Data Center & Network Security
We ensure the confidentiality and integrity of customer data with industry best practices. MaxContact is hosted at SSAE-16, ISAE 3402, PCI DSS, and ISO 27001, 27017, 27018, 22301 and 9001 compliant facilities.
Our network is protected by redundant firewalls, load balancers, secure HTTPS transport over public networks and regular audits by 3rd party security experts.
All of our production systems are monitored constantly. We use anomaly detection to alert us of anything that’s happening which is out of the normal state of operation. Production systems are only administered by Azure staff. Physical security, power, and internet connectivity are monitored by our infrastructure provider, Microsoft Azure.
MaxContact is hosted within the Microsoft Azure global infrastructure. Access to data centres is closely monitored by Azure Security Centre. Azure continually watches for unauthorised entry, using video surveillance, intrusion detection, and access log monitoring systems.
MaxContact leverages Microsoft Azure's network of data centres across the globe, including the Europe, USA and Australia regions. Customers can choose to locate their service data in a specific region, with a data sovereignty guarantee that, even in the event of a data centre failover, the data will stay within the specified region.
Network security scanning gives us in-depth insight for out-of-compliance and/or potentially vulnerable systems.
Access to the MaxContact production network is restricted on a strict need-to-know basis, applies the principle of least privilege, and is frequently audited and monitored. Employees accessing the MaxContact production network are required to use multiple factors of authentication.
Our employees are fully trained in our security response protocols including escalation paths and appropriate communication channels. In the case of a system alert, events are escalated to our teams providing operations, security and engineering support.
We implement multiple security zones in our network architecture. Sensitive systems, such as database servers, are protected in our most trusted zones. Other systems are housed in zones applicable to their sensitivity, risk and function.
We perform internal testing in both an automated and a manual fashion. Annually, MaxContact employs third-party security experts to perform penetration tests across the MaxContact production network and infrastructure.
All of our network ingress and egress is monitored 24/7, with automatic alerts set for any abnormal values or incidents that differ from our pre-defined thresholds.
Availability & Resilience
MaxContact uses the latest technology and systems to monitor and report on information that includes system availability details, scheduled maintenance, service incident history and relevant security events.
Our Disaster Recovery program ensures that our services remain available or easily recoverable in the case of a disaster. We have built a redundant technical environment and have created Disaster Recovery plans which are regularly tested.
MaxContact is deployed across multiple availability zones, and multiple instances within each zone to eliminate single points of failure. Our strict backup procedures ensure Service Data is actively replicated across primary and secondary DR systems and facilities.
Our software development teams securely develop and test against security threats to ensure the safety of our customer data. In addition, MaxContact employs third-party security experts to perform detailed penetration tests covering our application and infrastructure.
A Secure Software Development Lifecycle (SDLC)
All MaxContact engineers and developers participate in secure code training covering the OWASP Top 10 security flaws, common attack vectors, and MaxContact security controls. These courses are held twice a year. Senior employees also attend conferences and training by third parties such as Azure and other companies that work to industry best practices.
Test and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.
As part of every release, our team reviews and tests our code base to identify, test and triage possible security vulnerabilities in the code. This is in addition to any 3rd party testing and automated testing.
MaxContact utilises framework security controls to limit exposure to OWASP Top 10 security flaws. These include controls that reduce our exposure to Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and SQL Injection, amongst others.
Microsoft Azure provides a range of qualified security tools to continuously and dynamically scan our applications against the OWASP Top 10 security flaws.
In addition to an extensive internal scanning and testing program, every year MaxContact employs third-party security experts to perform detailed penetration tests on our applications and infrastructure.
We make it easy for customers to manage access, configure roles and permissions, and assign granular reporting levels to their users. All communications with MaxContact are encrypted with industry standard HTTPS over public networks, meaning the traffic between you and EvaluAgent is secure. Alternatively, we can provide solutions which are On-Net and never touch the public internet.
MaxContact provides its customers with the ability to create different password policies regardless of their role within the organisation. These can include, but are not limited to, specific required characters, the number of characters, expiry period and lockout attempts. Only users with the appropriate permission can change the password security level.
The MaxContact Application and API are SSL-only, and you must be an authenticated user making API requests from whitelisted IP addresses with valid credentials.
MaxContact follows security best practices for credential storage by never storing passwords in a human-readable format, but only as the result of a secure, salted, one-way hash.
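The two statements above (configurable password policies with required characters, length and lockout attempts, and storage of passwords only as a salted one-way hash) are illustrated by the following added example. It is not MaxContact's code and says nothing about how the product implements these features; the PasswordPolicy, AccountLockout, hash_password and verify_password names, the PBKDF2-HMAC-SHA256 choice and the record format are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


# Hypothetical policy object modelled on the options the page lists
# (required characters, number of characters, lockout attempts).
# The defaults are constructed values for this example.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_failed_attempts: int = 5


def policy_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


# Work factor for PBKDF2-HMAC-SHA256; an assumed value, chosen to make
# offline guessing expensive while keeping login latency acceptable.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, one-way hash of the password.

    The stored record carries the algorithm name, the work factor and a
    fresh 16-byte random salt, so the same password hashes differently for
    every user and the work factor can be raised later without a migration.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class AccountLockout:
    """Count consecutive failed verifications per user and lock the account
    once the policy limit is reached. In-memory only; constructed for the example."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = {}

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.policy.max_failed_attempts

    def attempt(self, user: str, password: str, stored: str) -> str:
        """Return "ok", "denied" or "locked" for one login attempt."""
        if self.is_locked(user):
            return "locked"
        if verify_password(password, stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "locked" if self.is_locked(user) else "denied"


if __name__ == "__main__":
    policy = PasswordPolicy(max_failed_attempts=3)
    candidate = "Correct-Horse-9"  # constructed sample password
    print("policy violations:", policy_violations(candidate, policy))
    record = hash_password(candidate)
    print("stored record:", record)
    lockout = AccountLockout(policy)
    for guess in ["wrong1", "wrong2", "wrong3", candidate]:
        print(guess, "->", lockout.attempt("alice", guess, record))
```

Two points the code makes that the prose does not: the salt is generated per record and stored alongside the hash, so a leaked table cannot be attacked with one precomputed dictionary for all users; and the comparison uses hmac.compare_digest rather than ==, so verification time does not leak how many leading bytes of a guess were right.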
Additional Product Security Features
Access to data within MaxContact is governed by an access control policy and can be configured to define granular access privileges. MaxContact provides a standard set of permissions to get you started, and you can fully customise and/or disable this initial set of permissions if required.
All communications with MaxContact servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and MaxContact is secure during transit.
MaxContact has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees with access to MaxContact assets. This ISMS (Information Security Management System) is accredited to ISO 27001 Standard and audited by BSI.
All employees attend Security Awareness training which is given upon hire and twice a year thereafter. All developers receive quarterly Secure Coding training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal training.