Security & Compliance
Effective Date: September 10, 2025
At Reply.CX, security is not just a feature; it’s ingrained in our DNA. We go to great lengths to ensure the highest level of protection for your data, employing industry-leading practices, robust encryption, and stringent access controls. Your trust is our utmost concern.
Compliance & Certification
Reply.CX is designed to comply with the GDPR principles and is fully committed to them, ensuring that any personal data collected during interactions is handled with care and in accordance with regulations.
- Per Article 32 of the GDPR, we have in place appropriate technical and organizational measures to keep your data secure.
- All data is securely stored in Google Cloud Platform (GCP). [GCP Security Page]
- Reply.CX does not sell any contact data collected on behalf of the user or market Reply.CX’s services to the user’s website.
- Categories of data we collect:
  - Contact information (Name, Email, Phone, Company Name)
  - IP address
  - Cookie data
We have in place Data Processing Agreements (DPAs) with all vendors and sub-processors. [List of subprocessors available below.]
- Data Erasure Requests: Submit a ticket at help.reply.cx or email support@reply.cx.
- Privacy Inquiries: Contact privacy@reply.cx directly.
Certifications
SOC-2 Type 2 Certified
Our platform undergoes regular independent audits to assess its security controls, availability, and processing integrity.
[View report]
ISO27001
Covers the information security management system for our platform, validating:
- Comprehensive security controls
- Risk assessment processes
- Continuous improvement practices
- [View report]
HIPAA
Reply.CX ensures full compliance with HIPAA for safeguarding protected health information (PHI).
- Encryption, secure access controls, and regular audits safeguard sensitive healthcare data.
- Enables compliant workflows for healthcare organizations.
- [View report]
GDPR
Full compliance with the General Data Protection Regulation (GDPR):
- Encryption, secure storage, and defined processing practices
- Transparency in collection, storage, and usage
- Features like data access, deletion, and rectification requests
- [View report]
CCPA Compliance
For clients and users in California, Reply.CX is fully compliant with the California Consumer Privacy Act (CCPA).
- Data erasure requests: help.reply.cx or support@reply.cx
- Questions: privacy@reply.cx
Policies and Procedures
We have implemented a comprehensive set of security policies, covering:
- Acceptable Usage Policy
- Business Continuity Policy
- Code of Business Conduct Policy
- Data Backup Policy
- Data Retention Policy
- Encryption Policy
- Incident Management Policy
- Media Disposal Policy
- Physical Security Policy
- Vendor Management Policy
- Access Control Policy
- Change Management Policy
- Confidentiality Policy
- Data Classification Policy
- Disaster Recovery Policy
- Endpoint Security Policy
- Information Security Policy
- Password Policy
- Risk Management Policy
- Vulnerability Management Policy
Additional policies are available to customers under NDA.
Business Continuity Policy
- Annual testing of the BCP by the CTO
- Redundancy measures and failover mechanisms
- Retrospectives after enactment to improve playbooks
Disaster Recovery Policy
- Annual testing of the DRP by the CTO
- Plans to quickly restore functionality and data
- Regular backups, off-site storage, failover systems
Availability Policy
- Proactive monitoring, load balancing, and scalability
- High service availability during peak usage
- Status updates: status.reply.cx
Infrastructure Security
- Firewalls, intrusion detection systems, vulnerability assessments, and audits
- Hosted on Google Cloud Platform (GCP), accredited under:
  - ISO 27001
  - SOC 1 and SOC 2/SSAE 16/ISAE 3402
  - PCI Level 1
  - FISMA Moderate
  - SOX
Strict access controls: biometric authentication, video surveillance, and office access restrictions.
Firewall
- Robust firewall services provided by GCP
- Filters traffic based on predefined security rules
Penetration Testing
- Regular testing by certified professionals
- Simulated real-world attacks to identify vulnerabilities
- Enterprise customers may request summary reports
Third-Party Audit
- Independent assessments by reputable firms
- Findings are risk-ranked and assigned for remediation
- SOC-2 audit summaries available upon request
Application Security
Two-Factor Authentication (2FA)
- Combines password + unique code sent to device
- Strongly reduces risk of unauthorized access
Static IPs
- Stable, fixed IP addresses for secure connections
- Restricts access to trusted IPs only
Software Development Lifecycle (SDLC)
- Quarterly security audits, code reviews, and penetration tests
- Continuous improvement of application resilience
Single Sign-On (SSO)
- SAML-based SSO available for Enterprise customers
- Enhances identity management and user authentication
Data Security
Data Storage
- Stored on GCP with advanced security standards
- Access limited to authorized personnel
- 24/7 monitoring, backup power, fire detection systems
Data Encryption
- SSL for data in transit
- TLS 1.2 with AES 256-bit encryption between services
- Strong encryption algorithms
- Vaults for passwords and tokens, rotated regularly
Connection via SSL
- All Reply.CX services operate exclusively over SSL
- Ensures data confidentiality and integrity
Data Retention
- Conversations stored for a maximum of 12 months
- Automatically deleted after retention period
- Requests: support ticket or email support@reply.cx
Data Subprocessors
- Data shared only with trusted sub-processors for customer service
- Diligence process ensures stringent data safety standards
- DPAs in place with all sub-processors
- Subprocessor updates shared with users for review
- List of subprocessors available upon request