Security & Compliance
Security Standards that Protect Customer Data
We built our cloud infrastructure to meet the security standards of our customers and the industries they serve. We've also gone through rigorous audits to achieve PCI-DSS, SOC 2 and HIPAA compliance, as well as being a Visa Verified vendor. That means our customers don't need to worry about the security of data that moves through their applications on Plum's platform. By meeting these standards we're particularly well-equipped to serve the finance/banking and health care industries.
Using both hardware and software, Plum Voice established and maintains physical and technical safeguards that protect the confidentiality and integrity of your electronic business information.
Learn more about what it takes to become PCI-DSS or HIPAA compliant.
Payment Card Industry (PCI) Compliance
- Plum Voice has achieved Level 1 compliance with Payment Card Industry Data Security Standards (PCI DSS).
- Plum Voice’s Level 1 compliance designation is certified by an approved Qualified Security Assessor (QSA).
- Plum Voice systems are scanned externally by an Approved Scanning Vendor (ASV) every 90 days to ensure there are no vulnerabilities.
- Plum Voice systems are also subjected to an external network penetration test to verify that the secure environment cannot be easily accessed from outside.
- Only a specific set of authorized Plum Voice employees have access to Plum Voice’s secure environment.
- Plum Voice's QSA has verified that any PCI data entering Plum Voice's secure hosting environment is handled securely.
- Plum Voice's QSA also verified that firewalls and systems are secure and that only authorized Plum Voice individuals have access to the secure hosting environment.
- Plum Voice's services and products operate in Tier 3 data center facilities that maintain the physical security of the systems and network equipment of its secure cloud environment. The facility requires biometric (fingerprint) verification along with a physical badge to gain access.
- Plum Voice has an Incident Response Team to respond to any emergencies or disasters should one occur.
SOC 2 Compliance
- Plum Voice complied with AT101 standards for the security, availability, and processing integrity principles of Trust Services Principles (TSP) section 100.
- Plum Voice also underwent testing by an external auditor to examine the suitability of the design and operating effectiveness of Plum Voice’s internal policies and procedures for security, availability, and processing integrity.
- There is no electronic protected health information (ePHI) stored within Plum Voice's secure cloud environment. All ePHI that we transmit as a result of delivering our IVR services within our secure cloud environment is treated as confidential and private.
- Access to network equipment and systems within the Plum Voice secure cloud environment is provided only to authorized Plum Voice employees within our operations team. These systems and network devices can be accessed only via two-factor authentication.
- Plum Voice does not share any patient or provider information with any of our vendors, clients, partners, contractors, or temporary or part-time employees.
- Plum Voice has a designated Information Security Officer who has the responsibility for the development and implementation of Plum Voice’s information security policies, procedures, and technology.
- Plum Voice has established secure audit logging and tracking mechanisms that document any access to the secure cloud environment. Plum Voice has established training programs focused on privacy policies to inform employees on the handling of electronic protected health information data as required by HIPAA protocols.
Notice of Privacy
Under HIPAA, Plum is not a "Covered Entity" but rather a "Business Associate", and it does not store any Protected Health Information (PHI) within its secure environment. Because of this operating model, Plum does not retain the ability to disclose any PHI to individuals.
Visa Global Registry of Service Providers
The Visa Global List of Service Providers is a mechanism for service providers to showcase their compliance efforts with various security standards.
Being listed on Visa's Global Registry of Service Providers is a quick way to assure merchants that Plum Voice is compliant with the most current version of the Payment Card Industry Data Security Standard and with the Visa Inc. security standards.
To view a list of all Visa-compliant service providers, click here.
Cyber Essentials
Cyber Essentials is a UK-government-backed scheme that assesses a company's cyber-security preparedness. It was created to give companies a way to demonstrate that they are taking the necessary steps to mitigate and control common cyber-security risks.
To achieve certification, Plum Voice was assessed on the following five controls:
- Boundary firewalls and internet gateways;
- Secure Configuration;
- Access Control;
- Malware Protection; and
- Patch Management
General Data Protection Regulation (GDPR)
The European Union implemented the General Data Protection Regulation ("GDPR") on May 25, 2018, to better protect the personal data of EU data subjects. Although the GDPR is a set of European Union-mandated regulations, its scope covers both companies that are physically present in the EU and all companies outside of the EU that handle the personal data of EU data subjects.
The GDPR requires that service providers who transmit the personal data of EU citizens must guarantee the existence of technical and organizational safeguards, outlined in the regulations, to ensure the lawful transfer of data.
To ensure that Plum Voice appropriately responds to the implementation of these regulations, Plum Voice has updated its policies and procedures to be in line with the GDPR, and now offers its customers a Data Processing Addendum (.pdf) ("DPA") that outlines Plum Voice's security responsibilities regarding safe data transfer. This DPA also includes contractual language ("Standard Contractual Clauses") approved by the European Commission, which provides further assurances of the proper transfer of personal data belonging to EU data subjects.
How to Enforce the DPA
To enforce this DPA, both parties must sign an unmodified version of this DPA.
To request a signed version of this DPA, on Plum Voice’s behalf, or to submit a signed copy of this DPA, on the Customer’s behalf, please email: Compliance@plumgroup.com.
ISO/IEC 27001
The ISO/IEC 27001 standard is an internationally recognized standard that sets requirements for an information security management system (ISMS). It provides guidelines for the secure management of important company assets such as financial information, intellectual property, employee details, or information entrusted by third parties.