Security Policy - UCX Platform Cloud
1. Scope and Architecture
This document provides a comprehensive overview of the security controls, certifications, and processes that Imagicle applies to protect customer data across all Imagicle Cloud services.
1.1 Service Scope
The security controls described in this document apply to the entire Imagicle UCX Platform Cloud, covering all services available under the Imagicle UCX Platform Cloud Service Agreement:
UCX Core Services: Cloud-hosted unified communications applications including Call Recording, Attendant Console, Advanced Queuing and Auto Attendant, Digital Fax, Call Analytics, and Contact Manager.
Virtual Receptionist: A configurable conversational voice assistant leveraging Third-Party AI Providers for speech-to-text transcription, audio synthesis, and intent recognition.
Smartflows: A multi-channel customer interaction automation service, integrating with external Digital Channels (WhatsApp, Facebook Messenger, Apple Business Chat, Telegram, SMS, web chat, email) and leveraging Third-Party AI Providers for speech-to-text, intent recognition, and response generation.
Voice Analytics: A transcription and AI-powered analysis service for voice conversations, including sentiment analysis and interaction insights.
Cloud Platform Shared Services: Common platform capabilities including SSO, directory synchronization, cloud licensing, telemetry, and presence.
1.2 Architecture Overview
Imagicle Cloud services are deployed on Amazon Web Services (AWS) and Microsoft Azure, using two distinct architectural models depending on the service category.
Imagicle UCX Suite (Single-Tenant Architecture): The UCX Core Services — including Attendant Console, Call Recording, Digital Fax, and Call Analytics — are deployed on AWS using a single-tenant model. Each customer receives one or more dedicated virtual machine instances, ensuring complete isolation of compute, storage, and networking resources at the tenant level. This architecture can also be deployed in additional AWS regions worldwide via the Dedicated Cloud option.
This single-tenant architecture provides the following benefits:
Security: Complete separation ensures full isolation of each customer’s data and processing environment.
Reliability: The performance of one customer’s instance is never impacted by activity on other customers’ instances.
Geo-proximity: Instances are deployed across AWS regions worldwide, allowing customers to select the region that best meets their latency and data residency requirements.
Version isolation: Customers can schedule updates independently, in coordination with Imagicle.
Cloud-Native Multi-Tenant Services: The following services are deployed as cloud-native, multi-tenant platforms:
Imagicle UCX Platform (AWS): Voice Analytics, Virtual Receptionist, User Sync, Single Sign On, Call Control, Presence, and Analytics services.
Imagicle Smartflows (AWS): The comprehensive platform to build digital and voice conversations, human and virtual.
SBC Media Edge (AWS): Session Border Controller service to securely handle voice media to/from Cloud Calling platforms.
Webex Rec SBC (AWS): Session Border Controller service to integrate natively over a dedicated private network with Webex Calling.
MS Teams Rec Engine (Azure): Native recording engine for Microsoft Teams, based on the official Microsoft SDK, requiring Azure infrastructure.
These multi-tenant services employ logical isolation at the application, database, and network layers, ensuring strict separation of customer data and configurations. The multi-tenant architecture is designed for horizontal scalability, high availability, and rapid deployment of updates across all customers simultaneously.
1.3 Deployment Models
Cloud-native multi-tenant services (UCX Platform, Smartflows, SBC Media Edge, Webex Rec SBC, MS Teams Rec Engine) are delivered exclusively via the Public Cloud model.
The Imagicle UCX Suite is available in the following 2 deployment models, as specified in the applicable Order Form:
Public Cloud: Customer accesses the Service via the Internet for both web UI and voice engines, through shared computing resources. This model provides high availability and is the standard option for most deployments.
Dedicated Cloud: The Service is provided through a private connection and dedicated computing and database resources for each Customer, granting maximum security, isolation, availability, and scalability. Connectivity to the Dedicated Cloud instance can be established through:
VPN – standard site-to-site IPSec virtual private network to the Service instance.
SD-WAN – adding the Service as an additional node of the Customer virtual WAN via supported equipment termination.
Equinix – dedicated links from Customer premises via Equinix Cloud Exchange.
1.4 Deployment Regions
Imagicle Cloud services are deployed across multiple geographic regions on both AWS and Azure infrastructure.
AWS Regions (UCX Platform, UCX Suite, Smartflows, SBC Media Edge, Webex Rec SBC):
Europe (Frankfurt)
United Kingdom (London)
United States (Northern Virginia, Ohio)
Middle East (UAE)
Canada (Montreal)
Asia Pacific (Tokyo)
Asia Pacific (Sydney)
Azure Regions (MS Teams Recording Engine):
Europe (Frankfurt)
United States (East US)
Middle East (Dubai)
Asia Pacific (Sydney)
Additional AWS regions are available for Dedicated Cloud deployments upon request. This geographic coverage enables compliance with data residency requirements across jurisdictions, including GDPR and regional data localization regulations.
1.4.1 Regional Services Limitation
Imagicle delivers its cloud services through a controlled regional infrastructure designed to support information security, cloud security governance, and personal data protection requirements. In line with the principles of ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, service availability is organized by region and by service type, so that customers can clearly understand where services are hosted and which capabilities are available in each geography.
The diagram below provides an overview of Imagicle Cloud Services, their regional deployment model, and any applicable Regional Services Limitations, supporting transparency, risk assessment, and informed customer decision-making.

2. Infrastructure Security
2.1 Cloud Data Centers
Imagicle Cloud services are hosted on AWS and Microsoft Azure data centers, both designed and operated in accordance with the most rigorous industry standards. These facilities feature multiple layers of physical security, including perimeter controls, professional security staff, video surveillance, intrusion detection, and multi-factor access controls.
AWS: Hosts the UCX Platform, UCX Suite, Smartflows, Voice Analytics, SBC Media Edge, and Webex Rec SBC services. AWS maintains compliance certifications including ISO 27001, SOC 1 Type II, SOC 2 Type II, SOC 3, FedRAMP, PCI DSS Level 1, and CSA STAR.
Microsoft Azure: Hosts the MS Teams Recording Engine, which is built on the official Microsoft SDK and requires Azure infrastructure for native integration with the Microsoft Teams platform. Azure maintains compliance certifications including ISO 27001, SOC 1 Type II, SOC 2 Type II, FedRAMP, PCI DSS, and CSA STAR.
2.2 Compute Isolation
Imagicle applies isolation controls appropriate to each service’s architectural model.
UCX Suite (Single-Tenant): Each customer instance runs on dedicated virtual machines, with full operating system, database, and application-level isolation. No software components, storage, or network interfaces are shared across customer instances. This architecture eliminates the risks associated with multi-tenant environments and noisy-neighbor effects.
Cloud-Native Multi-Tenant Services (UCX Platform, Smartflows, SBC Media Edge, Webex Rec SBC, MS Teams Rec Engine): These services run on shared cloud-native infrastructure with strict logical isolation enforced at the application, database, and network layers. Each customer’s data is segregated through dedicated database schemas or partitions, tenant-scoped API access controls, and network-level segmentation. Resource quotas and rate limiting prevent noisy-neighbor effects, ensuring consistent performance across tenants.
2.3 Virtual Machine Hardening
Imagicle applies hardening measures to virtual machines and operating environments used in the delivery of cloud services, particularly for single-tenant deployments based on dedicated virtual machine instances. Hardening is implemented as a structured process intended to strengthen the security posture of the cloud environments used to provide services to customers.
Imagicle follows two complementary hardening approaches:
One-time hardening: performed during the initial provisioning and first setup of the environment, in order to establish a secure baseline configuration before the service becomes operational.
Recurring hardening: performed during the lifecycle of the environment whenever significant changes occur, including major operating system upgrades, installation of additional modules or libraries, or other relevant configuration changes that may affect the security posture of the system.
Hardening activities include, as applicable, the use of approved baseline configurations, restriction or removal of unnecessary services and components, secure operating system settings, controlled administrative access, and alignment with internal security standards for system configuration and maintenance.
Virtual machine images and configurations are maintained under change control and are reviewed and updated regularly to address security vulnerabilities, software defects, and configuration risks. Hardening measures are complemented by patch management, access control, vulnerability assessment, and monitoring processes in order to maintain the security of hosted workloads over time.
2.4 Patch Management
Imagicle maintains responsibility for operating system and middleware patching on all customer instances. Critical security patches are assessed and deployed within established SLAs based on CVSS severity scoring. Patch schedules are coordinated with customers to minimize service disruption.
3. Data Security
3.1 Data Ownership
The Customer is the exclusive owner of all Customer Data loaded on and processed by the Service. Imagicle personnel are not permitted to access Customer Data unless explicitly authorized by the Customer’s designated contacts for troubleshooting or support purposes.
3.2 Data Encryption
Imagicle applies a comprehensive encryption strategy across all layers of data handling, covering data in transit, data at rest, voice media, key management, and certificate governance.
Encryption in Transit: All data exchanged between the customer environment and Imagicle Cloud is encrypted using TLS 1.2 or higher. Imagicle enforces strong cipher suites and disables legacy protocols (SSLv3, TLS 1.0, TLS 1.1). Certificates are issued by public Certificate Authorities for all HTTPS endpoints. Internal service-to-service communication within the cloud environment is also encrypted using TLS.
Voice and Media Encryption: Voice signaling crossing the Internet (Public Cloud) is encrypted via SIP over TLS (SIPS) for all voice applications. Real-time media streams are protected using SRTP (Secure Real-time Transport Protocol) with AES-128 or AES-256 encryption, ensuring confidentiality and integrity of voice communications between endpoints and the Imagicle Cloud platform.
Encryption at Rest: Customer data stored on cloud infrastructure is encrypted at rest using AES-256 encryption. On AWS, encryption leverages AWS Key Management Service (KMS) for key lifecycle management. On Azure, encryption leverages Azure Storage Service Encryption with Azure Key Vault for key governance. Encryption at rest covers all storage layers including databases, file systems, and backup volumes.
Key Management: Encryption keys are managed through the respective cloud provider’s native key management services (AWS KMS and Azure Key Vault). Keys are rotated automatically on an annual basis, or more frequently as required by policy. Customer-managed keys (CMK) are available upon request for Dedicated Cloud deployments. Key access is restricted to authorized services and personnel through IAM policies and access control lists. All key usage events are logged and auditable.
Certificate Management: TLS certificates are issued by trusted public Certificate Authorities and managed through automated lifecycle processes including provisioning, renewal, and revocation. Certificate expiration is monitored continuously, with automated alerts triggered ahead of renewal deadlines to prevent service interruptions.
3.3 Data Isolation
Data isolation is enforced through controls appropriate to each service’s architectural model. For UCX Suite (single-tenant), each customer’s data is isolated at the virtual machine, database, and application layer, with dedicated storage volumes not accessible from other instances. For cloud-native multi-tenant services (UCX Platform, Smartflows, SBC Media Edge, Webex Rec SBC, MS Teams Rec Engine), customer data is logically isolated through dedicated database schemas or partitions, tenant-scoped access policies, and application-level enforcement. In both models, no data, configurations, or application components are shared across tenants.
3.4 Data Retention and Deletion
Data retention policies are defined in the applicable Service Agreement and Data Processing Addendum (DPA). Upon contract termination, customer data is securely deleted within the timeframe specified in the DPA. Deletion is performed using industry-standard secure erasure methods, and confirmation is provided upon request.
3.5 Backup and Recovery
Data and configuration backups are performed regularly and stored in dedicated, isolated storage areas within the respective cloud provider (AWS or Azure). Backup data is encrypted at rest using AES-256 encryption. Backup schedules and retention periods are defined based on the service tier. Backup integrity is verified through periodic restoration tests.
4. Access Control and Identity Management
4.1 Administrative Access
Access to Imagicle Cloud infrastructure is restricted to the Cloud Operations team through a role-based access control (RBAC) model. All administrative access requires:
Multi-factor authentication (MFA)
SSL VPN with personal encryption certificates
Privileged Access Management (PAM) controls
All administrative sessions are logged and recorded. Session recordings are available for customer audit upon request.
4.2 Customer Access
Customer access to the Imagicle management portal is controlled via username/password authentication, with support for Single Sign-On (SSO) integration via SAML 2.0 and OAuth 2.0. Customers are encouraged to enforce MFA within their identity provider.
4.3 Principle of Least Privilege
Access rights are granted based on the principle of least privilege. Permissions are reviewed periodically and revoked promptly upon role change or employment termination. Privileged access is subject to approval workflows and periodic recertification.
5. Network Security
5.1 Network Architecture
Imagicle Cloud employs a defense-in-depth network architecture designed to protect cloud services against unauthorized access, network-based attacks, and service disruption. Security controls are implemented across network boundaries, internal service communications, and connectivity paths between customer environments and Imagicle Cloud services.
Depending on the service architecture and deployment model, network protections include segmentation between customer environments, controlled exposure of public-facing services, restricted management access paths, and isolation of production, administrative, and supporting service components.
5.2 Network Protection Controls
Imagicle applies multiple layers of network protection controls, including:
Network segmentation and isolation between customer instances and service components
Firewalls and security groups restricting traffic to authorized ports, protocols, and communication flows
Secure administrative access paths protected through VPN, encryption, and access control mechanisms
Intrusion detection and prevention measures, where applicable, to identify and block malicious traffic patterns
DDoS protection capabilities provided through cloud-native services such as AWS Shield and equivalent provider controls
Encrypted network communications using secure protocols for customer access, service connectivity, and voice signaling over public networks
These controls are configured and maintained in accordance with the service architecture, risk profile, and operational requirements of each cloud service.
6. Logging and Monitoring
6.1 Logging and Monitoring Framework
Imagicle applies centralized logging and monitoring controls across its cloud services and supporting infrastructure to support security operations, service reliability, incident investigation, and customer transparency. Logging and monitoring activities are designed to provide traceability of relevant events across infrastructure, systems, applications, administrative interfaces, and security controls.
Logging and monitoring mechanisms are implemented in accordance with the service architecture and deployment model, taking into account the distinction between single-tenant and cloud-native multi-tenant services. These controls support the detection of anomalous activities, operational faults, security events, and unauthorized actions that may affect the confidentiality, integrity, or availability of customer data or cloud services. These controls also support the monitoring of service health and availability across Imagicle Cloud services. Where applicable, customer-facing information regarding service availability, incidents, and scheduled maintenance is made available through Imagicle’s status portal at status.imagicle.cloud.
6.2 Event Logging
Imagicle generates event logs for relevant systems, applications, and cloud resources. Event logs record, as applicable:
User activities, including authentication attempts, access to management interfaces, and administrative actions
Privileged operations and changes to security-relevant configurations
Application exceptions, processing errors, and service failures
Infrastructure faults and platform events affecting service availability or integrity
Information security events, including access control violations, suspicious activities, and other security-relevant alerts
The scope and granularity of logging may vary depending on the specific service, architecture, and technical function performed, while maintaining alignment with security, operational, and compliance requirements.
6.3 Security Monitoring and Review
Logged events are continuously monitored through a combination of automated detection mechanisms, alerting processes, and operational review activities performed by authorized personnel. Security-relevant events are collected, correlated, and analyzed to identify anomalous patterns, operational issues, and potential information security incidents.
Event logs are reviewed regularly in accordance with internal procedures and the criticality of the monitored systems. Where appropriate, alerts are generated automatically and escalated to the relevant operational or security teams for investigation and response. Monitoring outputs are used to support incident detection, troubleshooting, root cause analysis, continuous improvement of security controls, and service availability management. Where applicable, information regarding service status, availability, ongoing incidents, and scheduled maintenance is published through Imagicle’s status portal at status.imagicle.cloud.
6.4 Log Protection and Integrity
Imagicle protects log data against unauthorized access, modification, deletion, or disclosure through technical and organizational controls. Access to logging platforms and log records is restricted to authorized personnel on a need-to-know basis and is governed by role-based access control mechanisms.
Centralized logging systems are configured to preserve the integrity and availability of collected log data. Where applicable, systems rely on time synchronization mechanisms to ensure the consistency and reliability of timestamps across events, thereby supporting event correlation, auditability, and forensic investigation.
6.4.1 Clock Synchronization
Imagicle systems use synchronized time sources to support the consistency, reliability, and correlation of logged events across cloud infrastructure and services. Where applicable, system clocks are synchronized through the native time synchronization services provided by the relevant cloud provider or equivalent trusted time sources.
Information regarding the reference time used by Imagicle cloud systems and the applicable time standard for customer-facing logs, reports, or audit records is made available to customers through service documentation or upon request.
Where customer environments exchange logs, events, or operational records with Imagicle Cloud services, customers may align their local system clocks with the same standard time reference used by Imagicle, in accordance with the technical guidance provided for the relevant service.
6.5 Log Retention
Log retention periods are defined according to the nature of the service, the security relevance of the events, applicable contractual obligations, legal and regulatory requirements, and internal policies. Logs are retained for a period sufficient to support security monitoring, incident investigation, audit activities, and compliance needs.
At the end of the applicable retention period, log data is securely deleted or disposed of in accordance with Imagicle’s data lifecycle management procedures and the controls implemented by the relevant cloud provider.
6.6 Customer Logging Capabilities
In accordance with the applicable service model, technical architecture, and contractual scope, Imagicle provides logging capabilities to cloud service customers. Depending on the specific cloud service, these capabilities may include access to audit trails, service activity records, administrative event history, usage information, troubleshooting records, or log extracts and reports made available through the service interface or upon request to Imagicle support.
The type, format, granularity, and retention period of customer-accessible logs may vary depending on the service category, deployment model, security design, and applicable data protection constraints. Where direct access to raw logs is not provided, Imagicle may provide relevant logging information through reports, controlled extracts, or support-mediated access mechanisms.
6.7 Use of Logs for Incident Response and Compliance
Logging and monitoring records are used by Imagicle to support incident identification, containment, investigation, remediation, and post-incident analysis. Relevant log evidence may also be used to support internal audits, management reviews, compliance verification activities, and customer-requested assessments, subject to confidentiality, security, and data protection constraints.
Through these controls, Imagicle supports traceability, accountability, and operational visibility across its cloud services, in alignment with the principles reflected in ISO/IEC 27001 and the cloud-specific guidance of ISO/IEC 27017.
7. AI and Third-Party Service Security
7.1 AI-Enabled Services
Three services within the Imagicle UCX Platform Cloud leverage Third-Party AI Providers for specific processing functions:
Virtual Receptionist: Uses Third-Party AI Providers for speech-to-text transcription, text-to-speech audio synthesis, and intent recognition to power conversational voice interactions.
Smartflows: Uses Third-Party AI Providers for speech-to-text transcription, intent recognition, and response generation across voice and digital channel automation flows.
Voice Analytics: Uses Third-Party AI Providers for transcription of call recordings and AI-powered analytics including sentiment analysis and interaction insights.
These integrations are implemented through secure API calls and are subject to strict contractual and technical safeguards. The same security baseline applies to all AI integrations regardless of the service.
7.2 Digital Channels Security (Smartflows)
Smartflows enables automation across third-party Digital Channels (WhatsApp, Facebook Messenger, Apple Business Chat, Telegram, SMS, web chat, and email). The following security considerations apply:
Data routing: Messages exchanged through Digital Channels transit through the respective third-party platform’s infrastructure before reaching Imagicle. Imagicle is not responsible for Customer Data once it leaves the Imagicle Cloud environment for a third-party Digital Channel platform.
Third-party terms: Customers enabling Digital Channel integrations are subject to the terms and conditions of the respective platform provider, which may have access to data exchanged through their platform.
Data minimization: Only data required to route and process the customer interaction is exchanged with Digital Channel platforms.
7.3 Third-Party Sub-Processor Controls
All third-party providers used in the delivery of Imagicle Cloud services — including AI providers and Digital Channel integrations — are listed in the Sub-Processor register maintained at imagicle.com/legal/sub-processors. Each sub-processor is subject to:
Due diligence assessment prior to onboarding, covering security posture, data protection practices, and compliance certifications
Contractual obligations including Data Processing Agreements with appropriate Standard Contractual Clauses (SCCs) for international transfers
Ongoing monitoring and periodic reassessment of compliance status
7.4 AI Data Processing Principles
The following principles govern all AI-related data processing within Imagicle Cloud, across all services:
No training on customer data: Customer data is never used to train, improve, or fine-tune AI models operated by Imagicle or its sub-processors.
Transient processing: Audio and text data sent to AI providers is processed in real time and not retained beyond the time necessary to return the result.
Encryption in transit: All data exchanged with AI service providers is encrypted using TLS 1.2 or higher.
Data minimization: Only the minimum data necessary for the requested function is transmitted to the AI provider.
7.5 Transfer Mechanisms
Where AI sub-processors are located outside the European Economic Area, data transfers are governed by appropriate safeguards under GDPR, including EU-US Data Privacy Framework adequacy decisions (Art. 45 GDPR) and/or Standard Contractual Clauses (Art. 46(2)(c) GDPR), as detailed in the Sub-Processor register.
8. Software Development Lifecycle and Vulnerability Management
8.1 Secure Development Practices
Imagicle follows an Agile development methodology with security integrated at every stage:
Analysis and Design: Security requirements are identified during feature analysis. Threat modeling is performed using a security-by-design approach, and countermeasures are defined before development begins.
Development: All code is developed in accordance with a dedicated IT Security checklist. The codebase is protected against OWASP Top 10 threats, verified through automated scanning tools.
Testing: Test cases include security-specific scenarios at the system, feature, and penetration levels. End-to-end testing is performed on each release to identify vulnerabilities before deployment.
8.2 Vulnerability Assessment
Imagicle maintains a continuous vulnerability assessment program using industry-standard scanning tools. Before any new software version is deployed to the Cloud environment, a dedicated vulnerability assessment is performed on a sandbox environment. Vulnerability remediation follows a risk-based prioritization aligned with CVSS scoring.
8.3 Penetration Testing
Imagicle conducts periodic penetration testing, both internal and through qualified third-party firms, to validate the effectiveness of security controls. Findings are tracked to resolution and verified through retesting. Summary reports are available to customers upon request under NDA.
8.4 Security Vulnerability Response
Upon identification of any security vulnerability, Imagicle applies commercially reasonable efforts to address it based on severity. Priority is established using the Common Vulnerability Scoring System (CVSS). Imagicle is responsible for patching the server operating system and all middleware running on customer instances.
All activities related to addressing security issues and enhancing the usability of the cloud-based services provided by Imagicle are conducted by Imagicle personnel with the appropriate permissions and delegations.
9. Incident Response
9.1 Incident Management Framework
Imagicle maintains a documented incident response procedure aligned with ISO/IEC 27001 requirements and applicable cloud security practices. The incident management framework covers the identification, reporting, assessment, containment, eradication, recovery, communication, and post-incident review of information security events and incidents affecting Imagicle Cloud services.
The framework is designed to support timely handling of security events, minimize service impact, protect customer data, and ensure appropriate coordination between operational, security, legal, and privacy functions where required.
9.2 Shared Responsibilities and Customer Cooperation
As part of the delivery of Imagicle Cloud services, responsibilities for information security incident management are allocated between Imagicle and the customer according to the applicable service model, deployment architecture, and contractual scope.
Imagicle is responsible for managing security incidents affecting the cloud infrastructure, hosted applications, managed service components, and the security controls operated by Imagicle as part of the service. This includes incident detection within Imagicle-managed environments, internal escalation, containment, investigation, remediation, and customer notification where applicable.
Customers remain responsible for security incident management activities within their own environment, including the protection of their endpoints, identity providers, local networks, user devices, and any third-party systems or integrations under their control, unless expressly included within the scope of the Imagicle service.
Where an incident involves both customer-controlled and Imagicle-controlled components, Imagicle cooperates with the customer to support coordinated analysis, containment, remediation, and communication activities. The respective roles, communication paths, and cooperation procedures may be further defined in service documentation, support procedures, or contractual agreements.
9.3 Reporting of Information Security Events
Imagicle makes available to customers mechanisms to report information security events, suspected vulnerabilities, misuse, or other security-related concerns affecting Imagicle Cloud services. Customers may report such events through authorized support channels, including the Support Portal, Support email, account manager contacts, designated service contacts, or other documented communication mechanisms made available as part of the service relationship. For security-related reports, customers may also contact the Security and Trust team at trust@imagicle.com.
Reported events are assessed and routed through Imagicle’s internal incident management process according to their nature, severity, and potential impact. Where appropriate, reported events are escalated to the relevant operational, security, privacy, or management functions for investigation and response.
Imagicle maintains procedures to record, track, and manage reported information security events to support timely evaluation, response, and resolution.
9.4 Incident Notification
In the event of a personal data breach or other reportable security incident affecting customer data or the availability, confidentiality, or integrity of the service, Imagicle notifies the affected customer without undue delay and, where required by applicable law, within the relevant regulatory timeframe.
Where the incident constitutes a personal data breach under GDPR, Imagicle provides notification in accordance with Article 33 obligations applicable to processors and controllers, and supports the customer in meeting its own regulatory obligations where required.
Such notification, as applicable, includes:
Nature and scope of the incident or breach
Categories and approximate number of affected data subjects or records, where known
Likely consequences of the incident
Measures taken or proposed to contain, mitigate, and remediate the impact
Contact details of the Data Protection Officer or designated point of contact
9.5 Remediation and Post-Incident Review
Following identification of a confirmed incident, Imagicle coordinates containment, eradication, recovery, and service restoration activities in accordance with internal procedures and the nature of the affected service. Where relevant, a shared remediation plan is developed and implemented in collaboration with the affected customer.
Root cause analysis is conducted following significant incidents, and corrective actions are documented, assigned, and tracked through completion. Lessons learned are incorporated into Imagicle’s security and operational processes to support continuous improvement and reduce the likelihood of recurrence.
10. Disaster Recovery and Business Continuity
10.1 Disaster Recovery Options
Imagicle Cloud services are designed for resilience in line with AWS and Azure best practices. Two disaster recovery tiers are available:
Warm Standby (Standard): A duplicate of the customer’s core environment is maintained on standby. In the event of a disaster, the standby instance is activated with minimal data loss.
Hot Standby (High Availability Option): Data and applications are fully replicated across two or more active locations. In the event of a failure, traffic is automatically rerouted to the unaffected location, providing near-zero downtime.
10.2 Backup Isolation
All data and configuration backups are stored in a dedicated, isolated storage area within the respective cloud provider (AWS or Azure), separate from the production environment, to guarantee integrity and availability in disaster scenarios.
10.3 Recovery Testing
Disaster recovery procedures are tested periodically to validate recovery time objectives (RTO) and recovery point objectives (RPO). Test results are documented and used to refine recovery plans.
11. Compliance and Certifications
11.1 ISO/IEC 27000 Standards
Imagicle has maintained ISO/IEC 27001 certification since 2021 for its Information Security Management System (ISMS). The certification scope covers the design, development, sale, and support of software solutions and services for Unified Communication and Collaboration platforms.
Compliance with ISO/IEC 27001 is verified through independent annual surveillance audits and a full recertification audit every three years, supporting the ongoing effectiveness and continuous improvement of the management system.
In addition to its certified ISO/IEC 27001 framework, Imagicle adopts security and privacy practices aligned with the principles and best practices reflected in ISO/IEC 27017 and ISO/IEC 27018. This includes the application of cloud-specific security controls and measures aimed at strengthening transparency, governance, and the protection of personal data processed within cloud environments.
Imagicle is continuously evolving its control framework to further enhance its cloud security and privacy posture in line with internationally recognized standards and industry best practices.
The current ISO/IEC 27001 certificate is available to customers and prospective customers upon request.
11.2 GDPR Compliance
Imagicle processes personal data in compliance with the General Data Protection Regulation (EU Regulation 2016/679). The organization maintains a Data Processing Addendum (DPA) governing data processing activities, a Sub-Processor register with notification mechanisms, and appropriate transfer safeguards for international data flows.
11.3 NIS2 Directive
As a provider of cloud computing and unified communications services, Imagicle monitors the implementation of the NIS2 Directive (EU Directive 2022/2555) across EU Member States and aligns its security controls with the Directive’s requirements for supply chain security, incident reporting, and risk management.
11.4 Information Security Management System
Imagicle maintains an organization-wide ISMS based on the ISO 27001 framework. The ISMS includes policies, procedures, guidelines, work instructions, and checklists that are distributed to all employees and reviewed regularly by the Information Security Manager. The ISMS is subject to continuous improvement through internal audits, management reviews, and corrective action processes.
11.5 Governance and Risk Management
Imagicle performs an annual risk assessment covering security threats to information assets. The process includes risk identification, likelihood and impact analysis, control evaluation, and treatment planning. Measures and controls are implemented to mitigate identified risks to acceptable levels. The ISMS control environment is monitored on an ongoing basis, with security issues, audit findings, and corrective actions tracked to completion.
12. Employee Security
12.1 Hiring and Onboarding
Security responsibilities are defined in employment contracts. Background verification checks are conducted for personnel in sensitive roles. All employees in the R&D department are required to sign confidentiality and non-disclosure agreements.
12.2 Security Awareness and Training
Imagicle maintains a comprehensive security awareness program aligned with the organization’s information security policies. The program covers:
Applicable information security rules, policies, regulations, and contractual obligations
Personal accountability for securing organizational and third-party information
Baseline security controls including password management, endpoint protection, and clear desk/screen policies
Secure development practices for engineering staff
Training is delivered upon onboarding and refreshed annually, with additional targeted training in response to emerging threats or policy changes.
12.3 Offboarding
Upon termination of employment, all access rights are revoked promptly. Company assets are returned, and separation procedures are documented in accordance with the ISMS.