Zello's Technical and Organizational Security Measures

These are the current technical and security measures employed by Zello, Inc for Zello Work customers.

Last Updated: 06/19/2020

1. Organization Of Information Security

  • Zello has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
  • The information security function reports directly to the Chief Security Officer.

2. Physical Access

  • Zello utilizes bare metal servers hosted in the IBM Cloud. Points of presence are located throughout the world. AWS is the failover cloud provider should IBM fail.
  • Zello Work allows for a solution hosted on-premise, please see Zello Work On-premise Server Requirements for more information.
  • Physical access to our office is controlled after hours via key access or electronic badge access.

3. System Access

  • Zello has a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis. All passwords must meet complexity requirements and are stored in encrypted form.
  • Server access is logged at the machine level and controlled through shared keys that may be revoked at any time.

4. Data Access

  • Access to customer data is limited to approved team members under strict controls.
  • All administrative actions performed by staff through the Zello Work console on behalf of the customer are captured and searchable in an audit log.
  • Server access is logged at the machine level and controlled through shared keys that may be revoked at any time.

5. Data Transmission/Storage/Destruction

  • 1024 bit RSA for authentication, digital signatures and secure media session keys exchange.
  • 256 bit AES for audio, images, text and call alerts.
  • TLS for control traffic encryption between Zello client and Zello server
  • IBM Cloud erases data using DOD 5220.22-M grade algorithm. This ensures that any residual drive data is destroyed. This process is monitored and logged and is tracked. Once complete the drive is ready to be redeployed to a new customer.
  • If a drive fails the wipe process or reaches end of life, it is taken out of commission and physically destroyed
  • Data is encrypted during transmission
  • All API communication occurs over HTTP/S; the channel API is offered over secure websockets.

6. Confidentiality And Integrity

  • Customer data is not shared with 3rd parties in accordance with Zello’s Terms of Service and Privacy Policy
  • Zello uses a consistent hiring process that includes multiple reference checks as well as a background check that verifies employment and education history, along with any criminal history. Zello makes hiring decisions based on the results of these in accordance to applicable law.
  • Personal Information is classified according to GDPR standards
  • Per compliance with the GDPR, we have a designated data protection officer who is responsible for notifying all affected users of any material breach within 72 hours. In the event of such a breach, we will work with one of our security partners to evaluate the impact and undertake necessary remediation as quickly as possible.

7. Availability

  • Our standard service SLA is 99.9%, achieved through redundancy at every layer of the stack. The platform is capable of operating at various levels of degraded service, so if a single component is failing (ie, the Message Vault feature), voice communication will continue operating normally.
  • All critical data stores are replicated across machines and in some cases across cloud providers (IBM to AWS). Additionally, backups of databases and search indexes are performed regularly and stored across multiple redundant servers.
  • In the event of a data center failure, we have the ability to bring up a replacement service platform in less than 4 hours on an alternate cloud provider (AWS). We would notify customers of changes in DNS associated with such a switch in order to synchronize appropriate firewall rules, as applicable.

8. Data Separation

  • Customers maintain access to all of their individual data via their own unique identifiers

9. Incident Management

  • We provide 24×7 support for the platform, including critical security issues. Response times will meet our contractually agreed SLA; resolution times will depend on the issue.
  • Per compliance with the GDPR, we have a designated data protection officer who is responsible for notifying all affected users of any material breach within 72 hours. In the event of such a breach, we will work with one of our security partners to evaluate the impact and undertake necessary remediation as quickly as possible.
  • Up to date status checks available here

10. Audit

  • All administrative actions performed by staff through the Zello Work console on behalf of the customer are captured and searchable in an audit log.
  • We periodically perform penetration testing and system fuzzing at the API layer. We maintain a number of unit tests that exercise specific code paths with bad data.
    Regularly tested upon by 3rd parties for security compliance