Voxtelesys Services Compliance

As cybersecurity continues to be of paramount importance, especially in highly regulated industries, Voxtelesys will always strive to provide our customers with secure and robust services.


Our Compliance Capabilities

The Voxtelesys solution for 3CX Hosting is only established in facilities that hold and maintain a ‘Passed’ rating in compliance assessments with the following certificates:

  • SSAE-18/SOC1/SOC2
  • GDPR-PrivacyShield
  • ITAR
  • StateRAMP
  • NIST Certified

These assessment results are not publicly available records. If documentation of Voxtelesys’ DC’s HIPAA Compliance assessment is required, such files can be arranged contingent on an NDA. Please note, the Voxtelesys solution for 3CX Hosting has not gone through ITAR/HIPAA/SOC2/SOC2 assessments.


Our CISA Partnership

Voxtelesys participates in the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Hygiene Service. CISA is maintained by the Department of Homeland Security (DHS) to track new critical and/or high vulnerabilities, and potentially risky services.

CISA has conducted Cyber Hygiene, Remote Penetration Testing, and Tailored Risk & Vulnerability Assessments of Voxtelesys’ Critical Systems to identify compliance gaps, and has provided recommendations for remediation. A few Cyber Hygiene tests include:

  • Web Application Scan
  • OWASP Top 10 Vulnerability scanning
  • Architecture Design Review
  • Persistent scanning service of internet-accessible systems for configuration errors and suboptimal security practices.

What can be done to improve security?

Changes to our default 3CX deployment can be made to increase system image security through encryption, process & policy. The following are some examples.


HIPAA - Health Insurance Portability and Accountability Act

Is 3CX HIPAA Compliant?

HIPAA compliance does not apply to software vendors directly but to the organizations that may store, process, and transmit users' PHI/health data electronically through the software. Although 3CX is not audited for HIPAA compliance specifically, both the 3CX Communication System and the 3CX Video Conferencing software are secure by design.

Is VoxFax (Fax2Email) HIPAA Compliant?

Yes, all data at rest is stored with AES256 encryption. All data in transit is sent with TLS encryption. Furthermore, we offer the ability to password protect PDFs for both sending and receiving faxes.


ITAR - U.S. International Traffic in Arms Regulations

While Voxtelesys is not registered with the Defense Trade Controls Compliance (DDTC), we have still taken the following measures to deter offshore security vulnerabilities:

  • Operated by employees who are U.S. Citizens on U.S. soil.
  • Provide an environment that is physically located in the U.S.
  • Access by VTS Personnel is limited to U.S. Citizens.
  • U.S. Based in Fargo, North Dakota. Other Office Locations: Nebraska, Montana, and Minnesota.
  • Accounts are permitted only to U.S. entities and organizations that pass a screening process.
  • Technical data is not inadvertently released to foreign persons or nations without proper authorization.

GDPR - European Union’s (EU’s) General Data Protection Regulation

Currently, GDPR applies to citizens/members of corporations that directly have a presence within the EU.

Customers should seek their own legal counsel regarding their own compliance status, jurisdiction requirements, and further actions that may need to occur.


Is 3CX GDPR Compliant?

GDPR, as such, does not apply to products directly. Its regulation is based on how customer and employee data is protected and what procedures are in place on the company’s policy level, as well as good practices.

In regard to data protection, the 3CX Communication System has multiple security features built-in that ensure protection. The following are some examples:

  • The 3CX PBX database is not exposed to the WAN nor the LAN. It can only be accessed by the local system. (protection of the data storage)
  • The management console blacklists any offender who inputs more than 3 wrong credentials. (protection against brute force)
  • External access to the management console is possible only through HTTPS. (protection against man-in-the-middle)
  • The 3CX SSL certificate, included when using a 3CX FQDN, is signed by a trusted authority and transport has strong encryption ciphers. (protection against man-in-the-middle)
  • 3CX Call Reports, voicemails, or recordings can be accessed only from authenticated users.

Furthermore, the configuration can be adjusted to strengthen access controls or periodically clear old data:

  • Access rights segregation exists to delegate management console partial access.
  • Passwords can be renewed at any time.
  • 3CX log files have low verbosity by default. Logging can even be turned off entirely. (from Dashboard / Activity Log / Parameters)
  • Call history can be purged manually by the administrator for a given period. (e.g., everything older than X days, from Call Reports / Settings)
  • 3CX voicemail and recording quotas can be set to delete automatically. (e.g., everything older than X days, or when disk space used exceeds X GB)
  • 3CX voicemails can be sent by email and deleted afterwards so they are not stored locally at all. (option in Extensions / VM)


Voxtelesys signs all calls originating on its service using STIR/SHAKEN, and is in compliance with the FCC Rules for STIR/SHAKEN (See Voxtelesys Robocall Mitigation Database Entry).

Voxtelesys is compliant with FCC requirements for protecting Consumer Proprietary Network Information.


3CX: Secure Communication at Every Step

3CX takes your communication security seriously, employing a robust multi-layered encryption strategy to protect your data throughout its journey. Whether you're accessing the system remotely, making calls from the mobile app, or sending emails, rest assured that your information is shielded from unauthorized access.

  • HTTPS/TLS encryption: Secure web communication for various functionalities like management access, web client usage, and phone provisioning.
  • Strong ciphers and authentication: Enforced by default for best-in-class protection.
  • Mobile app security: Calls encrypted through custom protocols and industry standards.
  • Web-based communication: Static content, notifications, and video calls secured with HTTPS, Websocket Secure, and WebRTC with DTLS/SRTP.

Multi-level Encryption Across Different Channels

Beyond web and mobile security, 3CX protects other communication channels too:

  • IP Phones: Configurable for secure signaling and media encryption.
  • Push notifications: Secured via Apple APN and Google FCM protocols.
  • Email notifications: Encrypted in transit using TLS 1.2.
  • Backups: Password protected and encrypted with AES CBC 128 bit.
  • Credentials: No default passwords, only random and complex unique identities.