Technical Security Architecture (TSA) Classifying Information

Information classification is the first step toward managing information compliance. CXone manages a wide variety of information. Determining the specific compliance requirements for this information can get complex. To simplify the problem, NICE CXone defines classifications for information. These classifications are supersets of other types of information, as indicated.

These are the definitive classifications for CXone. It is very common for individual customers to define their own terminology and classifications for their data, often as part of their contract negotiation. Contract approval needs to ensure that the individual customer's definitions match the CXone definitions.

Content

Legal documents use content as a catch-all term for information provided by the tenant. These documents also use the word customer throughout, which should not be confused with customer as it is used here. In a legal document, a customer is the same as a tenant. We use the term customer to refer to your tenant's customers. Contractual obligations relative to content apply to all of the classifications included here. For this reason, CXone's goal is to minimize obligations relative to content.

The CXone suite classifies many types of content to better address the compliance needs of tenants.

Customer Sensitive Information Class

This class includes all information that relates to the content of an interaction (the full conversation with an agent through a channel; for example, a voice call, email, chat, or social media conversation). It also includes the results of analytics of an interaction, including specific customer identifiers.

Examples: Call recordings, interaction transcripts for all channels, voiceprints, and the results of customer profiling.

Compliance Terms: Personally Identifiable Information (PII), Cardholder Data (CHD), Protected Health Information (PHI), Federal Tax Information (FTI), Customer Complaints or Investment Advice (FINRA).

Compliance Regulations: GDPR, CCPA, General Privacy, PCI DSS, AWS BAA, IRS 1075, and FINRA.

Sensitivity: High.

Storage: Regional.

Encryption: Required.

Backup: Optional.

Life Cycle: Advanced.

Access Control: Permission and Data Visibility.

Customer Usage Information Class

This class includes all information about an interaction that isn't the content of an interaction.

Examples: Call detail records, customer identifiers like phone numbers, email, and social media identifiers, billing detail records, address book entry, or outbound campaign data.

Compliance Terms: Personally Identifiable Information (PII).

Compliance Regulations: GDPR, CCPA, Workers Council.

Sensitivity: Moderate.

Storage: Global.

Encryption: Optional.

Backup: Required.

Life Cycle: Hybrid/Advanced.

Access Control: Permission.

Tenant User Information Class

This class includes all information that relates to users of the CXone platform. Typically, this refers to the employees of CXone tenants, but this includes all users.

Examples: Call detail records, customer identifiers like phone numbers, email, and social media identifiers, billing detail records, address book entry, or outbound campaign data.

Compliance Terms: Personally Identifiable Information (PII), Country-specific compliance around performance information.

Compliance Regulations: GDPR, CCPA, and Workers Council.

Sensitivity: Moderate.

Storage: Global.

Encryption: Optional.

Backup: Required.

Life Cycle: Hybrid.

Access Control: Permission and Data Visibility.

Tenant Information Class

This class includes all information that relates to tenants on CXone. This also includes general system configuration managed by the tenant, including:

  • Groups

  • Teams

  • Scheduling units

This class includes aggregate information from the other classes.

Examples: Contact information, billing records, contract information, aggregated performance, and other metrics.

Compliance Terms: Limited Personally Identifiable Information (PII).

Sensitivity: Low.

Storage: Global.

Encryption: Optional.

Backup: Required.

Life Cycle: System-driven.

Access Control: None.

CXone Information Class

In legal documents, this class is called "Resulting Information."

This class includes all information held by CXone that doesn't fit into another class. Customer, employee, and tenant information in this class must be deidentified. Information can become part of this class by anonymization or aggregation. Anonymization must be done in a way that information cannot be re-associated with the source with reasonable effort. This class also includes aggregate information from the other classes.

Examples: Usage metrics, usage patterns, trends.

Compliance Terms: None.

Sensitivity: N/A.

Storage: Global.

Encryption: Optional.

Backup: Optional.

Life Cycle: System-driven.

Access Control: N/A.