Security and Compliance – Contact Center Platform

The Payment Card Industry Data Security Standard (PCI DSS) assesses the security and data privacy of cardholder data traversing across information systems. We commit to offering contact center services that adhere to data security controls approved by the Payment Card Industry Security Standards Council as, we understand the commitment and trust we need to have with customers across the globe when protecting sensitive customer cardholder data.

As a telecommunications services provider, we fully comply with the Federal Communications Commission in protecting Customer Proprietary Network Information (CPNI). Your customer’s information call types are securely stored and continuously monitored; further, it is our commitment to you that we will not sell, lend, or license CPNI data to a third-party.

The System and Organizational Controls (SOC) 2 Type 2 attestation is designed to measure how well a given service organization conducts and regulates its data and organizational security programs by providing an industry-hardened report that details procedures and controls. Further, we have committed to the supplemental Health Information Trust (HITRUST) addition to SOC 2, which means we offer the assurance to process sensitive protected health information (PHI) in accordance with the HITRUST Common Security Framework mapped with the AICPA’s Trust Services Criteria to streamline reporting while ensuring data privacy confidence.

The Global Data Protection Regulation (GDPR) aims to protect all European Union citizens from privacy and data breaches. As a data processor acting and serving our customers as data controllers, we place an extreme high importance of ensuring all GDPR Articles are enforced and audited by offering security features to use our contact center services to better protect data this is most sensitive. In fact, before the EU regulatory agencies mandated external compliant assessments, we elected to prove our GDPR commitment with a third-party qualified security assessor to validate our strong security measures, offering confidence and trust to users around the world.

Cyber Essentials is an information assurance protocol operated by the United Kingdom’s National Cyber Security Centre (NCSC) that ensures information risk management by using an assurance framework and set of security controls to indicate an organization’s ability to protect its customers’ data from threats coming from the Internet. NICE inContact has received the Cyber Essentials Certificate of Assurance following an independent assessment of its infrastructure and technical controls, such as boundary firewalls and gateways, secure configuration, access control, malware protection and patch management.

The California Consumers Protection Act (CCPA) was designed to enhance data privacy for residents of California by disclosing customer information handling as it pertains to individual data verification, opt-out procedures and general overviews of selling customer information, and methods of requests submission criteria. By offering transparency of our privacy policies and customer data handling and processing controls via our contact center solutions, we value the importance of customer data privacy by offering CCPA-compliant based controls.

Publicly traded under NICE Ltd. (NASDAQ: NICE), we annually undergo SOX auditing to protect shareholders of the company and the general public from any accounting errors or fraudulent practices and to improve the accuracy of our corporate disclosures. We fully comply with SOX electronic record rules and security controls to address data storage and processing flows for compliant data handling.

In support of our GDPR commitment and transatlantic commerce, we are an active and certified participant in the EU to US Privacy Shield Framework to process EU member state customer data to the US, and other locations. Maintaining Article 45 of GDPR, provisions a continuity of adequacy determinations under the EU Data Protection Directive in complying with the secure means of collecting, storing, and processing sensitive data.

We support and fully comply with Section 508 of the Rehabilitation Act of 1973, requiring all federal agencies to make information technology accessible with disabilities. In demonstrating our compliance, we will offer a completed Voluntary Product Accessibility Template (VPAT) upon request.

When a HIPAA compliant solution is requested, the resulting discussion centers around privacy and security protections under HIPAA and the Health Information Technology for Economic Clinical Health (“HITECH”) Act. For covered entities and business associates subject to HIPAA, NICE inContact offers solutions for processing, transmitting, and storing protected health information (“PHI”). Upon request, NICE inContact will sign a business associate agreement (“BAA”) according to the services NICE inContact provides our customers.

Congress enacted the Telephone Consumer Protection Act (TCPA) in 1991 to address the growing number of telephone marketing calls being made in the US. To reduce the number of hang-up and dead air calls consumers experience, the Commissions telemarketing rules also contain restrictions on the use of auto-dialers and requirements for transmitting caller ID information. Most recently, The FCC introduced the STIR/SHAKEN Protocol, designed to combat robocalls by requiring grading call integrity before it hits the public internet or PSTN. NICE inContact offers full A-level attestation for calls originating from our platform, before they even reach the carrier. This means that all CXone calls have the thumbs-up to travel to your customer. We can then work with you on ensuring your databases meet evolving TCPA standards.