Security & Controls Center

Security Architecture

At Nexdial, our security architecture is designed to protect multi-tenant cloud databases, VoIP signaling streams, and CRM client profiles with bank-grade encryption controls.

DOCUMENT ID: CCOS-SEC-2026-V4 • LAST UPDATED: JUNE 09, 2026

1. Security Overview

We deploy a defense-in-depth framework across our hosted services, network layers, and physical BPO offices. Our Contact Center OS has been engineered to maintain data privacy and compliance under strict frameworks and regulations, including SOC2, HIPAA, and GDPR.

SOC2 compliance

Continuous vulnerability scanning, automated alerts, and audit logs tracking configuration changes.

Isolated Clusters

Multi-tenant isolation using Docker/Kubernetes namespaces, separate Redis databases, and KMS keys.

2. Encryption & Key Management

Data processed through our CRM modules and dialers is encrypted both in transit and at rest:

  • In Transit: Telephony dashboards, API payloads, and WebRTC signaling sessions utilize TLS 1.3 encryption with strict HSTS policies.
  • At Rest: Physical databases, call detail tables, and audio files are encrypted using hardware-accelerated AES-256.
  • Key Management: We utilize Key Management Services (KMS) with automatic annual key rotation. Tenants can also configure Bring Your Own Key (BYOK) for dedicated Azure clusters.

3. VoIP & WebRTC Security

Traditional VoIP trunking can be vulnerable to packet sniffing. We safeguard outbound and inbound voice streams using secure protocols:

  • SRTP & DTLS: Live in-browser WebRTC agent calls are encrypted using Secure Real-time Transport Protocol (SRTP) combined with Datagram Transport Layer Security (DTLS).
  • SIP Digest Authentication: SIP credentials and trunk registrations require strong password algorithms and are restricted by IP-based firewalls.
  • Network Firewalls: Upstream carrier connections are established via secure IP tunnels (IPsec VPN) or dedicated Twilio Interconnect ports.

4. Database & Namespace Isolation

Nexdial leverages a multi-tenant cloud architecture that prevents cross-tenant data leaks:

  • Data Separation: Each tenant organization resides in an isolated logical schema or database container. Tenant routing scripts cannot execute queries across database boundaries.
  • Container Isolation: Microservices run within separate Kubernetes namespaces with restricted pod-to-pod network policies.
  • API Protection: Every inbound gateway request is validated by checking its JWT signature and its Tenant ID parameter.

5. Access Controls & Audit Logging

Platform access requires authorization corresponding to tenant roles:

  • Role-Based Access Control (RBAC): Standard roles include Agent, Supervisor, Tenant Admin, and System Super-Admin. Access to system configurations is limited based on roles.
  • Single Sign-On (SSO): We support SAML 2.0 and OpenID Connect (OIDC) integrations (e.g. Azure AD, Okta, Google Workspace) to enforce corporate MFA policies.
  • Audit Logging: Every action taken by administrators (e.g., uploading contact CSVs, altering IVR routing nodes, downloading call recordings) is recorded in immutable compliance logs.

6. Business Continuity & Disaster Recovery

We maintain active-passive replica clusters in geographically separated cloud zones to provide high availability:

  • Database Backups: Automated daily snapshot backups are encrypted and stored in durable cloud repositories with 35-day retention.
  • Failover Recovery: Telephony gateways auto-route connections to backup SIP trunks if primary lines encounter latency spikes.
  • RTO / RPO: Our Recovery Time Objective (RTO) is < 2 hours, and our Recovery Point Objective (RPO) is < 15 minutes for critical transaction tables.

7. Audits, Certifications & Pentesting

To provide transparency, we undergo regular security audits:

  • Penetration Testing: Annual third-party penetration testing is performed on our API gateways, database clusters, and WebRTC signaling servers.
  • Vulnerability Management: Automated CI/CD dependency scans are run to identify code vulnerabilities before deployment.
  • Physical Security: Our Navi Mumbai HQ and branch delivery offices enforce strict access controls, including biometric scanning, CCTV, and isolated workspace restrictions.