Trust & Safety
Security at Zonitel
Last updated: March 22, 2026
1. Our Commitment to Security
At Zonitel Solutions LLC, security is not an afterthought — it is a foundational principle that informs every aspect of how we design, build, and operate our cloud communications platform. We understand that our customers entrust us with their business communications and sensitive data, and we take that responsibility seriously.
Our security program is aligned with SOC 2 Trust Services Criteria, which provides a comprehensive framework for managing customer data based on five principles: security, availability, processing integrity, confidentiality, and privacy. We employ a defense-in-depth approach, implementing multiple, overlapping layers of security controls so that no single point of failure can compromise the integrity or confidentiality of your data. Our security posture is continuously evaluated, tested, and improved to address the evolving threat landscape facing cloud-based communications providers.
Security at Zonitel is a shared responsibility. We protect our infrastructure, platform, and the data we hold, while our customers are responsible for securing their own access credentials, configuring appropriate user permissions within their accounts, and ensuring their own networks and devices meet security requirements. We provide the tools and guidance to help our customers uphold their end of this shared responsibility.
2. Infrastructure Security
Zonitel's platform is hosted on enterprise-grade cloud infrastructure across geographically distributed, redundant data centers. Our architecture is designed to eliminate single points of failure and to maintain service availability even in the event of regional disruptions. Key infrastructure security features include:
- Geographic Redundancy: Our systems are replicated across multiple data center regions, enabling automatic failover and ensuring continuous service availability if one region becomes unavailable due to hardware failure, natural disaster, or network disruption.
- DDoS Protection: We deploy industry-leading distributed denial-of-service (DDoS) mitigation solutions that automatically detect and absorb volumetric and application-layer attacks, protecting the availability of our platform and your communications services.
- Network Monitoring: Our network operations center (NOC) monitors the Zonitel platform 24 hours a day, 7 days a week, 365 days a year. Automated alerting systems detect anomalies and route incidents to on-call engineers for immediate investigation.
- Segmented Architecture: Our infrastructure uses network segmentation and isolation to separate customer data environments and to limit the blast radius of any potential security incident. Production systems are logically isolated from development and staging environments.
- Redundant Connectivity: We maintain redundant internet connectivity through multiple tier-1 carriers, reducing the risk of service disruption due to carrier-level network issues.
3. Data Encryption
Zonitel protects your data through strong encryption at every stage of its lifecycle — whether it is being transmitted across networks or stored on our systems.
- Encryption in Transit: All web and API communications between your devices and Zonitel's platform are protected using TLS 1.2 or higher with strong cipher suites. Older, insecure protocol versions (SSL, TLS 1.0, TLS 1.1) are disabled. Voice communications are encrypted end-to-end using SRTP (Secure Real-time Transport Protocol) and SIPS (SIP over TLS).
- Encryption at Rest: All data stored on Zonitel's systems — including customer account data, call logs, message records, call recordings, and backups — is encrypted using AES-256 encryption. Database-level and storage-level encryption ensures data remains protected even in the unlikely event of physical media theft or unauthorized access to raw storage.
- Encrypted Backups: All backup data is encrypted using the same AES-256 standard and is stored in geographically separate locations from primary data to support disaster recovery objectives.
- Key Management: Encryption keys are managed through a dedicated key management system with strict access controls. Keys are rotated regularly and are never stored alongside the data they protect. Our key management practices follow industry-standard guidelines for cryptographic key lifecycle management.
4. Authentication & Access Control
Zonitel employs rigorous authentication and access control mechanisms to ensure that only authorized individuals can access the platform, customer accounts, and sensitive systems.
- Multi-Factor Authentication (MFA): MFA is available for all Zonitel customer accounts and is strongly recommended. When enabled, users must provide a second form of verification — such as a time-based one-time passcode (TOTP) via an authenticator app — in addition to their password. MFA is required for all Zonitel employee access to production systems.
- Role-Based Access Control (RBAC): Zonitel's platform supports granular, role-based access controls that allow account administrators to define what each user can see and do within the account. Roles can be customized to match your organization's internal permissions structure.
- Principle of Least Privilege: Both within Zonitel's internal systems and within the customer-facing platform, access is granted only to the minimum level necessary for each user's specific role and responsibilities. Administrative access to production systems is tightly controlled and monitored.
- Admin Audit Logs: All administrative actions performed within a Zonitel account — including user additions, permission changes, feature configuration, and settings modifications — are logged with timestamps and user attribution. Audit logs are retained and tamper-evident, supporting compliance and forensic investigations.
- Single Sign-On (SSO): Enterprise customers may integrate Zonitel with their existing identity provider (IdP) via SAML 2.0 or OAuth 2.0 for centralized identity management and single sign-on capabilities.
5. Call & Communications Security
The security and integrity of your business communications are central to our mission. Zonitel implements multiple layers of protection for voice, messaging, and fax traffic:
- SRTP Encrypted Voice: Voice calls are encrypted using SRTP (Secure Real-time Transport Protocol), ensuring that call audio cannot be intercepted and decoded by unauthorized parties in transit between endpoints and Zonitel's media servers.
- STIR/SHAKEN Compliance: Zonitel implements the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) caller ID authentication framework as required by FCC mandate. This technology digitally signs outbound calls to verify caller identity, reducing the risk that your numbers will be spoofed and helping protect your business reputation.
- Fraud Detection: Our platform employs automated fraud detection algorithms that monitor call patterns for anomalies indicative of account compromise, toll fraud, or unauthorized usage — such as sudden spikes in international call volume, unusual time-of-day activity, or calls to known high-risk destinations. Suspicious activity triggers automated alerts and may result in temporary holds pending customer verification.
- SIP TLS: SIP signaling is protected by TLS encryption, preventing eavesdropping or tampering with call setup and control messages between devices and Zonitel's SIP servers.
6. AI Data Handling
Zonitel offers optional AI-powered features including call transcription, sentiment analysis, keyword detection, and call coaching tools. The security of customer data used in these AI workflows is governed by strict controls:
- Secure Processing Environments: All AI processing — including transcription and analytics — is performed in isolated, secure computing environments that are logically and physically separated from other workloads. Data used for AI processing is not accessible to other customers.
- No Training on Customer Data: Zonitel does not use your call recordings, transcriptions, or any other customer content to train or fine-tune AI models without your explicit, written consent. Your data is your data.
- Data Minimization: AI workflows are designed to process only the minimum data necessary to produce the requested output. Intermediate data generated during AI processing is not retained beyond the processing session unless explicitly stored as part of the feature's output.
- Output Security: AI-generated outputs (transcripts, summaries, analytics reports) are stored with the same encryption and access controls as other sensitive account data and are accessible only to authorized users within your account.
7. Network Security
Zonitel's network security architecture is designed to defend against threats at every layer of the network stack. Our controls include:
- Enterprise Firewalls: Next-generation firewalls with deep packet inspection and application-layer filtering protect all entry and exit points of Zonitel's network infrastructure.
- Intrusion Detection and Prevention (IDS/IPS): Automated intrusion detection and prevention systems continuously analyze network traffic for signatures of known attacks and anomalous behavior, providing real-time blocking of identified threats.
- Vulnerability Scanning: We conduct regular automated vulnerability scans of internal and external-facing systems to identify and remediate security weaknesses before they can be exploited.
- Penetration Testing: Zonitel engages independent third-party security firms to conduct penetration testing of our platform and infrastructure on at least an annual basis. Critical vulnerabilities identified during testing are remediated within defined SLA windows.
- Web Application Firewall (WAF): All public-facing web applications and APIs are protected by a WAF that detects and blocks common web application attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
8. Physical Security
Zonitel's services run on data center infrastructure that maintains rigorous physical security controls:
- SOC 2 Type II Certified Data Centers: Our infrastructure is hosted in data centers that hold SOC 2 Type II certifications, providing independent attestation of the effectiveness of their security, availability, and confidentiality controls over time.
- Biometric and Multi-Factor Physical Access: Access to data center facilities is restricted to authorized personnel using multi-factor physical authentication, including biometric verification (fingerprint or iris scan), key cards, and PIN codes. Visitor access is strictly controlled and escorted.
- 24/7 On-site Security: Data center facilities are monitored by trained security personnel 24 hours a day, 7 days a week. Comprehensive CCTV surveillance covers all access points, server floors, and common areas, with footage retained per data center policy.
- Redundant Power and Cooling: Facilities maintain redundant uninterruptible power supply (UPS) systems, backup diesel generators, and N+1 redundant cooling infrastructure to ensure continuous operations in the event of utility failures or extreme environmental conditions.
9. Employee Security
Our people are a critical part of our security posture. Zonitel implements comprehensive personnel security measures to ensure that all staff who handle customer data do so responsibly:
- Background Checks: All Zonitel employees, contractors, and third-party personnel with access to production systems or customer data undergo pre-employment background screening, including criminal history, identity verification, and (where applicable) employment verification.
- Security Awareness Training: All staff complete comprehensive security awareness training at onboarding and at least annually thereafter. Training covers phishing recognition, password security, data handling best practices, social engineering, and incident reporting procedures.
- Confidentiality Agreements: All employees, contractors, and partners with access to confidential information are required to sign non-disclosure agreements (NDAs) covering customer data and Zonitel proprietary information.
- Access Revocation: Upon termination or role change, employee access to systems, applications, and customer data is revoked promptly — typically within the same business day. This includes deactivation of all credentials, VPN access, email accounts, and physical access badges.
10. Incident Response
Zonitel maintains a documented security incident response plan that defines the procedures for detecting, containing, investigating, and recovering from security incidents. Our incident response framework is designed to minimize impact and restore normal operations as quickly as possible.
- Breach Notification: In the event of a confirmed data breach affecting personal data, Zonitel will notify affected customers as quickly as reasonably practicable and, where required by law, will notify relevant regulatory authorities within 72 hours of becoming aware of the breach (as required by GDPR and other applicable regulations).
- Incident Triage: Security events are triaged by our security team according to severity, with critical incidents escalated to senior engineering and management immediately. Dedicated on-call personnel are available around the clock to respond to high-severity incidents.
- Post-Incident Review: Following the resolution of any significant security incident, Zonitel conducts a thorough post-incident review (PIR) to identify root causes, assess the effectiveness of our response, and implement improvements to prevent recurrence. Key findings from PIRs inform updates to our security controls and incident response procedures.
If you suspect a security incident or believe your account has been compromised, please contact our security team immediately at info@zonitel.com or call 833-966-4835.
11. Business Continuity
Zonitel's business continuity and disaster recovery (BC/DR) program is designed to ensure that our Services remain available and recoverable even in the event of significant disruptions. Our program includes:
- Recovery Objectives: We target a Recovery Point Objective (RPO) of less than 4 hours (meaning no more than 4 hours of data loss in a worst-case disaster scenario) and a Recovery Time Objective (RTO) of less than 2 hours (meaning service restoration within 2 hours of a declared disaster). These targets are validated through regular DR testing.
- Automated Failover: Our infrastructure is configured for automated failover between redundant systems. In the event of a primary system failure, traffic is automatically redirected to standby systems with minimal service interruption.
- Regular DR Testing: We conduct scheduled disaster recovery exercises at least annually, simulating various failure scenarios including infrastructure failures, data corruption, and regional outages. Results are used to validate and improve our recovery capabilities.
- Geographic Redundancy: Data and services are replicated across geographically separated data center locations, protecting against localized events such as natural disasters, power grid failures, or regional network outages.
12. Vulnerability Disclosure
Zonitel believes in the responsible disclosure of security vulnerabilities. We appreciate the efforts of security researchers and members of the community who identify and report security issues in our platform.
If you have discovered a potential security vulnerability in Zonitel's systems, services, or website, please report it to us promptly at info@zonitel.com. We ask that you:
- Provide a detailed description of the vulnerability, including the steps required to reproduce it.
- Avoid accessing, modifying, or deleting any customer data beyond what is necessary to demonstrate the vulnerability.
- Do not publicly disclose the vulnerability until Zonitel has had a reasonable opportunity to investigate and remediate it (typically 90 days).
- Act in good faith and avoid any actions that could disrupt Zonitel's services or harm its customers.
Zonitel commits to acknowledging receipt of your report within 48 business hours, keeping you informed of our investigation progress, and publicly crediting researchers who responsibly disclose valid vulnerabilities (if they wish to be credited). A PGP public key for secure communications with our security team is available upon request at info@zonitel.com.
13. Compliance
Zonitel's security and compliance program addresses applicable regulatory requirements across the telecommunications and data privacy landscape:
- FCC Regulations: We comply with all applicable FCC telecommunications regulations, including CPNI protection (47 C.F.R. Part 64), E911 service requirements, and network reliability standards.
- TCPA: Our platform includes built-in tools to assist customers with TCPA compliance, including opt-out management, consent tracking, and messaging controls.
- STIR/SHAKEN: Zonitel is fully compliant with FCC-mandated STIR/SHAKEN caller ID authentication requirements for combating illegal robocalling and caller ID spoofing.
- HIPAA-Ready: While Zonitel is not a HIPAA Covered Entity, our platform is designed to support customers operating in healthcare environments. Healthcare customers requiring HIPAA compliance may request a Business Associate Agreement (BAA). Please contact info@zonitel.com for more information.
- State Telecom Regulations: Zonitel holds all required telecommunications certificates and registrations in the states in which we operate and complies with applicable state-level regulations governing voice, messaging, and telecommunications services.
- PCI-DSS: Payment card processing is handled exclusively through PCI-DSS Level 1 compliant third-party processors, and Zonitel does not store cardholder data on its systems.
14. Third-Party Security
Zonitel recognizes that the security of our platform depends not only on our own practices but also on the security posture of the third-party vendors and service providers we engage. We manage third-party risk through the following measures:
- Vendor Security Assessments: All third-party providers with access to Zonitel's systems or customer data undergo a security assessment prior to engagement and periodically thereafter. Assessments evaluate their security controls, certifications, and compliance posture.
- Contractual Security Requirements: All subprocessors and vendors handling customer data are required to enter into data processing agreements (DPAs) that impose security, confidentiality, and data handling obligations consistent with Zonitel's own standards and applicable law.
- Subprocessor List: We maintain an updated list of subprocessors engaged in processing customer data. This list is available to customers upon request. We notify customers of material changes to our subprocessor list through our standard communication channels.
- Ongoing Monitoring: We continuously monitor subprocessors for security incidents, compliance status, and changes to their security posture that could affect our customers' data.
15. Contact the Security Team
For security inquiries, vulnerability reports, or questions about Zonitel's security practices, please reach out to our security team:
Zonitel Solutions LLC — Security Team
Security Email: info@zonitel.com
General Contact: 833-966-4835
14521 Old Katy Rd # 220, Houston, TX 77079
PGP public key available upon request for encrypted communications with our security team.
For privacy-related inquiries, please visit our Privacy Policy page or email info@zonitel.com. For legal matters, please review our Terms of Use.
