Customer experience FAQs

Read our FAQs below for insight into the Blackchair platform and how it works.

What technology languages/platforms are utilized in the application? 

We use several components to optimize each part of the Blackchair platform.

Does the Blackchair platform operate on-premise or on the cloud?

The Blackchair solution can be customized to run on the cloud, on-premise or a combination of both, depending on how you want to run the setup.

What cloud providers do you use to support your services?

Our clients require consistent, high-quality performance, so we work with only the best cloud providers - Amazon, Google, and Microsoft.

What security practices are you following?

We have researched the best security practices recommended by Amazon, Google, and Microsoft and built our data policies around these security practices.

What countries are you deployed in, if any?

We are not restricted to any country, geography or data center; we operate based on our client's requirements.

Do you offer an on-premise solution for your customers?

Yes, on-premise is an option available for clients who want it, alongside our cloud deployment offerings.

When was your most recent application code review or penetration test conducted by a third party?

Our most recent code review took place on 9th May 2023.

What methodology do your penetration tests follow?

Our penetration test assessments follow methodologies like ISSAF and PTES.

Do you require personal data? If so, can you describe what you need?

No, Blackchair does not require or carry any personal company data for services rendered.

How does your organisation decide who does and does not have access to data?

We follow the purview of the client's administrator controls. However, it is important to repeat that we do not request any sensitive data from our clients.

Which class of employees have access to personal data - full-time staff or third-party contractors?

No, we do not have any access to personal or sensitive data because we do not request that kind of information from our clients.

Do you keep sensitive data in hard copy? If so, please describe.

No, we do not request any sensitive data or store it in hard or soft copy.

What are the processes for taking out customer data?

We do not store any customer data.

Do you have an internal password policy?

Yes, we have a strict internal password policy.

Do you have complexity or length requirements for passwords?

Yes, at least 7 characters, with one uppercase, one lowercase and a special Unicode character.

Do you hash passwords? If so, please describe how passwords are hashed.

We encrypt passwords using both the Advanced Encryption Standard (AES) and the Rijndael encryption algorithm.

Can your employees/contractors remotely connect to your production systems? (i.e. VPN)

If the system runs on-premise, then production systems are accessible through a desktop share session supervised by your staff. If the system runs in the cloud, then access is only possible via a desktop share session supervised by staff. However, if the system runs in a cloud managed by Blackchair, we will connect to the system for support activities only.

Can third-party vendors access your customers' information? If so, please list the vendors who access your customers' information.

No, third-party vendors cannot access customer systems and information. 

How often do you review your information security policies?

We review and update our information security policies once a year.

What actions do you take to protect against security risks?

We have security management support and a security management forum to help take action on security risks.

Are your information security and privacy policies aligned with industry standards?

Yes, our policies are in line with industry standards like ISO-27001, NIST Cybersecurity Framework, ISO-22307, and CoBIT.

Do you have an option that allows for an exception in extenuating circumstances?

We have a policy exception process to better support our clients.

Do you have disciplinary procedures in place for employees who violate policies?

Yes, we follow a formal disciplinary or sanction process for employees who violate security procedures. 

Do you conduct background checks on your employees?

Yes, all our employees - including third-party contractors - are subject to background verification.

Are all personnel required to sign confidentiality agreements to protect customer information, as a condition of employment?

Yes, all personnel must sign a confidentiality agreement as part of their contract.

Are all personnel required to sign an Acceptable Use Policy? Please attach the policy.

Yes, all employees need to sign a user policy.

How would you handle a change in employment status or a termination?

Following a change in employment status or a termination, our process includes timely revocation of access and return of assets.

Do internal or third-parties perform network security?

Our network security testing is performed by third-party organizations.

What is your timeframe for patching critical vulnerabilities?

What is your timeframe for patching critical vulnerabilities?

Describe the tools you use for vulnerability management.

Our third-party penetration testers use all the tools necessary to conduct a detailed, comprehensive test.

Do you have application vulnerability management processes and procedures in place? If so, what are they?

Yes, we have processes and procedures in place for application vulnerability management. Our third-party penetration testers must follow these procedures when conducting an application vulnerability test.

Do you use tools for application vulnerability management? If so, please detail the tools you use for application vulnerability management.

Our third-party penetration testers use all the tools necessary when managing application vulnerabilities.

Do you regularly evaluate patches and updates for your infrastructure?

Not applicable.

What systems do you use to mitigate classes of web application vulnerabilities? (for example: WAF, proxies, etc.)

We have several systems in place to help mitigate the different attacks on web applications. Some of the procedures include, but are not limited to, input validation, proxied DB access, parameterized queries, and escaping.

Have you uniformly configured the host where the service is running?

Yes, we have uniformly configured the hosts.

How many engineers/operations staff review changes to the production environment?

Yes, we make sure that any changes made to the production environment are reviewed by two engineers.

Are all security events production logged?

Yes, all security events - authentication events, SSH session commands, privilege elevations - are production logged.

What is your process for making changes to the network configuration regularly?

No, we do not make changes to the network configuration regularly.

How do you protect network traffic travelling from public networks to the production infrastructure?

Yes, any network traffic going through the production infrastructure uses cryptographically encrypted connections like TLS, VPN, IPsec, etc.

What measures do you take to protect network traffic over public networks and production infrastructure?

We use the AES-128 cryptographic framework to store passwords.

How do you monitor the network for potential security vulnerabilities and threats that may affect your service?

We use several procedures to monitor potential vulnerabilities that may affect service. Some of these procedures include static code analysis and subscribing to updates in third-party libraries.

What process do you have for logging all security events?

We maintain a log of all security events. When an event is flagged we will log in and conduct an internal review.

Do you have a Security Incident Response Program in place?

Yes, we have a Security Response Program. When a security breach occurs, the incident is logged in our incident management system. We will then investigate the breach and take remedial action, if necessary.

Do you test your Incident Response Plan? If so, please describe how it is tested.

We have an incident response plan in place. We simulate security incidents and study how the incident management team responded.

Do you have a formal service level agreement (SLA) for incident response?

Yes, we have prepared a formal service level agreement, specifically for incident responses.

What are your criteria for notifying clients about incidents related to security? Do the SLAs mention the terms of the notification?

In the event of a security breach, our incident management system will automatically notify customers to minimize downtime when giving out alerts.

Do you do static code analysis?

Yes.

What processes do you have in place to ensure code is developed securely?

A set of tools is used to perform static code analysis securely. In case of a vulnerability, the results will be selected for further analysis and broken down by source code language, issue type, and priority.

Do you incorporate threat modeling into the design phase of development? What are the processes involved?

Yes, the threat modeling is part of our agile process. When the system changes, we measure the security impact those changes might have during a sprint/feature build.

Do you train developers in SSDLC/ Secure Coding Practices?

Yes, we train developers in Secure Coding Practices, especially those who are doing code reviews, architecture analysis, and design reviews.

What percentage of your production code is covered by automated tests?

A set of tools is used to perform static code analysis securely. In case of a vulnerability, the results will be selected for further analysis and broken down by source code language, issue type, and priority.

What system do you have in place to validate build artifacts from promotion to production?

We have a pre-production system to validate build artifacts for promotion and production.

Do you maintain a bill of materials for third-party libraries or code in your service?

Yes, we maintain a bill of materials for third-party libraries or code.

Do you outsource development to third-parties or is there open source project inclusion?

Yes, we contract third-parties on certain projects.

What types of security reviews do you perform on custom-built software?

We perform different security reviews on custom-built software, including code reviews, QA, mixed team development, and in-house testing.

What is the process for authenticating users?

The method of authenticating users changes based on whether the system is integrated into the cloud or into on-premise Windows. If the system is installed on-premise, then we use pass-through authentication. However, if the system is installed on the cloud, we utilize an internal authentication process. This applies to both public and private cloud platforms; the only exception is when we use third-party authentication.

Does your application allow user MFA to be enforced by admins?

Yes, admin users can enforce multi-factor authentication provided they have purchased the option.

What audit trails and logs are used to access customer data?

We do not store any customer data.

Does your application allow for custom data retention policy for customer data?

We do not store any customer data.

Does your application provide a sandbox environment to customers for testing?

Yes, applications provide a sandbox environment to customers for testing provided they have purchased the option.

Do you conduct internal audits of the service? If so, please describe the scope, remediation process, and frequency of audits.

Our internal audits cover system performance, security incidents, and customer raised incidents. We conduct the audit on a quarterly basis.

What IT operational, security, privacy related standards, certifications and/or regulations do you follow?

We follow the regulations associated with ISO 27001 and 27701.

Are your confidential data access controls in line with your data classification matrix?

Yes, we have taken special care to ensure that the data classification matrix is in line with data access controls.
