i360 Cloud Services - 3CX Privacy Statement

3CX Privacy Statement

This privacy policy, will explain how our organization uses the personal data we collect from you, while using 3CX WebMeeting. 3CX ensures it manages your personal data in line with the principles of Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as “GDPR”), the applicable local legislation as amended from time to time and any other legal and/or regulatory obligations and as such we are committed to use the minimal amount of data needed in order to provide reasonable functionality in 3CX WebMeeting. We will not disclose your information to any person outside our organisation, except as described in a separate policy section below.

What data we collect?

Our Company collects the following data:

Personal identification information (i.e. names, email address, meeting friendly names(vanity URL), PBX extension, PBX conference number, PBX WebMeeting Dial-In numbers, Meeting Title, Meeting Note, PBX IP Address)

How we collect your data?

We collect information in 2 ways: from the PBXs (Private Branch Exchange) syncing with the WebMeeting service, and from the use of WebMeeting.

PBX - WebMeeting Sync

The personal identifiable data are synced from your 3CX PBX to the webmeeting.3cx.net service upon activation to provide users with WebMeeting functionality. This sync occurs once you activate your PBX, and restart the 3CX System Service and re-synchronisation occurs every 8 hours. Whilst meetings are created on the PBX, they take place both on webmeeting.3cx.net and the appropriate MCU for each PBX. All data pertaining to a meeting must not only exist on the PBX but also be synced on webmeeting.3cx.net. For the reasons mentioned, the personal identifiable data below are required to be mirrored copied/synced from a user’s PBX to webmeeting.3cx.net

Personal identifiable data synced are shown below:

PBX IP - PBX IDENTIFICATION DATA

After activating your PBX, an activation request via WebMeeting API is sent to webmeeting.3cx.net. This request contains the PBX’s public IP and is required to be stored in the WebMeeting portal for the purpose of authenticating and allowing the PBX to use the full set of WebMeeting API’s and hence the full use of the WebMeeting platform’s features and capabilities.

PBX FQDN and WebMeeting FQDN - PBX IDENTIFICATION DATA

After activating your PBX, an activation request via WebMeeting API is sent to webmeeting.3cx.net. This request contains the PBX’s PBX FQDN and is required to be stored in the WebMeeting portal for the purpose of allowing the PBX to use the full set of WebMeeting API’s and hence the full use of the WebMeeting platform’s features and capabilities.

PBX License Key - PBX IDENTIFICATION DATA

After activating your PBX, an activation request via WebMeeting API is sent to webmeeting.3cx.net. This request contains the PBX’s License Key and is used for the purpose of authenticating and validating that the sender of this request is a valid 3CX customer as well as for the purpose of correctly setting the limitations and benefits attributed to this license key pertaining to the use of 3CX WebMeeting.

Extension Email - PBX USER IDENTIFICATION DATA

In order to provide users with the ‘Meeting Report’ functionality, the e-mail bound to each user’s extension is used as the receiving address received for all meeting reports this user will receive from meetings upon their conclusion. The email field is set as a requirement for the use of WebMeeting in order to ensure WebMeeting users receive their meeting reports and meeting cancellation notifications. In the case that an email is not specified in an extension, WebMeetings will not work for that extension until one is specified. Additionally, this email is required for the Quick Meeting feature of WebMeeting to work. A Quick Meeting is a user’s default meeting is created upon creating an extension on the PBX.

Meeting vanity URL name - PBX USER IDENTIFICATION DATA

In order to provide the vanity URL name functionality to WebMeeting admins and users, the friendly name (vanity name) entered in an extension’s field for said feature is synced with the WebMeeting portal and stored for each user. As the vanity URL name can contain contain any characters (names, emails, numbers, anything) it can be considered user identifiable data.

Extension First and/or Last Name - PBX USER IDENTIFICATION DATA

In order to provide users with the ‘Meeting Report’ functionality as well as ease of use of WebMeeting by automatically using the extension’s name as each user’s default meeting alias/name, the name and or last name bound to each user’s extension is used as the ‘Organizer Name’ in meetings this user creates and reports OR as a meeting participant’s name in internal meetings where this user has been invited via any 3CX Client software where he appears as a contact. In the case that neither a name nor last name are specified in an extension, WebMeetings will not work for that extension until one of the two is specified. Additionally, a Quick Meeting which is a user’s default meeting is created upon creating an extension on the PBX. In order for this Quick Meeting or default meeting to work correctly as well as for consequently created meetings, the name or last name is required for the previously stated reasons.

Extension Number - PBX USER IDENTIFICATION DATA

A user’s extension is stored in the WebMeeting Portal (webmeeting.3cx.net) along with the previously mentioned data in the previous paragraphs and serves as a way of ensuring the uniqueness of each user in the WebMeeting portal’s database as PBX extensions on 3CX Phone System are absolutely unique and only one of each can exist at any given time.

WebMeeting Use

Before and during the usage of WebMeeting certain data is required in order to deliver a full set of WebMeeting features to all users.

List of Personal identifiable data collected for this purpose and for what exact reasons:

Meeting Participant Names

Meeting Participant emails

Organizers can invite users from inside a WebMeeting by adding a user’s email in the appropriate fields. This data is stored as part of this meeting. After a meeting has ended, all users’ meeting names are stored in the WebMeeting Portal to be used as part of the organizer report.

Meeting Names

When a meeting is created, it is created on the user’s PBX and then synced instantly to webmeeting.3cx.net where it is served to anyone trying to access it via the URL automatically generated after the meeting’s creation. The meeting name is used in email invitations to participants or other meeting organizers for that meeting as well as in the meeting report and inside the meeting itself for informational purposes for the meeting participants.

Meeting Comments

Meeting Participant IPs

Participant IP’s are logged and stored for information purposes.

Uploaded files or Documents & Names Of

Files shared using the WebMeeting File Share functionality are temporarily stored on a server in a data center in Frankfurt.

File names are anonymized on upload and given a random name instead of their original name.

Polls

Polls are created and stored on the WebMeeting portal at webmeeting.3cx.net

Dial-In Data

When a meeting starts, the PBXs conference number and dial-in data from the user’s PBX is retrieved via a connection from the WebMeeting Portal & WebMeeting MCU(s) to the target PBX. If successful, the relevant section inside the active WebMeeting is populated with said data and is available only to meeting users with the ‘Organizer’ role assigned.

DATA PROCESSING AND HOW DO WE STORE YOUR DATA?

3CX securely stores your data in datacenters Google App Engine, Google Compute Engine, Google Storage, Google SQL, Google Redis and other Google services, OVH Hosting, Amazon AWS, Amazon Lightsail and ICTGlobe for hosting its platform and services. User data is securely stored in a Google Datacenter in Frankfurt accessible only via secure communication channels by authorized 3CX relevant systems and networks. Data processing occurs throughout all the above data centers.

3CX also ensures that all unnecessary user data is completely deleted from its active production service logs and database(s) within these timelines for each data type:

Recordings

User video and audio recordings are deleted after 7 days of the creation date of the recording.

PDF Share

Files uploaded via the PDF Sharing feature are available until the meeting in which this PDF is shared in is deleted or when the extension owning this meeting is deleted from the related PBX.

Meeting participant’s names

Participant names are used for displaying one’s alias or name in a meeting as well as for reporting purposes. After a meeting has ended, all users’ meeting names are stored in the WebMeeting Portal to be used as part of the organizer report. This data is stored for 7 days after the meeting was scheduled to take place. After this time has passed, this data is deleted automatically.

Meeting participant’s emails

Meeting names

Meeting comments

When a meeting is created, it is created on the user’s PBX and then synced instantly to webmeeting.3cx.net where it is served to anyone trying to access it via the URL automatically generated after the meeting’s creation. The meeting comments/notes (if any) are shown inside email invites and in the owner’s 3CX Webclient.

Meeting comments are deleted after 7 days from their respective meeting's scheduled date.

Meeting participant IPs are logged and stored

Participant IP’s are logged and stored for information purposes for up to 7 days after a meeting occurs after which point they are deleted via automatic cleanup.

File Share

Files uploaded via file sharing are deleted immediately after a meeting session finishes, i.e. when all participants have left a meeting / when the server-side meeting participant counter reaches 0. As an extra security measure to ensure all relevant uploaded files are deleted, further checks for possible leftover files from inactive sessions are triggered on each successive file upload.

Polls

Polls can be used between different meeting sessions of the same user and are only deleted from webmeeting.3cx.net once that user's extension is deleted from the PBX or when a user explicitly deletes that poll.

Meeting Reports

Meeting reports contain the amount of time a user was connected in TOTAL in a meeting as well as the amount of times the user reconnected to the meeting. These reports are synced from webmeeting.3cx.net to the user's PBX. Meeting reports are kept and automatically sanitized by removing ALL personal identifiable data, such as names and emails, every 2 months and again once a year for good measure. Before meeting reports have been sanitized, they are accessible by the platform admin or support staff with relevant access but with user identifiable data being partially redacted.

PBX Sync Data

All PBX Sync data such as: PBX IP, PBX FQDN and WebMeeting FQDN, PBX License Key, Extension Email, Meeting vanity URL name, Extension First and/or Last Name and Extension Number are stored only for the purpose of providing the features of the 3CX WebMeeting. This data is stored and kept only as long as the PBX transmitting this data is registered in the 3CX ERP and while this PBX can be resolved by the 3CX WebMeeting platform at least once every 29 days and while the PBX syncs the above data at least once every 59 days.

All The Above

All the above data is also deleted in the following cases:

When a PBX FQDN is unbound from its license in the 3CX ERP.
When a PBX fails to contact webmeeting.3cx.net for 60 concurrent days.
When a PBX FQDN DNS cannot be resolved by webmeeting.3cx.net for 30 days in a row.
When a 3CX employee deletes the above data manually or automatically

Historical Data

All historical data pertaining to meeting sessions are kept for up to 1 year for statistical and performance monitoring purposes. All such data is anonymized from personally identifiable information 2 months after it was gathered in order to make the data only usable for platform performance and other basic statistics gathering purposes. For service optimization purposes the above historical data will be deleted sooner than the 1 year mark. Such an event will be mentioned on status.3cx.net.

WebMeeting Server Logs

System logs for the MCU, Portal, File Share, Converter servers are retained for 7 days after which they are automatically deleted. In specific cases, the log retention period will be increased up to 1 month for general platform debugging, testing and performance tuning purposes.

3CX WebMeeting does not use cookies.

Statistical Information

3CX undertakes to apply discretion and caution when disclosing information for statistical purposes so as to guard against disclosing information by which users can be identified personally by any means whatsoever. Platform usage statistic data is anonymous.

=Data Integrity & Confidentiality

3CX employees associated with the WebMeeting platform are given access to information on a need to know basis. 3CX and brand representatives undertake to not disclose personal data where not reasonably necessary or reasoned. 3CX will take all appropriate legal, organizational and technical measures to protect the personal data of Users, site visitors, employees, agents, officers and end-users within or outside of 3CX with access to personal data will be held responsible for any privacy violations in terms of this Policy and, where appropriate, institute terminations of contracts and employment.

Notwithstanding the terms of this Policy set out above, you submit that 3CX may share public information and anonymized aggregated data when involved in a merger, acquisition or sale of company. You further submit by consenting to our data processing, that 3CX may retain personal information in back-ups for up to a year even after termination of the relationship between the latter party and the User or site visitor, unless erasure is otherwise requested.

Data Centers, Services, Security & Data Flow

3CX WebMeeting uses Google App Engine, Google Compute Engine, Google Storage, Google SQL, Google Redis and other Google services, OVH Hosting, Amazon AWS, Amazon Lightsail and ICTGlobe for hosting its platform and services. User data is securely stored in a Google Datacenter in Frankfurt accessible only via secure communication channels by authorized 3CX relevant systems and networks whilst data processing occurs throughout all the above data centers.

Privacy and Security followed by Datacenters

Amazon.com, Inc

https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4 & https://aws.amazon.com/compliance/ & https://aws.amazon.com/compliance/data-privacy/

Laws, Regulations, Coalitions, Certifications:

Argentina Personal Data Protection Law 25,326, California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA), Hong Kong Personal Data (Privacy) Ordinance (PDPO), GR 71, Act on the Protection of Personal Information (APPI), Personal Information Protection Act (Act No. 14839) (“PIPA”), Act on Promotion of Information and Communications Network Utilization and Information Protection, ETC (Act No. 16021) (“IT Network Act”) and Use and Protection of Credit Information Act (Act No. 16188) (“UPCIA”), Personal Data Protection Act 2010 (PDPA), Philippines Data Privacy Act 2012, Cloud Infrastructure Services Providers in Europe (CISPE), GDPR

Google LLC

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI & https://cloud.google.com/security/

Laws, Regulations, Coalitions, Certifications:

Cloud Computing Compliance Controls Catalog (C5), CSA STAR, Spain Esquema Nacional de Seguridad (ENS), FedRAMP, FIPS 140-2 Validated, HDS, HITRUST CSF, Higher Education Cloud Vendor Assessment Tool (HECVAT), Independent Security Evaluators (ISE) Audit, IRAP (Information Security Registered Assessors Program), ISO 27001, ISO 27017, ISO 27018, MTCS (Singapore) Tier 3, OSPAR, PCI DSS, SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c), SOC 1, SOC 2, SOC 3, TISAX, U.S. Defense Information Systems Agency Provisional Authorization, Argentina Personal Data Protection Law 25,326, Australian Privacy Principles (APPs), COPPA (U.S.), EU Model Contract Clauses, FERPA (U.S.), GDPR, HIPAA, My Number Act (Japan), The Personal Information Protection and Electronic Documents Act (PIPEDA), Sarbanes-Oxley Act (SOX), South Africa POPI

OVH US LLC

https://www.privacyshield.gov/participant?id=a2zt0000000L0ivAAC

https://www.ovh.co.uk/personal-data-protection/

ICTGlobe Management
https://ictglobe.com/privacy-policy & R.I.C.A, Regulation of Interception of Communications and Provision of Communication-related Information Act

-MCUs

3CX has proprietary software (MCU) running in the data centers around the world that it uses to forward video, audio and other signaling to and from users using 3CX WebMeeting. All video, audio and signaling is secured using standard methods of encryption that are constantly kept up to date as necessary. Transmitted video and audio data are only available within the relevant meeting session and accessible only to meeting participants i.e. Platform Admins and/or others do not have access to this data. Platform admins do have access to identifiable signaling data to troubleshoot platform issues on demand, monitor and ensure the smooth operation of the platform.

Recordings created during a meeting session are stored temporarily on the MCU and then transferred to a preferred converter in the same region OR a random one when the first step is not available OR to a random one set by the platform admin in case of conversion failure. In general, same region data transfer is preferred, but overridden only when necessary for failover purposes when no other options are available. These servers are hosted in Amazon, Google, OVH and ICTGlobe datacenters all around the world.

-PBX - MCU Geolocation

Upon installing, configuring and activating your 3CX PBX and consequently performing a PBX Sync with webmeeting.3cx.net, your PBX’s IP is geolocated and compared to a Geolocation Database where approximate coordinates are extracted. A closest MCU match is then performed on the WebMeeting Portal (webmeeting.3cx.net). The resulting MCU will be used as the default (Automatic) MCU for all users using WebMeeting from that PBX. If this MCU becomes unavailable or is deprecated, upon the next PBX sync or after a 3CX System Service restart, the next closest available MCU will be set as the user’s default (Automatic) MCU. Within the gap of 8 hours between the last MCU deprecation and the PBX sync, meetings taking place from users from this PBX are redirected to the closest available MCU to the PBX.

-Recording Converters

3CX has proprietary software running in the data centers it uses to convert raw meeting recordings to MPEG4 video format on the fly. Recording converters receive raw recordings from the MCU and convert it to MPEG4 video format. After this the recording is uploaded to Google Storage, given a complex public link and then consequently deleted from the recording converter. In rare cases where recording conversions can fail, the development team responsible for the WebMeeting project is automatically notified of the conversion failure and manually work is undertaken by a developer to identify the reason for the failure, perform a fix it on the converter itself and have the converter retry the conversion until it’s successful. Recordings will also be reviewed manually when support is requested for a specific WebMeeting and a meeting key pertaining to that WebMeeting or PBX FQDN and/or license key owning that meeting and recording are provided to a 3CX employee via the 3CX Forums or 3CX Support channel(s). These are hosted primarily in OVH, Amazon and Google datacenters.

-WebMeeting Portal

Data such as user emails, extension number, First and Last name, PBX FQDN, WebMeeting FQDN, PBX IP, connecting user IP’s, meeting names, meeting comments, poll names, poll questions, poll PDF reports, PDF shared files, PDF names are all stored here. The server and related databases currently run in a Google Datacenter in Frankfurt Europe.

=Granular Data Retention Timelines for WebMeeting Data

All of the above data is also subject to be deleted in the following cases:

When an organizer deletes a meeting or when the extension owning them is deleted or when a PBX’s FQDN continuously fails to resolve via DNS for 14 consecutive days or if the PBX fails to contact the webmeeting.3cx.net or 3CX Portal for 2 months or if the PBX FQDN is manually released.

3CX WebMeeting website contains links to other websites such as www.3cx.com. Our privacy policy applies only to our website, and not to any other websites that you would access. For the privacy policy for www.3cx.com, please follow this link: https://www.3cx.com/company/privacy/

CHANGES TO THE PRIVACY POLICY

3CX reserves the right to change their privacy policy at any time in order to be compliant with the governing laws . This privacy policy was last updated on 21/11/2019

How to contact us

If you have any questions about 3CX privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

-For more information, contact 3CX at:

Email: dpo@3cx.com

Phone no: +35722444032