details of the S3 security features can be found here (https://aws.amazon.com/s3/security/), and the AWS SOC FAQs can be found here (https://aws.amazon.com/compliance/soc-faqs/).

Supplier Review

We conduct supplier reviews and onboarding for existing and new suppliers that includes a Supplier Service Agreement, Supplier Non-Disclosure Agreement, GDPR Review and a Technical Security Review. Our vendor management programme identifies and records the category of service, implications of service disruption and the procedures and time required to replace. Critical third party services are always identified and supplemented with redundant alternatives. Risk analysis is used to prioritise testing and the provisioning of alternative services.

Privacy

Our privacy policy is available on our website at www.natterbox.com/privacy

