Security Policy
1. Background
Imagicle is a software company specialized in the design, development, marketing and support of Unified Communications and Collaboration solutions, delivered as cloud services (SaaS) and on-premise software. The Imagicle product portfolio includes the UCX Suite (single-tenant, deployed on AWS) and a range of cloud-native, multi-tenant services — including Virtual Receptionist, Smartflows, SBC Media Edge, Webex Rec SBC, and MS Teams Rec Engine (deployed on AWS and Microsoft Azure). The company follows Agile SCRUM and Test Driven Development methodologies, and integrates its solutions with market-leading UC platforms including Microsoft Teams, Cisco, and others.
With the ever-increasing use of new technologies, it is necessary to provide guarantees not only on the quality of the services provided, but also on the processing of information concerning service delivery, internal staff, agents, partners, customers and suppliers. Information is a corporate asset which, like other assets, has a value to the organisation and therefore must be protected appropriately. Security is about protecting information from a wide range of threats so as to ensure business continuity, minimise damage and maximise return on investment and business opportunities. Preserving the trust that Customers have in Imagicle requires that everyone contributes to the respect, protection and security of all confidential data and information.
2. Principles
Imagicle recognizes information security as a fundamental element in the delivery of its products and services. In accordance with ISO/IEC 27001, the protection of information is based on the principles of confidentiality, integrity, and availability.
This means that Imagicle is committed to:
reducing information security risks to an acceptable level;
identifying security events in a timely manner and determining their impact on systems and services;
limiting the effects of incidents and restoring normal conditions as quickly as reasonably possible.
In addition to the principles set out in ISO/IEC 27001, Imagicle also adopts the cloud security and privacy principles reflected in ISO/IEC 27017 and ISO/IEC 27018.
ISO/IEC 27017 provides specific guidance for the application of information security controls in cloud services, including the clear allocation of responsibilities between provider and customer, the secure administration of cloud environments, and the protection of services delivered in shared infrastructures.
ISO/IEC 27018 provides guidance for the protection of personally identifiable information (PII) in public cloud environments, supporting transparency in data processing, protection of customer data, and the adoption of appropriate technical and organizational measures to prevent unauthorized access, disclosure, alteration, loss, or misuse of personal data.
Supported by leadership direction, Imagicle’s security program involves dedicated teams responsible for implementing, monitoring, maintaining, and continually improving security and privacy controls across the organization. This commitment extends throughout the entire lifecycle of products and services, from design and development to operational delivery and support.
Imagicle applies and documents its security program in line with its business objectives and with reference to ISO/IEC 27001:2022, while also aligning its cloud security and privacy practices with the principles of ISO/IEC 27017 and ISO/IEC 27018 as part of its ongoing commitment to risk reduction, customer trust, and responsible cloud service delivery.
3. Objectives
The Information Security Management System (ISMS), designed by Imagicle, is based on:
Management of information security risks in synergy with the overall corporate risk management and in compliance with the responsible use of corporate resources, achieved through the application of shared, repeatable and valid models based on recognised international standards
Identification of organisational roles and responsibilities specifically involved in managing information security
Raising staff awareness of information security, and training and enhancing the skills most relevant to information security
Continuous monitoring of the effectiveness and efficiency of the ISMS through the definition of a system of indicators and their periodic measurement
Commitment of the Management to provide the resources deemed necessary for the implementation of corporate security policies, the pursuit of security objectives, the maintenance and continuous improvement of the ISMS
Imagicle’s cloud services and software products are designed with security and privacy in mind, following a security-by-design approach with ongoing assessment and improvement. The product development lifecycle includes threat modeling, security design reviews, and vulnerability assessments as standard practice within the development process. To ensure confidentiality of information, Imagicle manages both internal and external communications using industry-standard encryption protocols (TLS 1.2+, AES-256) and certificates issued by trusted Certificate Authorities. Up-to-date application security tools and methods are applied throughout the product lifecycle to reduce risks and address vulnerabilities in proportion to company needs and in compliance with relevant regulations. The cloud infrastructure, deployed on AWS and Microsoft Azure, is subject to continuous security monitoring and periodic penetration testing. The company’s security system is aligned with international best practices and standards, and geared towards the ISO/IEC 27001:2022 standard, which includes implementing and enforcing strict information access control measures on a business-related need-to-know basis, and regular monitoring and testing of the ISMS.
For the implementation and delivery of cloud-based services, in accordance with ISO 27017, Imagicle is committed to adopting security requirements that take into account risks from internal staff, secure multi-tenancy management, access to cloud assets by its and customers’ staff, access control (in particular administrators), communications to stakeholders when infrastructure changes occur, security of virtualization systems, data protection and access in the cloud, cloud account lifecycle management, data breach communication and information sharing guidelines to support investigation and forensic activities and ongoing security on the physical location of data in cloud servers.
Furthermore, Imagicle is constantly engaged in the protection of personal data, especially with regard to data related to its customers. With reference to the latter and in accordance with ISO 27018 and applicable privacy legislation (GDPR), the company is a Data Processor, declaring its status and the resulting obligations in contracts with customers. These obligations are also set out in the appointment as Data Processor.
4. References to regulatory aspects
All relevant mandatory and contractual requirements are identified by the organisation. The Regulatory Updates Procedure describes the activities to ensure that:
Regulatory updates relating to privacy (GDPR – EU Regulation 2016/679), cybersecurity (NIS2 Directive – EU Directive 2022/2555) and other applicable legislation are available and known to the various corporate functions concerned
The necessary updates are made to the company’s operating procedures and IT systems in order to comply with the regulations in force (Compliance)
The ISMS Coordinator ensures the monitoring and approval of the application of regulatory updates in the company.
5. Diffusion of security culture and policies
Security is a pervasive process that concerns the whole company: individual awareness, combined with responsible use of resources, plays a fundamental role in achieving the intended security objectives. Imagicle personnel are constantly made responsible for spreading a culture of information security within the company, considered necessary for the type of services offered and data processed. This commitment involves first and foremost the top management, which provides for the definition of roles and responsibilities and keeps awareness, culture and security alive throughout the organisation. Imagicle personnel are involved through the definition of comprehensive and easy-to-understand policies and procedures on data security, supported by dedicated teams committed to IT and product security.
Employees and third parties involved in company processes collaborate, as far as their competence is concerned, by respecting the rules and operating procedures reported in the Information Security Management System documentation (available on the company intranet) and by applying best practices and behaviours. For this reason, communication of the company’s security policies is extended to its partners, suppliers and customers at the time of signing or periodically renewing the contract.
6. Leadership commitment
The Company Management favours the development of the corporate culture towards the application of the rules and requirements of information security (as a guarantee to the company, customers, third parties) and the awareness and involvement of all functions in contributing to the pursuit of security objectives. It also undertakes to provide the resources deemed necessary for the implementation of corporate security policies, the pursuit of the relevant objectives and the maintenance and continuous improvement of the Information Security Management System, providing for the review of such policies at least once a year or in the event of significant changes in business or infrastructure.
The Company Management is committed to spreading and maintaining awareness, culture and corporate security policies to all internal and external personnel through various internal communication channels.
7. Risk analysis and management methodology
Security is continuously monitored. For this reason, Imagicle has adopted an information security risk analysis and management methodology together with a periodic risk management process (carried out annually, or whenever a change is made or a new application is implemented) to keep risks at an acceptable level by assessing and treating them. For this purpose, the following have been defined:
the criteria for assessing and accepting risk, and objectively and transparently identifying the potential threats and vulnerabilities that may arise from the design, implementation and management of systems and that could be exploited to compromise information security
the related direct and indirect damages
the protection measures in place, so as to highlight the most critical areas and provide for the implementation of appropriate countermeasures