8x8 Security and Compliance Assurance Packet
Prepared by the 8x8 Security Team | April 2025 | Version 4.0
Welcome
Welcome to 8x8! 8x8 connects people and organizations through seamless communication on the industry's most integrated platform for Customer Experience, combining Contact Center, Unified Communication, and CPaaS APIs. Recognized as a leader in Gartner's Magic Quadrant for UCaaS and CCaaS for consecutive years, 8x8 empowers businesses with strong, strategic partnerships.
8x8 is proud of its best-in-class information and cybersecurity framework, reflecting continuous investment in leading technologies and thought leadership. Independent evaluation and certification against international compliance frameworks demonstrate a commitment to providing services that set the benchmark for trust, integrity, and reliability.
This Security and Compliance Assurance Packet provides comprehensive information regarding the technologies, supporting processes, and certifications that affirm 8x8's commitment to protecting customer data, driving confidence and transparency in its security strategies, and supporting customers in achieving their regulatory obligations.
Darren Remblence
Chief Information Security Officer
8x8, Inc.
Why 8x8?
The 8x8 Experience Communications Platform™ is the first and only true XCaaS platform, optimizing omnichannel customer experience with data-driven insights and enabling robust employee engagement for a work-from-anywhere world. 8x8 XCaaS bridges UCaaS and CCaaS to help organizations deliver modern communications experiences that drive revenue, cut costs, and optimize operations.
Secure & Compliant
8x8 protects businesses with stringent security requirements for data security, privacy, and compliance, verified by third-party certifications.
Integrated
An integrated platform provides the highest reliability, security, and value, bridging employee and customer experience gaps. The 8x8 XCaaS platform unifies contact center, voice, video, chat, and APIs on a single cloud-native platform.
Reliable
The 8x8 Experience Communications Platform™ is designed for high availability, delivered from top-tier, redundant, geographically diverse cloud locations. It utilizes patented Global Reach™ technology and built-in software intelligence to mitigate common cloud communication challenges. The platform offers a financially-backed, platform-wide 99.999% uptime SLA across UCaaS and CCaaS.
Insightful
From call activity reporting to AI-driven speech analytics, 8x8's ability to analyze communication data provides unique insights that drive productivity improvements, cost savings, and revenue growth.
Message from 8x8 Security and Compliance
Built on the 8x8 Experience Communications Platform™, 8x8 addresses new business needs with a single-vendor, integrated, cloud-native platform for contact center, voice, team chat, meetings, and CPaaS. XCaaS advances customer EX and CX-focused communications, collaboration, and engagement.
The 8x8 Platform Offers:
- 8x8 Contact Center: Omnichannel solution for voice and digital channels, including conversational AI for self-service and Workforce Engagement Management applications.
- 8x8 Work: Enterprise-grade PBX features, SMS/MMS, internet fax, end-to-end encrypted video meetings, 1-1/team chat, and robust analytics. Supports over 100 countries.
- 8x8 Communications Platform as a Service (CPaaS): Cloud-based infrastructure to integrate real-time communications (SMS, chat, voice, video) into applications, websites, and workflows via APIs.
8x8 also offers unified administration for license management, number porting, provisioning, and configuration, along with integrations for over 40 popular business apps like Microsoft Teams and Salesforce.
Security Foundations
System Hardening
8x8 designs its XCaaS platform to meet regulatory commitments, laws, and standards, following NIST guidelines and CIS hardening standards.
Encryption
All subdomains and IPs require Transport Layer Security (TLS) 1.2 or above. Key length requirements are reviewed annually. Technical and operational requirements are maintained for system design.
Network
8x8's network design emphasizes interconnectivity and perimeter security using policy enforcement points (PEPs) and firewalls. The XCaaS architecture utilizes segmentation for Confidentiality, Integrity, and Availability monitoring.
Cloud Storage
The XCaaS environment leverages Amazon Web Services (AWS) and Oracle Cloud Infrastructure (OCI) for its technology stack, using services like Load Balancers, VPCs, EC2, S3, Route53, CloudWatch, CloudTrail, and GuardDuty. Connectivity between cloud providers is managed by Megaport and secured by VPNs.
Data Centers
Data centers and points-of-presence are globally distributed to accommodate processing capacity and data jurisdiction. Internet connectivity is provided by multiple ISPs. Connectivity between 8x8 offices and data centers, and between data centers and cloud environments, is secured via IPSEC VPNs and dedicated routes.
Cyber Insurance Coverage
8x8 Inc. recognizes the importance of managing cybersecurity risks. Comprehensive cyber insurance coverage provides financial protection against data breaches, cyber extortion, business interruption, and network damage. This policy is tailored to the tech industry, aligning with best practices and regulatory requirements, underscoring 8x8's commitment to trust and reliability.
Certificate of Liability Insurance Summary:
Insured: 8x8, Inc.
Producer: Aon Risk Insurance Services West, Inc.
Insurers: American Guarantee & Liability Ins Co, American Zurich Ins Co, Columbia Casualty Company, Fortegra Specialty Insurance Company.
Policy Period: 07/01/2024 - 07/01/2025
Type of Insurance | Policy Number | Limits |
---|---|---|
Commercial General Liability | CPO 0926405 | $1,000,000 Each Occurrence / $2,000,000 Aggregate |
Automobile Liability | CPO 0926405 | $1,000,000 Combined Single Limit |
Umbrella/Excess Liability | AUC188579305 | $20,000,000 Aggregate |
Workers Compensation and Employers Liability | WC092640305 | $1,000,000 Each Accident / $1,000,000 Disease-Each Employee / $1,000,000 Disease-Policy Limit |
8x8's 3rd Party Validations
PCI Data Security SAQ D
The Payment Card Industry Data Security Standard (PCI DSS) outlines security requirements for handling credit card information. 8x8's XCaaS services have been reviewed by a Qualified Security Assessor (QSA) and assessed as PCI compliant.
HIPAA Security Rule Compliance
The Health Insurance Portability and Accountability Act (HIPAA) protects Personally Identifiable Information (PII) in the healthcare industry. 8x8's controls were assessed for SOC 2 Type 2 compliance and mapped to HIPAA requirements by A-LIGN, confirming that 8x8's environment protects HIPAA data.
HIPAA Ref | HIPAA Regulation | SOC 2 Criteria ID | Control Activity Specified by the Service Organization |
---|---|---|---|
164.312 (e)(1) | Transmission security: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. | CC6.1; CC6.6; CC6.7 | VPN, TLS and other encryption technologies are used for defined points of connectivity. Server certificate-based authentication is used as part of the TLS encryption with a trusted certificate authority. Mobile devices are protected through the use of secured, encrypted connections. |
164.312 (e)(2)(i) | Integrity controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. | CC6.1; CC6.6; CC6.7 | VPN users are authenticated via multi-factor authentication prior to being granted remote access to the system. VPN, TLS and other encryption technologies are used for defined points of connectivity. Server certificate-based authentication is used as part of the TLS encryption with a trusted certificate authority. Mobile devices are protected through the use of secured, encrypted connections. |
164.312 (e)(2)(ii) | Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate. | CC6.1; CC6.6; CC6.7 | VPN users are authenticated via multi-factor authentication prior to being granted remote access to the system. VPN, TLS and other encryption technologies are used for defined points of connectivity. Server certificate-based authentication is used as part of the TLS encryption with a trusted certificate authority. Data is stored in an encrypted format using software supporting SSE-S3. Mobile devices are protected through the use of secured, encrypted connections. |
When properly configured, 8x8 products and services are HIPAA compliant.
HITRUST
HITRUST is a framework that meets multiple regulations and standards for organizations handling sensitive data. 8x8's controls were assessed for SOC 2 Type 2 compliance and mapped to HITRUST requirements by A-LIGN, validating that the environment protects data.
HITRUST CSF Control | COSO Principle 1: Integrity and ethical values | COSO Principle 2: Board independence and oversight | COSO Principle 3: Management structures and objectives | COSO Principle 4: Competent individuals | COSO Principle 5: Internal control responsibilities |
---|---|---|---|---|---|
00.a InfoSec Management Program* | |||||
01.a Access Control Policy | |||||
01.b User Registration* | |||||
01.c Privilege Management* | |||||
01.d User Password Management* | |||||
01.i Policy on Use of Network Services | |||||
01. User Auth for Ext. Connections* | |||||
01.k Equip Ident. in Networks | |||||
01.l Remote Diagnostic & Config Port Protection* | |||||
01.m Segregation in Networks* | |||||
01.o Network Routing Control | |||||
01.q User Identification and Authentication* | |||||
01.s Use of System Utilities | |||||
01.w Sensitive System Isolation* | X | ||||
02.a Roles and Responsibilities* | X | ||||
02.b Screening | X | ||||
02. Terms and Conditions of Employment* | |||||
02.d Management Responsibilities* | X | ||||
02.e InfoSec Awareness, Education, and Training* | X | X | X | X | X |
Cyber Essentials Plus
Cyber Essentials Plus is a UK government-backed scheme providing basic security controls against common cyber attacks. 8x8 has successfully completed a Cyber Essentials Plus security assessment.
Certification: Cyber Essentials Plus
Organization: 8x8 UK Limited
Assessor: Chris Mcgee
Certificate Number: 053ec56b-dd8d-435-8720-894373c6f25c
Profile Version: 3.1 (Montpellier)
Scope: Whole Organisation
Date of Certification: 2025-01-17
Recertification Due: 2026-01-17
SOC 2 Type 2
System and Organization Controls (SOC) reports validate internal controls. 8x8's XCaaS services have been reviewed by a Qualified Security Assessor (QSA) and passed a SOC 2 Type 2 audit.
Certification: SOC 2 Type 2
Organization: 8x8, Inc.
Examination Period: September 1, 2023 to August 31, 2024
Auditor: A-LIGN
ISO 27001 / ISO 27017
ISO 27001 is an international standard for Information Security Management Systems (ISMS). 8x8 is compliant with ISO 27001:2022, incorporating ISO 27017:2015 controls.
Certification: ISO 27001:2022 and ISO 27017:2015
Organization: 8x8 Inc.
Certification Body: Alcumus ISOQAR
Certificate Number: 13884-ISMS-001
Scope: Information Security Management System (ISMS) governing the design, deployment, and operation of cloud-based unified communication and Fuze product services globally.
Current Expiry Date: 30/10/2027
FISMA / NIST SP 800-53 R5
NIST Special Publication 800-53 provides security and privacy controls for federal agencies. 8x8 is NIST SP 800-53 R5 compliant at the FISMA Moderate level, as assessed by a Qualified Security Assessor (QSA).
Assessment: FISMA Moderate Policy and Procedure assessment
Organization: 8x8
Auditor: A-LIGN
Assessment Period: September 23, 2024 - October 11, 2024
Findings: Verified 8x8's Federal Information Processing Standards Publication (FIPS) 199 to ensure Moderate was the appropriate system categorization. Reviewed 212 artifacts.
Cyber Trust mark
The Cyber Trust mark is a cybersecurity certification from the Cyber Security Agency of Singapore (CSA) for organizations with extensive digital business operations. 8x8 is CSA Cyber Trust mark (Advocate Level) certified.
Certification: CSA Cybersecurity Certification - Cyber Trust Mark (2022) at Advocate Tier
Organization: 8X8 INTERNATIONAL PTE. LTD.
Certification Body: TÜV SÜD PSB Pte Ltd
Scope: Information Security Management for the Design, Development, Deployment, and Operation of Cloud-Based Communications Platform As A Service from 8x8 Head Office in Singapore.
Validity: 2025-06-16 to 2028-07-26
ISO 9001
ISO 9001 sets requirements for quality management systems. 8x8 offices in the UK are compliant with ISO 9001:2015.
Certification: ISO 9001:2015
Organization: 8x8 UK Ltd
Assessed by: The Certification Group
Scope: Quality Management System for the deployment, operation and support of cloud based unified communication services from 8x8 head office.
Certificate Expiry Date: 12/03/2026
ISO 14001
ISO 14000 provides standards and guidelines for environmental management. 8x8 offices in the UK and Paris are compliant with ISO 14001:2015.
Certification: ISO 14001:2015
Organization: 8x8 UK Ltd
Assessed by: The Certification Group
Scope: Environmental Management System for the design, deployment and operational support of cloud-based unified communication services from 8x8 offices in the UK and France.
Certificate Expiry Date: 24/08/2026
NHS-DSPT
The NHS Data Security and Protection Toolkit (DSPT) is a framework for organizations working with the NHS. 8x8 has completed a Data Security and Protection Toolkit self-assessment and is deemed to exceed the required standards.
Framework: NHS Data Security and Protection Toolkit (DSPT)
Organization: 8X8 UK LIMITED
Assessment Status: Standards exceeded
Publication Date: 26 June 2024 (valid to: 30 June 2025)
For more information, visit www.dsptoolkit.nhs.uk.
Strengthening Security with 8x8's Bug Bounty Program
Since January 2020, 8x8 has partnered with a third-party Bug Bounty program to proactively identify and address potential vulnerabilities across its platforms (8x8 Work, Contact Center, CPaaS, and Jitsi). This program leverages a global network of ethical hackers and security researchers to enhance in-house security efforts and third-party penetration testing. By offering monetary rewards, 8x8 reinforces its commitment to continuous improvement and strengthens its security posture against evolving cyber threats.