XCALLY Compliance & Security


EU GDPR Compliance

Since our first projects, our approach has been built on a strong commitment to privacy, transparency and safety in order to protect our Clients' personal data.

To confirm the trust of our Clients and our Partners, our analyses and procedures are built to guarantee the conformity of XCALLY Motion with the EU General Data Protection Regulation (GDPR): the overall architecture, as well as the individual components of the solution, always follows the prerequisite of protecting the data.

For this purpose, we put into action several activities to guarantee the maximum safety of the product: 

  • Specific tests of intrusion detection at several levels of complexity are periodically executed

  • Adopting the latest version of the software and of the security patches of all the base components, configuring the system firewalls and checking the Asterisk system protections are considered fundamental to manage and develop the solution

  • We use secure protocols such as SSL/TLS for external functions of reading and feeding

  • The WebRTC technology used for XCALLY Motion supports secure protocols such as WSS and HTTPS

  • Information containing personal data (such as sent and received messages, account information, contacts, call recordings) is saved in the database using Transparent Data Encryption (TDE)

  • Relating to Phonebar, we use SIPS and SRTP TLS protocols.

 

In order to enhance agent password security and privacy according to the GDPR rules, we provide specific features (under the General Settings section) and we strongly recommend enabling them:

  • The Security Suite enables a set of rules for Administrators, Agents, Telephones and Users accounts concerning the password format, reset and expiration after 90 days

  • XCALLY Motion Phonebar allows Agent password reset and management, according to the Security Suite

  • The Voice Recording Encryption protects your recorded calls from unauthorized use or file system breach. The encryption is highly recommended if the stored call recordings contain sensitive or personal data. The encryption is turned off only if the files containing the voice recordings are accessed from the Motion user interface

  • Enforce Single Sign On, SAML, or Multi-factor Authentication for state-of-the-art security practices.


Cookies Policy

To make XCALLY Motion work properly, we place small data files called cookies on your device only for technical purposes.

 

A cookie is a small text file that a website stores on your computer or mobile device when you visit the site.

Cookies are built to be a reliable mechanism for websites to remember stateful information (such as language or type size) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). 

The purpose is to enable the site to remember your preferences (such as user name, language, etc.) for a certain period of time. That way, you don’t have to re-enter them when browsing around the site during the same visit.

XCALLY Motion stores cookies for:

  • Authentication: the cookie keeps the session active until the log out is performed

  • Preferences and Filters: the cookies remember filters and other settings you applied before

XCALLY Motion Chat module uses HTML5 local storage to save:

  • layout format data

  • online customer's data

  • data about the actual interaction

You can control and/or delete cookies as you wish.

You can delete all cookies that are already on your computer, but it is not recommended to turn off all cookie storage in the web browser because it will cause authentication issues (if cookies are disabled in the browser, XCALLY shows an error).


Open Source Codes

XCALLY uses open source code. The Customer agrees that the open source software license subsists exclusively between the Customer and the relevant licensor of the open source software; however, for security reasons and protection of the Licensor's intellectual property rights, the list of these licenses is not published on this page.

For further information to access the full list of these licences, please note that this list is obtainable directly via the package.json contained in the compressed folder that is downloaded during XCALLY installation.


Certifications


XCALLY S.r.l has obtained the prestigious UNI EN ISO 9001:2015 and ISO/IEC 27001:2022, important recognitions to attest our commitment to quality and information security.

  • ISO 9001:2015 is an international standard that defines the criteria for a quality management system. It is based on a number of principles including a strong customer focus, motivation and involvement of top management, a process approach and continuous improvement. Specifically for XCALLY, it refers to software design and development with remote assistance;

  • ISO/IEC 27001:2022 is an international standard for information security management. This certificate specifies the requirements for establishing, implementing, maintaining and improving an information security management system (ISMS). The main objective is to protect sensitive information in a systematic and proactive manner. For our company, this refers to software design and development with remote assistance.

Why are these certifications so important for you as our customer?

When a company holds the UNI EN ISO 9001:2015 and ISO/IEC 27001:2022 certifications, its customers can benefit from several significant advantages:

  1. Consistent quality assurance: ISO 9001:2015 ensures that the company has implemented a robust quality management system. Customers can expect high quality products and services that conform to international standards and consistently meet their needs and expectations;

  2. Increased reliability and information security: ISO/IEC 27001:2022 ensures that the company takes strict measures to protect sensitive data. Customers can be confident that their data and information will be handled safely and securely against threats and breaches;

  3. Operational effectiveness: The implementation of a quality and information security management system helps the company optimise its internal processes, reducing waste and inefficiency. This translates into more effective and timely services for customers;

  4. Competitive advantage: Working with an ISO certified company can be a competitive advantage for customers, especially if they operate in regulated or highly competitive industries. ISO certifications can be a key element in winning tenders and obtaining new contracts.


Communication Security

WebRTC (Browser) → WebRTC Installation

  • Transport Protocol: Communication between the agent’s browser and the XCALLY server takes place exclusively via HTTPS, secured by a valid SSL/TLS certificate issued by an official Certification Authority. The use of self-signed certificates is not supported for security reasons.

  • Media Encryption: Voice calls managed through WebRTC are end-to-end encrypted using standard WebRTC protocols, specifically SRTP (Secure Real-time Transport Protocol) for encrypting audio/video streams.

  • Signaling Channel Security: Call signaling and control are managed via secure WebSocket (WSS) on port 8089, also protected by TLS.

  • Audio Codec: The Opus codec is used, supporting encryption and automatic bandwidth adaptation.

  • Network Requirements: UDP ports 10000-20000 must be open for encrypted media traffic.

Phonebar (Desktop) → XCALLY Phonebar Installation

  • Transport Protocol: The Phonebar communicates with the XCALLY server via SIP on TCP/UDP ports 5060/5061. For security, it is recommended to use SIP over TLS (port 5061) for signaling and SRTP for media encryption.

  • Media Encryption: When configured, voice traffic uses SRTP, ensuring end-to-end encryption of calls.

  • Proxy and Security: All traffic passes through an NGINX reverse proxy, which enforces HTTP to HTTPS redirection, ensuring all communications are encrypted.

  • Network Requirements: TCP ports 443, 5060, 5061 and UDP ports 5060, 5061, 10000-20000 must be reachable from the client to the server.

Summary of Protocols and Encryption Used

| Channel            | Signaling                | Media (Voice)     | Encryption/Protocol               |
|--------------------|--------------------------|-------------------|-----------------------------------|
| WebRTC (Browser)   | WSS (WebSocket over TLS) | SRTP (via WebRTC) | TLS for signaling, SRTP for media |
| Phonebar (Desktop) | SIP over TLS (5061)      | SRTP              | TLS for signaling, SRTP for media |
| REST API           | HTTPS (TLS)              | N/A               | TLS                               |

The use of HTTPS/TLS is mandatory for all communications between client and server.

Voice stream encryption via SRTP is supported for both WebRTC and Phonebar, provided the server and client configuration enables it.

The infrastructure uses NGINX as a reverse proxy to ensure security and centralized certificate management.
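
An added example (not XCALLY's own code) for checking a deployment against the transport rules above: it performs a CA- and hostname-verified TLS handshake on the HTTPS, WSS and SIP-over-TLS ports named on this page, so a self-signed or expired certificate shows up as a finding. The function names, the 30-day renewal threshold and the hostname passed on the command line are assumptions of this example.

```python
import socket
import ssl
import sys
import time

# Ports taken from this page: HTTPS behind NGINX, WSS signaling, SIP over TLS.
TLS_PORTS = {443: "HTTPS (UI / REST API)", 8089: "WSS signaling", 5061: "SIP over TLS"}
MIN_DAYS_LEFT = 30  # assumption: renewal warning threshold, not an XCALLY setting


def probe_tls(host, port, timeout=5.0):
    """Handshake with CA and hostname verification on; self-signed certs fail here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"port": port, "ok": True, "version": tls.version(),
                        "not_after": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"port": port, "ok": False, "error": "certificate: " + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"port": port, "ok": False, "error": str(exc)}


def evaluate(results, now=None):
    """Turn probe results into findings; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    for r in results:
        name = TLS_PORTS.get(r["port"], "port %d" % r["port"])
        if not r["ok"]:
            findings.append("%s: TLS check failed (%s)" % (name, r["error"]))
            continue
        # Convert the certificate's notAfter field to days remaining.
        days = (ssl.cert_time_to_seconds(r["not_after"]) - now) / 86400
        if days < MIN_DAYS_LEFT:
            findings.append("%s: certificate expires in %d days" % (name, days))
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    host = sys.argv[1]  # hostname of your own XCALLY server (assumption: passed as argument)
    report = evaluate([probe_tls(host, port) for port in TLS_PORTS])
    for line in report or ["all TLS checks passed"]:
        print(line)
```

The probe covers certificate trust and expiry only; whether SRTP is negotiated for media depends on the server and client configuration and is not checked here.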

 

Voice recordings encryption

Voice recordings in XCALLY Motion can be encrypted using the AES-192 algorithm to protect sensitive or personal data from unauthorized access or file system breaches. By default, encryption is disabled except when accessing files through the Motion user interface.

To enable encryption for voice recordings, navigate to Settings > General > Global in the XCALLY Motion UI and enable the option for Voice Recordings Encryption (see the documentation: General Settings | Security).

Currently, only one subset of AES flavors is supported. Default value: aes192.

 

Database encryption

The XCALLY database is encrypted with MySQL InnoDB data-at-rest encryption, using the AES (Advanced Encryption Standard) block-based encryption algorithm.

For more details, see: MySQL :: MySQL 8.0 Reference Manual :: 17.13 InnoDB Data-at-Rest Encryption