Appropriate Security Required by Data Privacy Regulation
To avoid data breaches and to limit the exposure in the event of a data breach, privacy regulation requires several security measures, such as data minimization, encryption, and others.
The following table lists the security and privacy measures that Oracle® Session Delivery Management Cloud (Oracle SDM Cloud) employs to comply with data security regulations.
| Security and Data Privacy Measures | Description |
|---|---|
| Data minimization | Oracle SDM Cloud does not manage or process the phone numbers, IP addresses, or device ID. For recent calls, this data is fetched from the user's Network Functions (NF) on customer premises for viewing and diagnostic purposes. For managing call flow routing, the user can create local route tables (LRT) and add the phone numbers to specify routing policies. Oracle SDM Cloud only provides the editor to manage the files but does not do any further processing of this data. |
| Deletion of Oracle SDM Cloud end-user data | Oracle SDM Cloud removes call data
from the tenant when the service contract expires and you do have
not or do not plan to renew the service.
Oracle SDM Cloud automatically removes (destroys) personal information in the call data stored by Oracle SDM Cloud after 30 days. |
| Deletion of Oracle SDM Cloud customer data at contract term end or termination | Oracle SDM Cloud, along with other Oracle cloud services, utilizes Oracle Identity Cloud Service (IDCS) for subscribers to manage their user access accounts and security features. Subscribers must manage any IDCS access deletions. |
| End-user Data Access Request | Regarding end-users, Oracle SDM Cloud does not collect the end-users' phone numbers or IP addresses. This information is retrieved from NFs by the user when processing diagnostics. Oracle SDM Cloud does store the end-users' phone numbers and IP addresses that the customer can use in creating the LRT tables to manage call flows through their networks to provide end-users with Quality of Service (QoS). The LRTs are owned and managed by the user. |
| End-user request for correction and deletion for individual end-user data records | You can create, modify, and delete the phone numbers and IP addresses used to specify routing policies using the Route Manager when you have access control list privileges to do so. You can only view phone numbers and IP addresses in recent calls if you have the correct access control list privileges. |
| Right to be Forgotten | For Recent Call Data, neither the user nor Oracle can delete an end-user's phone number from the Oracle SDM Cloud tenant data. For LRTs, the user owns the LRT creation and can create, modify, and delete phone numbers and IP addresses for LRT. The user controls the retention policies for LRT. Oracle does not manage the LRT data. |
| Support multi-factor and Single Sign On authentication | Oracle Identity Cloud Service (IDCS), which is utilized by Oracle SDM Cloud, supports the ability to require Multi-FactorAuthentication as well as federated identity. |
| Anonymization and Pseudonymization | The personal information processed by Oracle SDM Cloud is not anonymized or pseudonymized. Oracle SDM Cloud provides the ability to view recent calls that have phone numbers and IP addresses for the purpose of diagnostics. Oracle SDM Cloud also allows you to create, modify, and delete phone numbers and IP addresses for the purpose of defining routing policies for call flows, all of which the user owns. |
| Masking | Oracle SDM Cloud does not add phone numbers or their associated IP addresses to Oracle SDM Cloud micro services logs. |
| Truncation | Oracle SDM Cloud does not process the phone numbers or IP addresses. The user owns and is responsible for truncating numbers in a managed caution list on either the NFs in their network or in routes the user creates to control call flows under Route Manager. |