Nuacem Security & Trust
Effective date: May 23, 2023
Enterprise Security, Privacy, and Data Integrity.
At Nuacem, we take the security and privacy of our clients’ data very seriously. Our omnichannel Conversational User Interfaces collect and process large volumes of both personal and payment data, making stringent security controls a crucial priority.
Our technology, infrastructure, and processes are monitored continuously and improved, with security being the main focus. We have policies and procedures that address a broad spectrum of security concerns, establishing a solid foundation that assists our clients to exceed their customer expectations.
Nuacem’s multi-layered security design provides the platform with enterprise-grade security capabilities focused on data protection for our clients and their end customers, and on compliance, security, and vulnerability-management best practices.
Physical Security
Nuacem’s cloud instances run on multi-region AWS and NTT Data cloud servers. These cloud facilities house the supporting infrastructure and systems; as a result, NTT Data and AWS are responsible for physical security controls, on-site data protection, and monitoring of the data centres. Under the shared responsibility model, application security and privacy outside the NTT Data/AWS scope are handled by Nuacem and covered by our compliance with GDPR, ISO 9001, ISO 27001, and ISO 27017.
Our internal security team (IST) works in tandem with external teams of professionals to ensure all systems are monitored and operational from the infrastructure standpoint.
Data Security
We use secure components, such as FIPS 140-certified encryption solutions, to protect customer data throughout its lifecycle.
ISO 9001 and ISO 27001 Certifications
Nuacem AI holds both ISO 9001:2015 and ISO 27001:2013 certifications. These standards cover Quality Management and Information Security Management, respectively. ISO 9001 ensures high-quality services, customer satisfaction, and continuous improvement. ISO 27001 focuses on managing sensitive information such as financial details, intellectual property and third-party data with a systematic approach.
Encryption in Transit
Network traffic between customers and Nuacem servers over public networks is encrypted with HTTPS using the SSL/TLS protocol, following industry best practices and using current, non-weak cipher suites. Plain HTTP is not allowed. Email is encrypted with TLS as well.
Encryption at Rest
All Nuacem-managed data, disks, filesystems, and datastores are encrypted using provider-managed key management systems, with keys operated and maintained by Nuacem. All data is encrypted with the industry-standard AES-256 block cipher. For on-premises deployments, customers can instead use an HSM that best meets their own security and operational needs.
eDiscovery and Enterprise Level Data Access
Data retention and eDiscovery for all legal and compliance reporting are designed into and managed on the platform. The platform provides for archiving and exporting conversations. Platform administrators can generate instance-specific encryption keys. Nuacem gives administrators complete visibility of messages regardless of communication channel, covering both text and voice interactions.
Platform Security
At Nuacem, we develop and test securely against security threats to protect our customers’ data. We maintain secure development lifecycle (SDLC) standards to deliver a secure platform and codebase, and we engage third-party security experts to perform detailed penetration tests on the different applications within our platform.
Development Environments
Our product development, testing, and staging environments are separated physically and logically from the live environment by network isolation, firewalls, and network ACLs. No production data is used in the development or test environments; mock and random data may be generated to simulate high data volumes.
Quality Assurance
Our QA department reviews and tests our codebase and functionality. Manual and automated tests are integrated with the CI/CD pipelines so that only well-tested, secure code is deployed. Our QA team actively takes part in end-application security testing as well as in the entire development process of the release pipeline.
Change Management
At Nuacem, we adhere to a strict change management process. All change requests are tracked, reviewed, and approved to ensure that operational changes are aligned with Nuacem’s business objectives and compliance requirements. A change is analyzed before being moved into a staging environment, where it is tested further before finally being released to production.
Access and APIs
A strict permission structure governs access to data and backend services and allows us to grant access at a highly granular level. Access to each environment (staging, development, and production) is manually granted to authorized employees. Once granted access, all employees must use multi-factor authentication. Access to any data is provided via APIs and SDKs only, using secure keys, tokens, and secrets.
Security Training
All Nuacem employees must complete and pass security training. During the training program, a qualified instructor covers all of the points above, including network access, password policies, clear desk policies, and more, following the internal control policy. Whenever required, the InfoSec Management Team updates staff on any changes to our policies. All Nuacem employees must sign non-disclosure and confidentiality agreements (NDAs) and undergo background verification before onboarding.
Application Security
The Nuacem platform is used by customers to chat with bots and agents, who monitor and engage customers and at times obtain essential information about their transactions and behavioural data points. Security measures at the application level keep this sensitive data guarded against unwarranted exposure.
To respect this sensitivity, we have implemented a range of security controls: chat history log encryption, generation and maintenance of audit trails, real-time data blocking, sensitive data redaction and masking, comprehensive ACL management, password security and policies, multi-layer authentication, HIPAA-compliant and PCI DSS-compliant forms for PII data collection, GDPR-compliant infrastructure, and IP whitelisting and restriction capabilities. This security framework, which secures sensitive personal data for all our clients, is embedded and enforced across our entire Conversational AI platform.
Network Security
Nuacem maintains a security team that is on call 24/7 to respond to security events. Through network vulnerability scanning, firewalls, continuous monitoring, intrusion detection and prevention systems, and participation in threat intelligence programs, we keep a constant watch on the security of our customers’ data and business processes. For each Nuacem NTT Data and AWS account, our security infrastructure comprises WAF, SIEM, IDS, and IPS tools.
The edges of our network have a narrow attack surface and are protected by a WAF and IAM-secured endpoints, with limited exposure to the Internet. All network activity and traffic are monitored for intrusion (IDS/IPS) and misuse, and we retain access logs for forensic purposes.
When a system warning occurs, alerts are generated and events are escalated to our 24/7 Operations, Network Engineering, and Security support teams. Employees are trained on security incident response processes as controlled under both ISO 9001 and ISO 27001.