Security & Compliance


At Balboa Digital, we take the security and privacy of our clients’ data very seriously. Keeping our clients’ data protected at all times is our highest priority. This document provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at:

Security & Compliance Team

Our Security & Compliance Team is a cross-functional team spanning our leadership, technology, and human resources teams. This team designs, implements, trains staff and monitors activity to ensure compliance with regulations, policies, and procedures. Our employees are trained on how to handle incidents, escalation, and resolution. We stay current with the rapidly changing regulatory environment, review risks, and enhance our security and compliance disposition on a regular basis.

Infrastructure & Security Protection

We utilize tier-one service providers to support our custom contact and reporting platform, including Amazon Web Services, Twilio, and Commio.

  • HTTPS/SSL/FTPS is required for all staff, client, and external-system communication with our systems.
  • Firewall controls manage white-list access to specific system port resources.
  • All internal infrastructure access is controlled by user role, and a VPN is required for direct server access.

Data Retention

We retain our clients’ data indefinitely unless requested to destroy it. All data is kept in the primary data repository for 4 months and then moved to a data archive with greater data access restrictions. Call recordings are maintained for 90 days and then deleted. We honor consumer data privacy requests for record-level information and deletion (e.g., California Consumer Privacy Act).

Business Continuity and Disaster Recovery

We maintain redundant database and application server capabilities within two Amazon Web Services regions. If the primary region becomes unavailable or impaired, we can utilize the backup region within hours. All database and application server backups are updated daily and encrypted while at rest. All staff members are currently remote and have a primary and secondary ISP connection. We can relocate staff members for better access to company systems on an emergency basis.

Network Security Monitoring

  • As identified in our security policies and procedures, specific alerts and log reviews are monitored on a real-time or recurring basis.
  • We utilize our incident management system to investigate, identify root causes, and resolve exceptions to the expected system, application, and operational parameters.

Responsible Disclosure

By policy and procedure, we are transparent with our clients regarding issues that may interrupt services and any consumer issues/requests. The same applies, of course, if we were to encounter any attack or exposure within our systems that might impact the integrity or privacy of any data that we manage on our clients’ behalf.

User Protection

2-Factor Authentication – We utilize 2-factor authentication for accounts and logins, when possible, to protect our clients and agents.

Role-Based Access Control – We utilize role-based access control, when possible, to define users, roles, and permissions.

Suspicious Activity Monitoring – We monitor systems availability, performance, and user activity to detect anomalous activity.


Federal Regulations

The contact center industry is subject to a number of broad-based Federal laws and regulatory standards designed to prevent unwanted phone charges and nuisance/fraudulent calls. Some of these regulations include the Federal Trade Commission’s (FTC) “Telemarketing Sales Rule,” the Federal Communications Commission’s (FCC) “Telephone Consumer Protection Act,” the FTC’s Do-Not-Call Implementation Act, and the FCC’s TRACED Act.

Our systems & applications apply business rules to maintain compliance with these regulatory requirements.

State Regulations

Many states have further clarified or enhanced the federal requirements for privacy and for calls and texts made to citizens within their state. These include laws and regulations that restrict dialing hours, require the use of state Do Not Call lists, restrict the use of automated dialing systems, and prohibit pre-recorded voicemail, artificial voices, and the use of ringless voicemail to mobile phones (and more).

We regularly monitor for regulatory changes at the state level so that we can update our systems to maintain compliance.

Carrier Regulations

The FCC’s TRACED Act has extended the responsibility of blocking unwanted calls, especially “Robocalls,” to the telephone carriers. In response to these regulations, carriers have begun implementing content standards & monitoring, initially on SMS messages. Non-compliance with these standards can result in fines, termination of service, and filings to the Justice Department for legal action.

We follow the carrier-designation processes for pre-approval of text message content to avoid any negative outcomes.


Specifically, to support our medical clients, we are compliant with the Health and Human Services’ (HHS) Health Insurance Portability and Accountability Act (HIPAA). This act requires that specific security and privacy controls be implemented, covered in training for all staff members, and monitored on an ongoing basis.

Employee Access

  • Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our clients’ sensitive information.
  • Access to specific client data is limited by each user’s role and need.