Trust Office

Smart businesses won’t use a product until they can trust it with their most valuable asset, their customers. At inContact, we recognize how important trust is and we know it doesn’t come simply because someone says “trust me”. Trust is earned and it comes from seeing and experiencing a product or service firsthand. That is why we created the Trust Office.

The mission of the Trust Office is threefold. Our first goal is service reliability. The Trust Office works closely with engineering and operations to ensure our systems and networks are designed, managed and able to support 99.99% uptime. This ensures you have a service you can always count on.

The second mission of the Trust Office is security. We know how valuable our customers’ data is and as a result, the Trust Office creates, approves and audits security processes.  We uphold the highest security standards and are certified with PCI, SOX, FCC and CPNI. We are also certified as a Safe Harbor Partner.

The third and final mission of the Trust Office is to ensure performance and scalability. To achieve this, we work closely with network planning and network operations to ensure that network growth and design matches our customers' growing demands. This gives you the systems you need to get ahead now and over the long-term life of your business.

PCI

PCI (Payment Card Industry) standards have several designations: Merchant, Service Provider and Hosting Provider which fall under the PCI DSS (Data Security Standard). The designations for both the Merchant Level and Service Provider are determined by the number of transactions processed, stored or transmitted on a merchant account.

inContact falls under the Merchant Level 3 designation. This designation requires the company to complete: Self Assessment and Attestation of Compliance annually, quarterly vulnerability scans, an annual penetration test and an audit of the controls. The Self Assessment and Attestation of Compliance along with the vulnerability scans are submitted to our Merchant Bank (Wells Fargo). Additionally, inContact has completed its Attestation as a Service Provider Level 2. The Service Provider Level 2 Attestation is submitted annually to our Merchant Bank. As a Level 2 Service Provider, the company is not subject to an annual QSA (Qualified Security Auditor) audit; however, an internal audit is required by a certified Internal Security Assessor. 

404 SOX Certification

As a publicly traded company, inContact is subject and has completed its annual 404 Certification for Sarbanes-Oxley (SOX). inContact is designated as a Accelerated Filer and has been since June 2007. IT security and controls are included in this annual certification to evaluate the controls over financial reporting.  PCI and SOX both require the protection of private information. inContact defines private information as any consumer or employee information (i.e. credit card numbers, name, SSN, phone number). The protection requirements for PCI cross over from paper to electronic data and the routing of that information. inContact is required to comply with PCI standards and report on compliance  annually.

FCC and CPNI

inContact maintains compliance with all Federal Communications Commission (FCC) regulations. The FCC monitors and regulates the rules to protect Customer Proprietary Network Information (CPNI) or the information obtained by a telecom provider during the course of providing services to the customer.

CPNI encompasses where, when and to whom a customer places a call, as well as the types of service offering/products to which the customer subscribes including the extent to which they are used.

Under FCC guidelines, all customer data is required to be housed in a secure, monitored database. inContact must not sell, lend or license CPNI information to a third-party. Third-party contractors must sign Non-Disclosure Agreements and cannot improperly use CPNI information. Additionally, employees must adhere to security checks and CPNI policies.

Safe Harbor

The company was certified as a Safe Harbor partner on April 21, 2009. As such, we have the proper policies (privacy, network and computer security, hosting, and change management) and controls in place to ensure that storage and transmission of customer information is secure according to best practices of the industry, PCI, Safe Harbor and section 404 standards. Additionally, in conjunction with the certification, the company is required to complete an annual audit of compliance.

HIPAA

inContact is not required to be HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPPA) of 1996 applies primarily to health care providers, health care clearinghouse and health plans. However, our product, based on the needs and type of client, may require HIPAA ready status, meaning that we must use reasonable efforts to protect customer information.

SOC2, formerly known as SAS70

On 15 June 2011, the SAS 70 Audit was replaced by two new standards: (i) a reporting standard for service organizations, the “Statement on Standards for Attestation Engagements No. 16” (referred to as SSAE); and (ii) an audit standard for customers of service organizations, “SAS Audit Considerations Relating to an Entity using a Service Organization”.

As with the SAS 70, SOC ("Service Organization Control") audits require a service provider to provide assurance about whether its internal controls relating to security, availability, processing integrity, confidentiality and the privacy of its system and information meet AICPA Trust Services principles and criteria and are performed by third-party entity.  inContact's audit on the new standard will cover the year full year of 2011 but will not be issued until the first quarter 2012.

inContact did complete a SAS 70 Type II audit which provided assurance over controls from July through December 2010.