Howto:GDPR innovaphone PBX V12

From innovaphone wiki
Revision as of 16:27, 2 May 2018 by Kwa

Introduction

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDPR applies to companies and how they comply with its standards, not to products. A company has to demonstrate compliance with the GDPR and should implement measures that meet the principles of data protection.

innovaphone takes the protection of personal data very seriously, and not only since the GDPR. Concerning the GDPR, we have carefully evaluated whether we need to add features so that our customers can operate our PBX in a compliant way. Up to now we have not found any specific missing features.

If you think there are GDPR rules which cannot be fulfilled with our products, please don't hesitate to let us know.

This article describes how the innovaphone PBX Version 12 behaves with respect to selected topics of the GDPR specifications.

Basically, the innovaphone PBX is a "GDPR by Design" product.

This does not mean that the product cannot be used in a way that violates GDPR specifications. It is possible to operate the product in a GDPR-compliant way, but this depends on partners and customers.

Personal Data

European data protection law uses a wide concept of "personal data". Thus, for example, a name and telephone number, or a name and email address, are already GDPR-critical information.

This information is typically used in a telephone system. Note, however, that in principle the innovaphone PBX can also be operated without these parameters: abbreviations or numbers can be used instead of the name, and operation without a mail address is also possible.

Storage

All configurations for innovaphone devices are stored in local flash memory. The data is therefore stored directly in the device; this also applies to reporting and voicemail. The data resides in the device at the customer's site, so that access by third parties can be excluded. The data is not, and will not be, matched or synchronized with any cloud or external database. No personal data is sent at any time to a web service (cloud) or to the manufacturer. The place of data storage, and thus the physical access, is therefore clearly defined.

Access

innovaphone devices have no backdoor or secret default password; without correct credentials, access is not possible.

Access to the data is password protected. The default password for the viewing account can also be changed. Access can be secured using HTTPS.

PPTP connections have 128 bit payload encryption.

ISDN data calls and Telnet are disabled by default.

The 802.1X port security feature is available on all products.

Since the data is stored on the device, it can be ruled out that there is additional administrator access that cannot be controlled by the partner and/or the customer.

Delete Data

When a user is deleted, all of that user's setup data is deleted. The deletion is thus final and not restorable. This also applies to deleted voicemail or reporting data. Reporting data can be deleted automatically after a defined time (for example after 6 months).

Privacy

The conversation and the data can be encrypted (TLS/SRTP); therefore no interception is possible.

A caller can hide his number/name from the remote party.

To display the presence state, mutual acknowledgement is required; the user can set the visibility.

In call detail recording (CDR), the called number or a number of digits can be suppressed.

Voicemail is protected by a password; the user can change this password.

It is possible to hide the call list of received and placed calls on the phone. A phone can be locked.

Data breaches

Access to the PBX from a public network is possible. A reverse proxy (in addition to external firewalls) can protect this access. The reverse proxy is part of the innovaphone PBX. It is also possible to use an innovaphone gateway just for this purpose and isolate the PBX from the external network. In the reverse proxy, access to services, ports and addresses can be defined.

Guessing credentials is detected and the attacker is automatically moved to a blacklist. Release from the blacklist can be done manually by the administrator or automatically after a certain time. Attempts to bypass the reverse proxy are logged.


Related Articles

http://wiki.innovaphone.com/index.php?title=Howto:Security_works_with_innovaphone