
Security Policy at Wildix


Updated: April 2018

Permalink: https://confluence.wildix.com/x/QgBuAQ

Security is a top priority for Wildix, and all security features are built into the product: the Wildix System is Secure By Design, and security is not delegated to third-party devices.

All Wildix products are regularly checked for security breaches, and upgrades are made available whenever a breach is discovered in Wildix services or in third-party libraries used by the system.

Security measures in place

We support the following security and encryption protocols and reporting tools:

  • Single Sign-On with Active Directory, Google, Microsoft Office 365

  • 2 Factor Authentication when using Google, Microsoft Office 365 Single Sign-On

  • Secure hash function SHA-512 + salt for hashing of User Passwords

  • TLS encryption of HTTPS traffic to the PBX, screen sharing sessions

  • SIP TLS - SIP signalling over TLS

  • SRTP - SDES-AES 128 encryption of voice / audio

  • DTLS-SRTP - TLS encryption of voice / audio

  • VPN AES encrypted traffic between PBXs

  • LDAP via TLS

  • SMTP / IMAP / POP3 connections over TLS

  • SSH console access

  • Intrusion detection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

  • DoS protection over all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)

  • SIP SBC built in

  • Requirement for secure passwords

  • Support for Zabbix monitoring

  • Report of intrusion detected within the System

All these security measures are enabled by default on all Wildix Phones and Media Gateways connected to the system. No Wildix Phone or Media Gateway can be accessed using a Master Password.

Security vulnerabilities report

Vulnerabilities and questions about privacy must be reported by email to security@wildix.com. We have a Vulnerability Reward Program in place; the reward depends on the importance of the problem found.

Reasons to contact us at security@wildix.com:

  • I’m experiencing a security problem with my Wildix account

  • I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, ubiconf, WP, iOS / Android Wildix apps)

  • I have a privacy concern or a privacy-related question about Wildix products and services.

Wildix Cloud and ISO 27001 compliance

Wildix Cloud services are located in data centers that undergo ISO 27001 audits. These data centers share hosted facilities space with the world’s largest Internet companies. The geographic diversity of these locations acts as an additional safeguard which minimizes the risk of service interruption due to natural disasters.

Privacy and GDPR Security

Note: Article 4 of the EU General Data Protection Regulation defines data controllers and data processors as below:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Both Wildix and all the System Integrators (Wildix Business Partners) who process data of customers residing in the European Union (regardless of whether the data processing takes place in the EU or not) are Data processors.

With regard to the GDPR, which comes into force on 25 May 2018, Wildix provides many features that are automatically active or can be activated to make sure the services provided by Wildix and Wildix Business Partners comply with GDPR requirements:

  • SIP Proxy logging: information about new SIP registrations (from user, from name, user agent) is now logged with default debug level (WMS-4295)

  • Collaboration / WMS connections logging: information about connections is now written to syslog (remote IP, port, username, auth method, login / logout / login failed) (WMS-3986)

  • Added the possibility to use Remote syslog (Rsyslog) in addition to local syslog (WMS-3987)

    • Records containing personal data must be treated with caution. By introducing a remote syslog you make sure that, in the event your system has been hacked, 1) a hacker doesn’t get access to the syslog and 2) a hacker does not delete the syslog

  • All conference recordings and files are automatically deleted after 6 months (WMS-4347)

    • GDPR - Right to be forgotten

  • Added an option to auto-delete CDR, chats / Kite chats, voicemails and call recordings in WMS Settings -> PBX -> Call and chat history after a period of time (WMS-4090; WMS-4084)

    • GDPR - Right to be forgotten

  • Files shared via the system are automatically deleted after 6 months

    • GDPR - Right to be forgotten

  • Contacts imported from Outlook / Google are automatically deleted

    • GDPR - Right to be forgotten

  • Contacts previously imported from an external database / backend via WMS are automatically deleted if they are not received during the cron job (this has always existed; to enable it, check the box “Remove existing contacts which are not received from the backend” in WMS - Users - Phonebooks - Import)

    • GDPR - Right to be forgotten

  • Added CSRF attack protection via a domain whitelist in WMS Settings - PBX - Security: any WebAPI / PBX API integration will stop working if the domain is not added to the list (WMS-3985)
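
The following is an added sketch, not Wildix code, of how a domain whitelist check of this kind typically works and why an integration served from an unlisted domain stops working. The header handling, the fail-closed default and the sample domains are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed whitelist standing in for the domains an admin enters in the PBX settings.
ALLOWED_DOMAINS = frozenset({"crm.example.com", "intranet.example.com"})


def source_host(headers):
    """Host of the page that issued the request: Origin first, Referer as fallback."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # also covers the opaque origin "null"
    return parts.hostname.rstrip(".")  # hostname is already lowercased


def api_request_allowed(headers, allowed=ALLOWED_DOMAINS):
    """Exact host match only; suffix or substring matching would be bypassable."""
    host = source_host(headers)
    return host is not None and host in allowed


# Constructed sample requests (header dicts) with the decision each should get.
SAMPLES = [
    ({"Origin": "https://crm.example.com"}, True),
    ({"Origin": "https://CRM.example.com:8443"}, True),           # case and port ignored
    ({"Referer": "https://intranet.example.com/dial?x=1"}, True),  # no Origin header
    ({"Origin": "https://crm.example.com.attacker.test"}, False),  # look-alike suffix
    ({"Origin": "https://notcrm.example.com"}, False),             # substring of a listed name
    ({"Origin": "null", "Referer": "https://crm.example.com/"}, False),  # sandboxed page
    ({}, False),                                                   # nothing to check: fail closed
]


def evaluate_samples():
    """Return the decision for every sample, in order."""
    return [api_request_allowed(headers) for headers, _ in SAMPLES]


if __name__ == "__main__":
    for (headers, expected), got in zip(SAMPLES, evaluate_samples()):
        print(f"{'allow' if got else 'deny':5}  expected={expected}  {headers}")
```
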

