Security and data privacy

Security by Design

Our approach is grounded in the principle of Security by Design, ensuring that security is an integral part of our product's foundation, from its inception to ongoing development and maintenance.

Authentication and Access Control

Users

Users must be authenticated in order to access the system. User authenticated sessions are terminated in case of user inactivity.

Single Sign On (SSO)

For convenience and best user experience, SentioCX provides the option to enable SSO for users at tenant level. We implement industry standard identity federation protocols like OpenID Connect and SAML for best security and ease of configuration.

Role based Access Control (RBAC)

SentioCX uses roles to enable fine grained user access to features and data. A user with administrator role can manage roles for the other users in the tenant.

API

API endpoints exposed by SentioCX are protected using industry standard Oauth2 authorization framework. All endpoints implement TLS (Transport Layer Security) encryption.

Tenant data isolation

SentioCX is built as a multi-tenanted system to ensure maximum level of isolation and security.

Every one of our customers is treated as a separate tenant. The data is isolated end-to-end at the tenant level. By default, tenants share the infrastructure, but we are able to accommodate dedicated tenant infrastructure when situation requires.

Data ownership

The data entered and managed in our system by a customer (tenant) is the property of the customer.

Account and Billing data is required by SentioCX. This data is managed separately from the multi-tenanted application data.

Data confidentiality

SentioCX does not share the data with third party entities.

SentioCX does not access the data unless unless a prior agreement is arranged between SentioCX and the tenant.

Data encryption

We employ industry-standard encryption protocols to safeguard your data during transit and at rest. This includes TLS (Transport Layer Security) for data in transit.

We encrypt all data stored in our system, ensuring that your information remains confidential and secure. We leverage storage technology provided by our certified Cloud infrastructure providers.

Data retention

SentioCX stores data for 90 days starting from the day the subscription to our services has ended.

Conversations data

Some integration models require that conversational data passes through our infrastructure.

SentioCX does not store this data for long term.

For example, the messages between users and agents are stored in our system until delivery to the recipient is confirmed, and deleted immediately.

Data residency

Our goal is to meet our customers requirements regarding legal and regulatory compliance, data sovereignty and performance.

We currently provide our services from data centers located in Frankfurt, Germany.

In the future we will make our services available in other geographical locations.

Regulatory compliance

GDPR

SentioCX acts as a data processor and a data controller under the GDPR.

Data processor:

• for personal data and information that gets uploaded into our system through regular use of provided applications and services.

• SentioCX does not access the tenant data unless a prior agreement is arranged between SentioCX and the tenant.

• SentioCX collects log data required for ensuring the quality and availability of the system. We do not collect or store any Personally Identifiable Information (PII) in the log data, neither Personal Data such as conversation data between the customers, agents and chatbots.

Data controller: for data collected to provide our products, services and customer support. This may include information as customer name and contact information.

Infrastructure Security

Our infrastructure is hosted on secure and compliant public cloud providers, adhering to industry-leading security standards ((ISO 27001, SOC, PCI-DSS).

The production environment (used by our customers) is hosted separately from the environments used for development. There is strict and audited access control to production environment based on the least privilege principle.

Business continuity

We constantly monitor our service availability and quality in order to immediately respond to any anomaly:

• external uptime and synthetic monitoring

• technical and business features metrics collected from our platform and (micro) services

• infrastructure provider metrics

Regular data backups are performed to prevent data loss. Our disaster recovery plans are in place to minimize downtime and ensure the continuity of service in the event of unforeseen incidents.

Transparent Communication

In the event of a security incident, we are committed to transparently communicating with our users. Our incident response plan ensures swift action, and we keep you informed throughout the resolution process.