Security Plan
Contents
- 1. Telecommunications Agency & Opta
- 2. Data Retention
- 3. Access to CDRs
- 4. Destruction
- 5. Wiretapping Obligation
- 6. Termination of Employment
- 7. Wiretap or Retention Requests
- 8. Certificate of Conduct
- 9. Supervision
Telecommunications Agency & Opta
The Telecommunications Agency strictly supervises data retention, data storage, data destruction, and wiretapping obligations. The agency has an excellent checklist covering all requirements for telecom providers. Below, we address the basics. The checklist can be requested from the agency.
Data Retention
By default, the IP platform stores all inbound and outbound data for all our clients. The data is redundantly written to two database servers that are physically separated. Both DB servers have two hard drives and two power supplies to ensure that data is always correctly stored and preserved.
Access to CDRs
Every login to the IP platform system has specific permissions. These permissions may include access to CDRs of a partner and/or client. Partners of the IP platform are responsible for securing these login credentials. The system can log users out if they have been inactive for more than 10 minutes, provided this option is enabled in the IP platform. When creating a new user, this option is disabled by default for usability purposes.
We recommend configuring user computers to automatically activate a password-protected screen saver after 10 minutes of inactivity. We also recommend not allowing browsers to save passwords.
Destruction
All incoming & outgoing call data is anonymized after one year (the last 5 digits of a phone number are replaced by *****), unless a client indicates through the web interface that they want to retain the complete data.
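The anonymization rule above, sketched as an added example (this is not code from the IP platform). The record fields, the `retain_clients` set, treating one year as 365 days, and keeping separators in formatted numbers are assumptions; the sample CDRs are constructed.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)   # "one year", taken as 365 days (assumption)
MASKED_DIGITS = 5                 # last 5 digits become '*', per the plan


def mask_number(number: str, n: int = MASKED_DIGITS) -> str:
    """Mask the last n digits of a phone number, leaving separators in place.

    Existing '*' characters count toward n, so running the job again on an
    already anonymized record does not eat further into the number.
    """
    out, remaining = [], n
    for ch in reversed(number):
        if remaining > 0 and (ch.isdigit() or ch == "*"):
            out.append("*")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def anonymize_cdrs(cdrs, retain_clients, now):
    """Return copies of the CDRs with both numbers masked on expired records.

    A record is left intact if it is younger than RETENTION or if its client
    has opted to retain complete data (hypothetical `retain_clients` set).
    """
    cutoff = now - RETENTION
    result = []
    for cdr in cdrs:
        rec = dict(cdr)
        if rec["start"] < cutoff and rec["client"] not in retain_clients:
            rec["caller"] = mask_number(rec["caller"])
            rec["callee"] = mask_number(rec["callee"])
        result.append(rec)
    return result


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample CDRs: expired, recent, and expired-but-retained.
SAMPLE_CDRS = [
    {"client": "acme", "start": _utc(2023, 5, 1),
     "caller": "+31201234567", "callee": "+31 6 1234 5678"},
    {"client": "acme", "start": _utc(2024, 1, 15),
     "caller": "+31201234567", "callee": "112"},
    {"client": "keepco", "start": _utc(2022, 1, 1),
     "caller": "+31201234567", "callee": "+31207654321"},
]
```
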
Wiretapping Obligation
The wiretapping obligation is transferred to the operators we work with through a contract/SLA. When a wiretap request is received, the basic details of this wiretap are provided to the IP platform administrators. This information is logged. Partners who invoice under their own name can request this information annually.
Termination of Employment
When an employee leaves the company, an IP platform partner is required to immediately destroy that user's login credentials!
Wiretap or Retention Requests
Despite the wiretapping obligation & retention being transferred to the operators, a wiretap request may still be received. A special fax number is active for these requests. This fax number is linked to a fax-to-email account. Requests received through this channel should only be viewed by employees who have a Certificate of Conduct.
After a request is received, it is printed and the source email is deleted. The date of receipt is written on the document, as is the date of transfer. The unique identifier, handler, date of receipt, and date of transfer are logged in the system.
After the data is added to the document, it is faxed to the operator where the number is active. Once they confirm receipt of the document, feedback is provided to the appropriate authorities about the transfer. The confirmation is kept, and the date, time, and contact person for the transfer are added to the log. The request is then destroyed.
Certificate of Conduct
There are two ways to complete a Certificate of Conduct application form: Variant 1 is when the director/manager requests the Certificate for an employee:
Variant 1
Purpose (B.2): employment relationship
Screening (B.3): No
Function areas (B.4): 11, 12, 13, 14, 41
Special circumstances (B.5): Yes, explanation:
Execution of wiretapping orders as defined in the Telecommunications Act
and provision of data.
Article 4, second paragraph of the Telecommunications Data Security Decree states: "The provider shall ensure that cooperation with the execution of the special orders referred to in Article 13.2, first and second paragraphs, of the Act (read: Telecommunications Act) and the obligation to provide information described in Article 13.4, first and second paragraphs, of the Act (read: Telecommunications Act) in cases other than in the interest of state security, is provided exclusively by persons who have submitted to him a certificate of conduct as referred to in the Act on Judicial Documentation and on Certificates of Conduct."
The italicized section can be added as an attachment, as the form's input space is quite limited.
Variant 2
Variant 2 is when the director/manager requests the Certificate for themselves:
Purpose (B.2): other, Description (C): Execution of wiretapping orders as defined in the Telecommunications Act and provision of data. With the italicized section from the above frame attached.
Screening (B.3): No
Function areas (B.4): 11, 12, 13, 14, 41
Special circumstances (B.5): No
The difference between variants 1 and 2 is in B.2, the purpose of the application, and B.5, special circumstances. When there are multiple directors, one director can request the Certificate for another director using variant 1.
Supervision
An IP platform partner must designate a contact person who oversees the implementation and compliance with security measures. This person must have a Certificate of Conduct. Name, function, frequency of inspections, and inspection results must be documented.