Nexmo provides a cloud communications platform for a wide range of customer and business needs. Recognizing the importance of information security, we have invested considerable time and effort into ensuring our platform’s security.
This document summarizes various technical and organizational security measures we have implemented to protect our customers’ data from malicious or accidental destruction, alteration, loss, unauthorized access or disclosure.
Nexmo’s data processing environment is built on the IBM SoftLayer platform with geographically distributed Tier IV data centers. IBM SoftLayer complies with various security standards - including ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO 22301:2012, ISO 31000:2009, HITRUST CSF v8.1, SOC 2, SOC 3 - and guarantees protection of physical infrastructure and facilities.
Nexmo stores all production data in physically secure data centers, including IBM SoftLayer, Amazon and Google facilities. Nexmo’s cloud storage vendors (Google Cloud Datastore, Amazon DynamoDB, and Amazon Simple Storage Service (S3)), are compliant with ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, SOC 2, and SOC 3. In addition, Google Cloud Datastore complies with NIST 800-171.
Nexmo’s office facilities are secured by 24/7 guards, interior and exterior video surveillance, alarm systems, security gates, and doors equipped with access card readers or locks. Authorized visitors are provided with escort-controlled access.
Nexmo data processing systems are designed to ensure only authorized access and processing of customers’ data.
Only a limited number of authorized personnel have access to the data processing environment via a VPN endpoint defining specific access scope based on the assigned functional role. Access scope is enforced on multiple levels including VLAN-based isolation at the data link layer. The authentication mechanism employed is two-factor, requiring possession of the machine with the VPN public/private key pair and knowledge of LDAP credentials. Password policy mandates that LDAP passwords to access the data processing environment follow composition, minimum size, reusability, and expiration rules.
The granting or modification of access rights follows an established workflow with a mandatory approval from the line management. Workflow tools provide accountability through recordkeeping.
All account actions can be traced to the particular user taking action on the account. The time, date, and type of action are recorded for all privileged account actions.
Only properly authorized personnel are allowed to access and manage customer data. Team-wide security roles covering critical tools and applications are applied.
Nexmo’s onboarding process mandates that domain credentials for each employee are requested by the HR function in a formal, accountable manner. Employment termination triggers revocation of issued credentials.
Nexmo ensures that personnel are notified of significant requirements as well as personal and corporate consequences of engaging in improper activities. All employees complete a periodic mandatory security training and a Code of Conduct training covering business ethics and professional standards, each at least annually.
Customers can manage their accounts through the Nexmo Customer Dashboard, a dedicated web page which supports two-factor authentication and IP address verification security mechanisms. If enabled, the Nexmo Customer Dashboard will, in addition to the customer’s password, require a one-time verification code, sent by SMS to the phone registered on the customer’s account, when the customer’s IP address differs from the one used previously.
Nexmo Customer Dashboard password-based authentication utilizes secure hashing and salting to protect against impersonation and brute-force attacks.
Nexmo supports HTTPS and SMPP over TLSv1.2 as main protocols for encrypted communication. Nexmo holds a public 4096-bit RSA-based wildcard certificate covering *.nexmo.com for authentication purposes.
Customers are solely responsible for any decision to use unencrypted channels when consuming Nexmo services.
Nexmo does not provide telecom carrier services, and as such relies on carriers to secure SMS channels, since the SMS standard does not provide for end-to-end encryption; encryption, if any, is determined by the individual carrier.
Nexmo supports secure SIP signaling over TLS for protection of the multimedia communication control plane in inbound and outbound directions. Security, if any, of the PSTN-terminated/originated SIP control channel is determined by the individual carrier and cannot be guaranteed by Nexmo. Media plane (voice path) encryption is currently not supported by Nexmo.
Nexmo’s data processing environment is separated from the outside world and from the test environment with firewalls. Fine-grained segmentation inside production and test environments is achieved with the help of VLANs.
Nexmo's data processing environment consists of Linux servers, each protected by a host-based firewall. Applications are grouped by type/category, and there is no platform sharing between applications of different types.
Nexmo employs a three-fold vulnerability management strategy which includes proactive updates of 3rd-party applications, internal monthly vulnerability scans, and external penetration tests. Nexmo keeps itself up to date with patches/upgrades and updates 3rd-party applications promptly as new versions are released. External penetration tests covering APIs, web applications, and SDKs are performed quarterly. External infrastructure vulnerability assessment is done annually.
Identified vulnerabilities are assessed on an individual basis. Nexmo utilizes a risk-based approach to the patch management process and commits to mitigate vulnerabilities according to the following time frame:
Emergency patching for threats of imminent danger to systems or data should occur within 7 days.
Nexmo's development process is built on the principle of segregation of duties and employs mandatory reviews and approvals. Each change to production environment is submitted by Development, tested by Quality Assurance, and reviewed by Operations before deployment.
Web applications and APIs provided by Nexmo go through a rigid assessment process which includes review of security controls following the OWASP Application Security Verification Standard. The assessment is done by an external entity.
Apart from system level logging to ensure traceability of account actions, Nexmo commits to logging of all API requests to recognize, investigate, and protect customers from fraudulent activity. Among other information, logs contain: source IP, account Id, type of activity and timestamp. All successful/unsuccessful authentication attempts are logged and investigated, as appropriate.
Customers control and configure Nexmo services through a portal (the Nexmo Customer Dashboard). To provide an audit trail, all changes and actions performed using the customer dashboard are recorded.
Internal administration activities are performed via tools accessible only by authorized Nexmo personnel. All activities including provisioning of Nexmo services are logged.
Nexmo’s business continuity planning incorporates procedures to sustain critical functions, backup and recover data, and protect company assets.
Single points of failure are eliminated for critical services with multi-node and multi-channel network design and load-balancing strategy.
Nexmo follows a Data Backup Policy which mandates regular backups of the configuration and account data required for continuous service operation, the use of off-site storage, and daily data restoration tests where appropriate.
Nexmo recognizes a potential internal attack surface originating from compromised end-user machines used by Nexmo employees, and to mitigate this threat implements a set of security measures including hard drive encryption, secure data erasure upon laptop decommissioning, virus/malware protection with automated updates, browsing/traffic control, and centralized domain-based authentication.
Nexmo utilizes two main strategies to protect customers’ data: data encryption for long-term data and limited data retention for short-lived data.
Nexmo retains data processing logs for a minimum of three days.
Nexmo provides, upon a customer’s request and subject to applicable legal requirements, true data anonymization by means of data redaction. Data redaction is a one-way process that substitutes the original data with a predefined set of characters that reveals no information about the original data except that it was anonymized.
If you believe that you have found a Nexmo security vulnerability, please contact us at [email protected] for further investigation.