MAXimum Research,
Inc.
MAXimum Research's TCPA Compliance and Information
Technology
MAXimum uses only the highest caliber, state of the art security appliances& servers when it comes to the access of its information. Everything, from inbound traffic, to the webpages viewed by employees and the physical health of the servers, is monitored & logged on a 24/7 basis. The robust nature of the systems in place allows for a quick and effective reaction, should a leak/breach be detected or a machine malfunctions. All data sensitive servers are continuously backed-up using state of the art backup & recovery software hosted on a dedicated Backup & Recovery Server. This server actively creates snapshot backups of all the main file shares every 4 hours, 7 days a week. Snapshots are stored both locally and on the provider’s US-Based cloud archival site, for a period of 1 week, before being overwritten. Prior to the start of a new week, weekly “snapshots” are taken of all the daily backups, and stored for 4 weeks, before being converted to a monthly, and finally a yearly backup. This allows MAXimum Research administrators the ability to roll back to any date within the past year. In addition to the local and cloud daily snapshots, immutable full backups of core servers are performed nightly, in the event a full system recovery is required. These immutable backups are then stored off-site, at the cloud facility for a period of 1 month. Each backup has the ability to be “spun up” in the cloud, should operations on-site be interrupted, providing continual access to all core systems.
Security
For a more detailed description of our TCPA compliance steps, please download the following white paper: TCPA.PDF
MAXimum Research takes the security of its data and servers very seriously. The most important step in ensuring a secure environment starts with employee training and awareness. MAXimum Research employees undergo multiple training sessions a year, detailing the new security measures being utilized, how to identify potential data risks, and what to do in the event of a breach. Additionally, users are trained on the new technologies put in place and how to get the most effective results for their assigned tasks. The trainings are based on their position in the company, with administrative staff receiving the most training, and the interviewers the least. Trainings are mandatory, and a record is kept of who received training when, and what subjects were covered. The entire building, both inside and outside, is covered by several layers of access/safety surveillance. Window sensors, smoke/fire/heat sensors and internal motion sensors are monitored 24/7 via 3rd party monitoring companies, with direct lines to local law enforcement. Additionally, 16 cameras & 4 audio microphones are positioned around the interior and exterior of the facility, recording 24/7 and granting full video coverage of the facility, which is used reactively, should the need arise. Video is kept on DVR drives for a total of 7 days before being overwritten. MAXimum’s server array is kept in an environmentally controlled, locked office. Direct access to the server room is controlled via an electronic keycard/fingerprint reader, that logs all entries to a dedicated server. Logs are reviewed daily to monitor access to the server room. There are only 3 people with keycards to this office: the Systems Administrator, the Office & Facilities Manager, and the Owner. The server room is located in the back corner of the lower level of the building, with no direct external access, and a total of 3 security cameras covering the approach and entryway to the server room. All servers are equipped with multiple power supplies, and each power supply connects to a different battery backup, providing the most effective emergency power option available. MAXimum assigns one of three tiers to all of our employees, classified as: High-Level, Mid-Level, & Low-Level. These levels are based on their job title and assigned roles. Depending on the level of administrative need, computers will be assigned accordingly. High-Level employees are provided with a dedicated, company owner PC/Laptop. Mid-Level employees access a shared terminal server via thin clients and/or remote desktop sessions. Low-Level employees only access web-based pages/reports and have no direct access to any data or storage drives. All company owned assets are actively monitored via 3rd party, 24/7 for viruses, malware, phishing and other threats. In the rare occasion that something is detected on a machine, the monitoring company can initiate a remote shutdown within 30 seconds of detection, preventing more damage or the spread of the infection. Our employees are screener for federal OIG/GSA checks as well as criminal background checks.
Compliance
MAXimum Research has invested heavily to ensure TCPA compliance within the call center. We subscribe to a list management service that provides daily listings of known cell phone block identifier records (i.e. 8569069###) as well as monthly lists of numbers changed (ported) from a landline to a cellphone. These 2 lists are then used by the programming department to identify and flag any “cell” records within a sample file. Flagged records are then loaded into a separate study area on the call center operations server. This study area has NO KNOWLEDGE of our predictive dialer nor is the script used capable of using the dialer since all dialer logic is removed from the script. It is as if the dialer does not exist. Numbers that are not flagged as being a cell phone get loaded into our predictive dialer study area, when the system is connected to our predictive dialer. The only equipment used to dial cellphones is the “PBX” and “Phone”. The PBX is a custom-built Asterisk FreePBX system. It is a standard Voice Over IP system, like most others on the market. The phones are Polycom Soundpoint 331’s. These are basic level VoIP phones with just a handset, keypad and headset jack. Cell phone numbers are manually typed into the phone via the keypad, and then the line is connected to our provider to complete the call. No computer software is used to dial cellphone numbers, however our work from home employees do use a computer-based phone, referred to as a “soft phone” to connect to our PBX over the internet. This soft phone does not have any sort of auto-dial feature either, and just serves as a replacement for a physical phone. When the agent logs into our call center server, and selects the project they are working on, it will present them with a phone number to dial. The agent will pick up their phone’s handset/press the headset button, and key in the 10 digits of the phone number, followed by a #. The # tell the PBX that that is the end of the phone number, at which point the PBX connects to the VOIP provider and completes the call. Calls traverse a private fiber-optic circuit from our location to our VoIP provider. Should a TCPA complaint come in, the phone number will immediately be searched for on ANY study running on the predictive dialer study server. If the number is found, we will follow the number back through the identification process and determine why it was not flagged by our systems. The mostly cause would be a respondent who’s home/landline number was forwarding to a cellphone. In this case, we followed all possible procedures and are not a fault. MAXimum Research also manages an internal DNC list. Any time a respondent explicitly states that want to be on that list, the phone number is coded with a special disposition in our survey programs and immediately removed from the study. That night, during after-hours processing, all numbers from the previous day that receive this disposition are exported and appended to the internal DNC list. After this process it completed, all projects are refreshed against this list, ensure the number may not be loaded in a different project. Additionally, when new projects are prepared for dialing, the entire sample is checked against the list, and not loaded if a match is found.
