Advanced Industry-Leading Security and Compliance
8x8 maintains industry-leading security and compliance based on the understanding that protection of customer data is critical to the survival of any organization.
Cloud Security Alliance (CSA)—Star Compliant
8x8 has achieved the Cloud Security Alliance (CSA) STAR requirements through the CSA Cloud Controls Matrix (CCM). This is generally accepted as the most accurate and detailed cloud Software as a Service (SaaS) security and regulatory compliance questionnaire required by major audit frameworks. The CSA CCM provides audit attestations specifically designed to provide the compliance evidence required by all major worldwide regulatory compliance and control frameworks. These include HIPAA, FISMA/FedRAMP/NIST, various ISO standards including 27001/27002, COBIT 5, PCI DSS v3.2, CSA STAR, Jericho Forum, NERC CIP and many more regulatory compliance standards.
Industry Leading Advanced FISMA/NIST 800-53 Third Party Verified Compliance
In order for 8x8 to be accepted and granted an authority to operate with various sensitive strategic entities and defense contractors in the US and elsewhere, we were certified as fully FISMA/NIST 800-53 compliant. This is a superset of FedRAMP, SOC Types I and II and most other major compliance regulations. Our FISMA/NIST 800-53 validations are expert opinions which do not expire. FISMA/NIST 800-53 compliance covers 2,500 areas in which we must maintain compliance, so 8x8 has 49 policies, procedures and standards in place related to security, as well as 141 controls and more. Our FISMA attestations came as a result of more than two years of work with both IBM and a top DOD security consulting firm in Washington D.C. We provide our services to many strategic US entities. FISMA/NIST 800-53 is thought by many to be the most thorough, intensive form of compliance worldwide.
All our Data Centers maintain at least SSAE 16/18, SOC Type I and Type II, ISAE 3402, ISO 27001:2013 or Equivalent Compliance
We own and manage our software and hardware and only contract with highly secure top-tier data centers. We place additional contractual requirements on these data centers to not only meet SSAE 16 SOC I and SOC II but also our internal administrative, technical and physical safeguard standards, in order to maintain the confidentiality, integrity and availability of all systems.
Vulnerability Management and Application Security
We practice secure coding with Veracode SAST and other tools as part of our secure software development life cycle (S-SDLC) DevSecOps process. Our various IT groups rotate Qualys, Tenable Nessus Pro and Veracode DAST and SAST scans across our systems on a continuous basis. We have a team of internal pen testers, and we bring in one of the major global pen testing firms to ethically hack our systems prior to major releases. We remediate critical and high findings right away, remediate medium findings within weeks, and stay current with major vendor patches.
We brought in Stephen Wu, a nationally known attorney who is a leading HIPAA data privacy and security legal authority and author of the legal reference guide book, A Guide to HIPAA Security and the Law. After extensive audits of our back-end systems and the software solutions we provide, he provided a legal attestation of our compliance. Stephen wrote a second edition of his book and mentions 8x8 as a positive example of HIPAA compliance. In addition, 8x8 has provided hundreds of business associate agreements (BAAs), protecting our customers from any risk of HIPAA data exposure from their 8x8 implementation.
UK Government Authority to Operate, ISO 27001, ISO 9001, Cyber Essentials Plus
In the UK, 8x8 has an "Authority to Operate" from the government to work with its most secure agencies. 8x8 is also listed in the UK government's G-Cloud as a compliant cloud SaaS vendor. These require several other certifications, including ISO 27001:2013, ISO 9001:2015, and Cyber Essentials Plus.
We maintain US/EU and Swiss Privacy Shield Compliance. We are also fully GDPR-ready to ensure compliance with UK, EU and EEA regulatory law.