A Appropriate Security Required by Data Privacy Regulation
To avoid data breaches and to limit the exposure in the event of a data breach, privacy regulation requires several security measures, such as data minimization, encryption, and others. Oracle Communications Security Shield Cloud Service(Security Shield)
Table A-1
| Security and Data Privacy Measures | Description |
|---|---|
| Data minimization | Security Shield processes only header information from SIP INVITE and BYTE messages and considers only information in the call signaling, such as phone numbers and IP addresses. |
| Deletion of Security Shield end-user data | Security Shield removes call data from
the tenant when the service contract expires and you do have not or do
not plan to renew the service.
Security Shield automatically removes (destroys) personal information in the call data stored by Security Shield after 30 days. |
| Deletion of Security Shield customer data at contract term end or termination | Security Shield, along with other Oracle cloud services, utilizes Oracle Identity Cloud Service (IDCS) for subscribers to manage their user access accounts and security features. Subscribers must manage any IDCS access deletions. |
| End-user Data Access Request | Regarding end-users, Security Shield
collects only the end-user's phone number, name, and IP addresses. Each
entry is stored for a period of 30 days.
Using the Analysts reports the you can find all records for a given phone number, noted in the third URL. |
| End-user request for correction and deletion for individual end-user data records | You can modify the related configuration through the Security Shield Dashboard and you can put an
end-user's phone number on an allow-list using the Access Control list
capability as noted in the second URL.
You cannot delete individual entries, as noted in the first URL. |
| Right to be Forgotten | Neither you nor Oracle can delete an end-user's phone number from the Security Shield tenant data. When the Security Shield tenant does not see a phone number for 30 days, it automatically removes the tenant data. |
| Support multi-factor and Single Sign On authentication | Oracle Identity Cloud Service (IDCS), which is utilized by Security Shield, supports the ability to require Multi-FactorAuthentication as well as federated identity. |
| Anonymization and Pseudonymization | The personal information processed by Security Shield is not anonymized or pseudonymized. Security Shield requires the phone numbers to be available in call signaling. Device identifier and IP address may be used as well. No other personal information is collected or stored. |
| Masking | Security Shield masks phone numbers when added to Security Shield microservices logs. You cannot access these logs. |
| Truncation | Security Shield truncates the numbers on an Oracle managed caution list. These numbers typically reflect high cost destination or high risk destinations such as so-called Premium Rate Service Numbers, for example, 900 numbers in the U.S. |