Security
Security — overview
Summary of SIVO's security measures. For your security or procurement team. No unnecessary jargon.
This page summarizes SIVO’s security measures. Designed for conversations with your security, procurement or audit teams — before signing.
The essentials
| Aspect | How SIVO addresses it |
|---|---|
| In-transit encryption | TLS 1.3 on API and panel. SRTP on voice. WSS on WebRTC. |
| At-rest encryption | AES-256-GCM in DB. Encryption-at-rest on storage (S3/equivalent). |
| Identity | Mandatory MFA on admin accounts. SAML/OIDC SSO on Enterprise. |
| Access control | 5 base roles + customizable permissions (Enterprise). Every action verified backend-side. |
| Audit | Immutable log of every admin action. Exportable to CSV. Retention per plan. |
| Residency | EU by default. US or custom region on Enterprise. |
| Backups | Encrypted, retention per plan, periodic restore tests. |
| Compliance | GDPR-ready. Formal certifications under evaluation. |
Customer isolation
Each customer’s data is separated at the database engine level. Even if the application had a bug, PostgreSQL automatically drops rows that don’t belong to the asking customer. See Multi-tenant for details.
GDPR and privacy
SIVO processes personal data on behalf of its customers (role of data processor). For formal details, see:
- DPA (Annex I of terms) — the data processing agreement.
- Privacy policy — how we treat data from the site itself.
Key points:
- Sub-processors authorized and notified 30 days in advance if changed.
- Data subject rights (access, rectification, erasure) exercisable via API or backoffice.
- Breach notification in under 72h per GDPR art. 33.
- Right-to-be-forgotten by user or by tenant.
Operational hardening
- Rate limiting on sensitive endpoints (login, public API).
- Short-TTL JWT (24h) with blacklist on logout.
- Temporary lockout after 5 failed login attempts in 15 min.
- Dynamic ACL on SIP trunks — only authorized IPs can send calls.
- WAF at the perimeter (Cloudflare) to block common attacks.
What your security team can request
Things we usually share under NDA in Enterprise evaluations:
- Complete sub-processors list (including cloud providers and regions).
- Internal incident management policy.
- Annual pentests (when available).
- Log retention and backup policies.
- Business Continuity Plan (BCP) and Disaster Recovery (DR) plan.
- Documentation of internal processes and controls.
Contact [email protected] to start the evaluation.
Vulnerability reports
If you discover a security flaw: [email protected] with PGP key available on request. Responsible disclosure program active — we confirm in 48h and publish credit to the researcher after fix (with their authorization).
Related pages
- RBAC — roles and permissions — detailed access control model.
- Configuration variables — security-related keys.
- JWT key rotation — key rotation policy.