3CX GDPR Statement

Introduction

GDPR as such does not apply to products directly, but to how customers' and employees' data are protected, and to the policy-level procedures and good practices a company has in place.

Data Protection in 3CX Phone System

With regard to data protection, the 3CX Phone System has multiple built-in security features that ensure this data is protected, for example:

  • Your 3CX Phone System database is exposed neither to the WAN nor to the LAN and can be accessed only by the local system
  • The Management Console will blacklist any offender who inputs incorrect credentials 10 times
  • The Management Console can be accessed only through HTTPS
  • The 3CX SSL certificate included when using a 3CX FQDN is signed by a trusted authority, and the transport uses strong encryption ciphers
  • 3CX Call Reports, voicemails and recordings can be accessed only by authenticated users

Configuration & Access Controls

The configuration can be adjusted to strengthen access controls or to clear old data periodically:

  • Access rights segregation exists to delegate partial access to the Management Console
  • Passwords can be renewed at any time
  • 3CX log files have low verbosity by default
  • Logging can be turned off completely
  • Call history can be purged manually by the administrator for a given period
  • A quota for 3CX Phone System voicemails and recordings can be set to automatically delete everything older than a configurable number of days
  • 3CX Phone System voicemails can be sent by email and immediately deleted, so that they are not stored locally at all

Data Processing Addendum (DPA)

Customers in the EU/EEA can refer to the Data Processing Addendum (DPA) found in their Customer Portal/Subscriptions/key page, which further details our data processing and subprocessors.

Last Updated

This document was last updated 16 October 2025

https://www.3cx.com/company/gdpr-statement/