Updated: April 2018
Permalink: https://confluence.wildix.com/x/QgBuAQ
Security is a top priority for Wildix. All security features are built into the product, which means the Wildix system is secure by design and security is not delegated to third-party devices.
All Wildix products are regularly checked for security vulnerabilities, and updates are made available whenever a vulnerability is discovered in Wildix services or in the third-party libraries used by the system.
Security measures in place
We support the following security and encryption protocols and reporting tools:
Single Sign-On with Active Directory, Google and Microsoft Office 365
Two-factor authentication when using Google or Microsoft Office 365 Single Sign-On
Secure hash functions: SHA-512 + salt for hashing of user passwords
TLS encryption of HTTPS traffic to the PBX and of screen sharing sessions
SIP TLS - SIP signalling over TLS
SRTP - voice / audio encryption with AES-128, keys exchanged via SDES
DTLS-SRTP - voice / audio encryption with SRTP keys exchanged over DTLS
VPN with AES-encrypted traffic between PBXs
LDAP over TLS
SMTP / IMAP / POP3 connections over TLS
SSH console access
Intrusion detection on all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)
DoS protection on all services managed by the PBX (SIP / RTP / DNS proxy / NTP / Web)
Built-in SIP SBC (Session Border Controller)
Secure password requirements
Support for Zabbix monitoring
Reporting of intrusions detected within the system
All these security measures are enabled by default on all Wildix Phones and Media Gateways connected to the system. No Wildix Phone or Media Gateway can be accessed using a master password.
Security vulnerabilities report
Vulnerabilities and questions about privacy must be reported to security@wildix.com. A Vulnerability Reward Program is in place; the reward depends on the severity of the problem found.
Reasons to contact us at security@wildix.com:
I’m experiencing a security problem with my Wildix account
I want to report a technical security bug in a Wildix product (WMS, Collaboration, WMP, Kite, ubiconf, WP, iOS / Android Wildix apps)
I have a privacy concern or a privacy-related question about Wildix products and services.
Wildix Cloud and ISO 27001 compliance
Wildix Cloud services are located in data centers that undergo ISO 27001 audits. These data centers share hosted facility space with the world’s largest Internet companies. The geographic diversity of these locations acts as an additional safeguard that minimizes the risk of service interruption due to natural disasters.
Privacy and GDPR Security
Note: Article 4 of the EU General Data Protection Regulation defines data controllers and data processors as follows:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Both Wildix and all the System Integrators (Wildix Business Partners) who process data of customers residing in the European Union (regardless of whether the data processing takes place in the EU or not) are data processors.
With regard to the GDPR, which comes into force on 25 May 2018, Wildix provides a number of features, either active by default or available for activation, to help ensure that the services provided by Wildix and Wildix Business Partners comply with GDPR requirements:
SIP Proxy logging: information about new SIP registrations (from user, from name, user agent) is now logged at the default debug level (WMS-4295)
Collaboration / WMS connection logging: information about connections is now written to syslog (remote IP, port, username, auth method, login / logout / login failed) (WMS-3986)
Added the possibility to use remote syslog (Rsyslog) in addition to local syslog (WMS-3987)
Records containing personal data must be treated with caution. By sending logs to a remote syslog server you make sure that, in the event your system has been hacked, 1) the attacker does not get access to the syslog and 2) the attacker cannot delete the syslog.
All conference recordings and files are automatically deleted after 6 months (WMS-4347) (GDPR - Right to be forgotten)
Added an option to auto-delete CDR, chats / Kite chats, voicemails and call recordings after a period of time, in WMS Settings -> PBX -> Call and chat history (WMS-4090; WMS-4084) (GDPR - Right to be forgotten)
Files shared via the system are automatically deleted after 6 months (GDPR - Right to be forgotten)
Contacts imported from Outlook / Google are automatically deleted (GDPR - Right to be forgotten)
Contacts previously imported from an external database / backend via WMS are automatically deleted if they are not received during the cron job (this option has always existed; to enable it, check the box “Remove existing contacts which are not received from the backend” in WMS - Users - Phonebooks - Import) (GDPR - Right to be forgotten)
Added CSRF attack protection via a domain whitelist in WMS Settings - PBX - Security: any WebAPI / PBX API integration stops working if its domain is not added to the list (WMS-3985)
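The connection records described above (remote IP, port, username, auth method, login / logout / login failed) are only useful if somebody reads them. The following is an added example, not Wildix code: it parses constructed syslog lines carrying those fields and flags remote IPs with repeated failed logins. The line layout, process name and event values are assumptions; the real WMS format may differ.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records modelled on the fields the page lists for
# Collaboration / WMS connection logging (remote IP, port, username, auth
# method, login / logout / login failed). The layout is an assumption.
SAMPLE_SYSLOG = """\
Apr 12 10:01:02 pbx wms[2311]: connection ip=203.0.113.7 port=51022 user=alice auth=password event=login
Apr 12 10:01:40 pbx wms[2311]: connection ip=203.0.113.7 port=51030 user=alice auth=password event=logout
Apr 12 10:02:11 pbx wms[2311]: connection ip=198.51.100.9 port=40001 user=admin auth=password event=login_failed
Apr 12 10:02:12 pbx wms[2311]: connection ip=198.51.100.9 port=40002 user=admin auth=password event=login_failed
Apr 12 10:02:13 pbx wms[2311]: connection ip=198.51.100.9 port=40003 user=bob auth=password event=login_failed
Apr 12 10:02:14 pbx wms[2311]: connection ip=198.51.100.9 port=40004 user=carol auth=password event=login_failed
Apr 12 10:03:00 pbx wms[2311]: connection ip=192.0.2.5 port=33000 user=dave auth=sso_google event=login
Apr 12 10:03:30 pbx wms[2311]: connection ip=192.0.2.5 port=33001 user=dave auth=sso_google event=login_failed
Apr 12 10:03:31 pbx cron[77]: unrelated line that the parser must skip
"""

LINE_RE = re.compile(
    r"connection ip=(?P<ip>\S+) port=(?P<port>\d+) user=(?P<user>\S+) "
    r"auth=(?P<auth>\S+) event=(?P<event>\S+)"
)

def parse_connection_events(text):
    """Return one dict per connection record; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def find_failed_login_sources(events, threshold=3):
    """Remote IPs with at least `threshold` failed logins, with the usernames tried."""
    failures = Counter()
    users = defaultdict(set)
    for ev in events:
        if ev["event"] == "login_failed":
            failures[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    events = parse_connection_events(SAMPLE_SYSLOG)
    for ip, info in find_failed_login_sources(events).items():
        print(f"{ip}: {info['failures']} failed logins, users tried: {', '.join(info['users'])}")
```

Run against the copy held on the remote syslog server, the same check still works after a compromised PBX has had its local log cleared.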
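To show what the domain whitelist above is checking, here is an added example of the same kind of origin check (example code, not Wildix's implementation): a state-changing request is accepted only if its Origin (or, failing that, Referer) names a host on the allowlist. The allowlist entries, header handling and safe-method exemption are this example's assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the domains an administrator enters
# in WMS Settings - PBX - Security (placeholder hosts, not real ones).
ALLOWED_DOMAINS = {"crm.example.com", "intranet.example.org"}

def origin_host(header_value):
    """Host named by an Origin or Referer header value, or None if unusable."""
    if not header_value or header_value == "null":
        return None  # missing or opaque origin cannot be verified
    parts = urlsplit(header_value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # only web origins are meaningful for this check
    return parts.hostname.lower()  # port is ignored in this simplified check

def is_request_allowed(method, headers, allowed=ALLOWED_DOMAINS):
    """Accept a request if it is a safe method or its origin is on the allowlist."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # read-only methods are not the target of the CSRF check here
    host = origin_host(headers.get("Origin") or headers.get("Referer"))
    if host is None:
        return False  # state-changing requests must carry a verifiable origin
    return host in allowed  # exact match: subdomains are not implicitly trusted

if __name__ == "__main__":
    for hdrs in ({"Origin": "https://crm.example.com"},
                 {"Origin": "https://crm.example.com.attacker.example"},
                 {}):
        print(hdrs, "->", "allowed" if is_request_allowed("POST", hdrs) else "blocked")
```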