Security Policy Overview

Cloudli is committed to providing a safe and secure environment where businesses, institutions, and individuals use its services, knowing that their assets, such as personal data, are protected, and that such services are available in a consistent and timely manner.

The security policies, best practices, and enforcement mechanisms in place at Cloudli are derived from the Payment Card Industry Data Security Standard (PCI/DSS), which is used as a guideline.

Privacy Statement

Our Privacy Statement is here to help you understand how Cloudli uses and safeguards the personal information you provide to us, or that is generated by your use of our VoIP communications products and services. If you have any questions concerning this Privacy Statement, please email us at privacy@cloudli.com.

Application Security

As part of its policies and procedures framework, Cloudli developed secure coding guidelines and appropriate standards based on practices we follow at Cloudli to deliver high-quality software. Our main goal is to deliver secure, high-quality, reliable, and scalable telephony and messaging services that meet customer needs. The Cloudli development process follows industry best practices, including controlled releases, versioning of source code and all configuration data, automated testing, and regular vulnerability assessments.

Patch and Change Management policies are in place as well as guidelines for secure coding covering a range of topics including security automation, access control, error handling and logging. Cloudli software is based on programming languages that have been historically less subject to common security weaknesses.

Network and Infrastructure Security

Cloudli installs and maintains a secure configuration to protect customer data. Firewalls and/or Session Border Control (SBC) platforms are deployed across the Cloudli network, including at its headquarters, Network Operating Center (NOC) and hosted secure service centers, and are managed from a central location, by a select few individuals. Segmentation is leveraged to minimize exposure to sensitive data. In addition, servers that are used in production or for testing have their own individual firewalls. Intrusion detection mechanisms are in place and audit logs are maintained for forensic and troubleshooting purposes. Authorized individuals within Cloudli monitor equipment, systems and network traffic at all times.

Data Security

Cloudli uses appropriate technologies and measures to ensure the security and safety of all customer transactions, sensitive traffic and information with Cloudli products.

Sensitive customer data is protected through use of encryption mechanisms, including when at rest and in transit. To prevent unauthorized access or disclosure, maintain data accuracy, and ensure the appropriate use of information, Cloudli established safeguards to secure sensitive information. We use industry-recognized standards in transaction security to protect the information provided by our customers. Servers holding sensitive information are secure and accessed by authorized personnel only. All portal and management access to our systems uses secure TLS connections.

Call traffic from our SIP Trunking voice or T.38 SIP Trunking fax customers is never at rest or accessed other than on a random or infrequent basis, as necessary to perform troubleshooting services requested by customers, or as required by law. Robust AES encryption is used for our call traffic between our facilities, and for our customers who need to comply with regulations such as HIPAA in the USA or PIPEDA in Canada.

When at rest, sensitive traffic is encrypted and stored in a virtual environment architecture that protects data from unauthorized access with strictly controlled roles and continuous tracking of all access attempts.

Access to customer data is restricted by business need-to-know rules. Strict controls leveraging roles associated with each individual are in place.

Physical and Environmental Security

Cloudli deploys its solution platforms at data centers that are state-of-the-art facilities designed to host and manage business-critical environments around-the-clock. The centers utilize the latest technologies to provide the highest levels of infrastructure security, reliability, and availability. These hosted service centers are under strict surveillance, with physical access controls and a dedicated 24x7 NOC facility that provides a strictly controlled maintenance and support scheme on all systems.

Periodic Operational Security Procedures

In addition to having tools in place for continuous security monitoring, such as automatic detection of unauthorized wireless devices in use, Cloudli performs different types of periodic operational security procedures, where the frequency varies depending on the type of procedure. Examples include, but are not limited to:

  • Performing scans for file integrity, virus and malware
  • Reviewing logs for intrusion detection and security events
  • Executing vulnerability scans and penetration testing
  • Analyzing audit system access controls and terminated employee access

Cloudli also performs enterprise-wide risk analysis and security awareness training on a regular basis.

Anti-virus software on all systems at risk of malware attacks is used and regularly updated. Several levels of anti-virus and anti-spam software are used throughout Cloudli’s infrastructure, and specialized systems have their own security mechanisms. Cloudli develops and maintains secure systems and applications consistent with well-established security policies and guidelines. Regular vulnerability scans are performed, and results are promptly analysed and addressed.

Cloudli engages a third-party Approved Scanning Vendor (ASV) security firm that specializes in proactive threat and vulnerability preparedness. As part of its mandate, the ASV performs monthly vulnerability testing and produces related audit reports, which Cloudli reviews and uses to guide mitigation activity as necessary.

Fraud Mitigation

Cloudli implements multiple measures to prevent and detect toll fraud, including access controls, usage policies, and customer-controlled settings that help minimize the risk of fraud. Leading-edge detection mechanisms with automated alerting and active monitoring are also used to identify, notify and address anomalies and suspicious activity.

We are dedicated to helping our customers take the necessary precautions to ensure the security of their telecommunication equipment is not compromised. We help our customers set up their IP devices for proper interoperability with sufficient bandwidth/throughput for good call quality. We also provide guidance and best practices to consider for the security of their deployment, such as:

Network Security

  • Protect wireless connections with a password
  • Detect rogue devices connected to your network via Ethernet or WiFi
  • Ensure you have a well-managed firewall and a hardened perimeter

Telephony Security

  • Never give out your SIP credentials
  • Never use default passwords for user accounts including web and voicemail
  • Harden your phone system against intruders
  • If an extension is not in use, disable it
  • Ensure you have an administrative password on your phone system
  • Remove line appearance keys from phones in common areas and restrict outbound calling on them
  • Never disclose your SIP passcodes in emails or forums
  • If you are managing your own SIP device, ensure it rejects unauthorized requests safely by indicating an invalid password instead of an unknown user, so that the requester cannot tell whether there was a matching user for their request.

Call Traffic Security

  • Review your call patterns and call volumes regularly by checking your phone system’s Call Detail Records (CDRs) to see all calls, including calls that were attempted but blocked; the records show call times and extensions used
  • Block international calls from your Cloudli account, if not required
  • Block long distance calls from your Cloudli account, if not required
  • Use your Cloudli usage policy to prevent new calls once the usage policy limits are reached; you can request your Cloudli usage policy to be adjusted to a reasonable level
  • Review your Automated Attendant and voicemail outbound dialing capabilities
  • Block routing to high-risk destinations like 900 numbers
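
The CDR review recommended above can be partly automated. The following is an added example, not Cloudli code: the CSV column names, the sample records (constructed, using fictional 555-01xx numbers), the North American prefix rules and the thresholds are all assumptions to adapt to your own phone system's CDR export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDRs; real phone systems export different columns.
SAMPLE_CDRS = """start,extension,destination,disposition,duration_s
2024-03-04T09:15:00,101,15145550100,ANSWERED,180
2024-03-04T14:02:00,102,15145550123,ANSWERED,65
2024-03-05T02:11:00,105,0114420555010,ANSWERED,2400
2024-03-05T02:13:00,105,0114420555011,BLOCKED,0
2024-03-05T02:14:00,105,0114420555012,BLOCKED,0
2024-03-05T02:40:00,105,19005550142,BLOCKED,0
2024-03-05T10:30:00,101,15145550177,ANSWERED,30
"""

def classify(dest):
    """Coarse destination class for a North American dial plan (assumption)."""
    if dest.startswith("011"):
        return "international"
    if dest.startswith("1900"):
        return "premium-900"
    return "domestic"

def review_cdrs(csv_text, open_hour=8, close_hour=18, max_calls_per_hour=2):
    """Return sorted (extension, reason) findings that deserve a manual look."""
    findings = set()
    per_hour = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ext = row["extension"]
        start = datetime.fromisoformat(row["start"])
        kind = classify(row["destination"])
        if not open_hour <= start.hour < close_hour:
            findings.add((ext, "after-hours call"))
        if kind != "domestic":
            findings.add((ext, f"{kind} destination"))
        # Blocked attempts matter too: they show what someone tried to dial.
        if row["disposition"] == "BLOCKED":
            findings.add((ext, "blocked attempt"))
        per_hour[(ext, start.strftime("%Y-%m-%dT%H"))] += 1
    for (ext, _hour), count in per_hour.items():
        if count > max_calls_per_hour:
            findings.add((ext, "call volume spike"))
    return sorted(findings)

if __name__ == "__main__":
    for ext, reason in review_cdrs(SAMPLE_CDRS):
        print(f"extension {ext}: {reason}")
```

An extension that collects several findings at once, as extension 105 does in the sample, is a candidate for disabling or a credential reset while the calls are investigated.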

High Availability and Disaster Recovery

Cloudli has implemented a redundant, high-availability and disaster recovery architecture.

Cloudli designed its service for high availability with core network elements deployed in redundant, scalable configurations. Failover strategies quickly deal with network device malfunctions or communication link breakdowns. For example, if an outbound route fails, Cloudli automatically re-routes the failed call to a functioning route. Cloudli achieves near-perfect outbound availability by use of different routes from multiple carriers.

Cloudli also provides its customers with the tools they need to guard against failures. As they deploy their own high-availability solution, customers can make use of Cloudli’s dual-path redundancy technology which allows them to register multiple devices with multiple registration points on the Cloudli network. The ‘Service Continuity’ feature provides customers with the ability to automatically redirect incoming calls to other destinations, should Cloudli be unable to reach their VoIP device for any reason.

While disasters happen rarely, it is important to realize that having a contingency plan in the event of a disaster gives Cloudli a competitive advantage. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service is considered. Disaster Recovery Plans are part of the business continuity planning at Cloudli. These describe the processes to recover IT Systems, Applications and Data from any type of disaster that causes a major outage. They include, but are not limited to, Emergency Response & Succession Plans, Data & Services Restoration Plans, Equipment Replacement Plans as well as media management plans and guidelines. These plans are practiced, tested, reviewed, and updated on an annual basis.