Security & Compliance

Don’t compromise customer experience for security

PCI-DSS CompliantSOC2HIPAA CompliantCyber EssentialsVerified by Visa

We built our cloud infrastructure to meet the security standards of our customers and the industries that they serve. We’ve gone through rigorous audits to achieve PCI-DSS, SOC2, and HIPAA compliance. We’re also a Visa Verified vendor. That means that our customers never need to worry about the security of data that moves through their applications on Plum’s platform. By meeting these standards we’re particularly well-equipped to serve the finance/banking, and health care industries.

Using both hardware and software, Plum Voice established and maintains physical and technical safeguards that protect the confidentiality and integrity of your electronic business information.

Learn more about what it takes to become PCI-DSS or HIPAA compliant.

Payment Card Industry (PCI) Compliance

  • Plum has achieved Level 1 compliance with Payment Card Industry Data Security Standards (PCI DSS).
  • Plum’s Level 1 compliance designation is certified by an approved Qualified Security Assessor (QSA).
  • Our systems are scanned externally by an Approved Scanning Vendor (ASV) every 90 days to ensure there are no vulnerabilities.
  • Our systems are also subjected to an external network penetration scan to ensure that access is not easily allowed into the secure environment.
  • Only a specific set of authorized Plum employees have access to Plum’s secure environment.
  • Our QSA has verified that any PCI data entering Plum’s secure hosting environment was handled securely.
  • Our QSA also verified that firewalls and systems were secure and that only authorized individuals for Plum had access to the secure hosting environment.
  • Plum’s services and products operate in class A data center facilities that maintain the physical security of the systems and network equipment of its secure cloud environment. The facility requires bioscan (fingerprint) verification along with a physical badge to gain access.
  • Plum also has an Incident Response Team to respond to any emergencies or disasters should one occur.

SOC 2 Compliance

  • Plum complied with AT101 standards for the security, availability, and processing integrity principles of Trust Services Principles (TSP) section 100.
  • Plum also underwent testing by an external auditor to examine the suitability of the design and operating effectiveness of Plum’s internal policies and procedures for security, availability, and processing integrity.

HIPAA Compliance

  • There is no electronic protected health information (ePHI) stored within our secure cloud environment. All ePHI that we transmit as a result of delivering our IVR services within our secure cloud environment is treated as confidential and private.
  • Access to network equipment and systems within our secure cloud environment is provided only to authorized Plum employees within our operations team. These systems and network devices can be accessed only via two- factor authentication.
  • Plum does not share any patient or provider information with any of our vendors, clients, partners, contractors, or temporary or part-time employees.
  • Plum has a designated Information Security Officer. Our Information Security Officer has the responsibility for the development and implementation of Plum’s information security policies, procedures, and technology.
  • Plum has established secure audit logging and tracking mechanisms that document any access to the secure cloud environment. Plum has established training programs focused on privacy policies to inform employees on the handling of electronic protected health information data as required by HIPAA protocols.

Notice of Privacy

Under HIPAA, Plum is not a “Covered Entity”, but rather a “Business Associate” and also does not store any Protected Health Information (PHI) within its secure environment. Therefore, Plum does not retain the ability to disclose any PHI to individuals because of this operating model.

Visa Global Registry of Service Providers

The Visa Global List of Service Providers is a mechanism for service providers to showcase their compliance efforts with various security standards.

Being listed on Visa’s Global Registry of Service Providers, is a quick way to ensure merchants that Plum Voice is compliant with the most current version of the Payment Card Industry Data Security Standards, and with the Visa Inc. security standards.

To view a list of all Visa-compliant service providers, click here.

Cyber Essentials

Cyber Essentials is a UK-government-backed scheme that assesses a company’s cyber-security preparedness. It was created to give companies a way to demonstrate that they are taking the necessary steps to mitigate and control common risks to cyber-security.

To achieve certification, Plum Voice was assessed on the following five controls:

  • Boundary firewalls and internet gateways;
  • Secure Configuration;
  • Access Control;
  • Malware Protection; and
  • Patch Management

GDPR

The European Union implemented the General Data Protection Regulations (“GDPR”), to better protect the personal data of EU data subjects, on May 25, 2018. Although the GDPR is a set of European Union-mandated regulations, its scope covers both companies that are physically present in the EU, as well as, all companies outside of the EU that handle the personal data of EU data subjects.

The GDPR requires that service providers who transmit the personal data of EU citizens must guarantee the existence of technical and organizational safeguards, outlined in the regulations, to ensure the lawful transfer of data.

To ensure that Plum Voice appropriately responds to the implementation of these regulations, Plum Voice has updated its policies and procedures to be in line with the GPDR, and now offers its customers a Data Processing Addendum(.pdf) (“DPA”) that outlines Plum Voice’s security responsibilities regarding safe data transfer. This DPA also includes contractual language (“Standard Contractual Clauses”) approved by the European Commission, which provide further assurances of the proper transfer of personal data that belong to EU data subjects.

How to Enforce the DPA

To enforce this DPA, both parties must sign an unmodified version of this DPA.

To request a signed version of this DPA, on Plum Voice’s behalf, or to submit a signed copy of this DPA, on the Customer’s behalf, please email: Compliance@plumgroup.com.