Search Results

Data Handling & Security

Record Retention

By retaining transaction record history, those responsible for managing Aerialink gateway and financials are provided the means to monitor transactions and financial records, resolve problems, forecast required infrastructure and analyze operations.

Furthermore, the retention of records enables Aerialink and Clients to comply with various requirements to evidence mobile user’s consent to receive text messaging (opt-in) or to unsubscribe from text messaging (opt-out), the following applies:

  • FCC TCPA (Telephone Consumer Protection Action): Express written consent is granted for a specific telephone number, and it is recommended that customers keep records for a minimum of five years and maintain a record of mobile users’ direct request to opt-out of receiving future marketing messages also for five years.

Retention Times

The regulation requirements outlined above dictate how long our mobile data records should be retained at a minimum. Aerialink retains records for ninety days. As mentioned per the TCPA above, it is recommended that Aerialink API customers retain their own mobile data records for a minimum of five years.

Archival Options

Aerialink maintains messaging transactions in its data center for the duration of a message’s lifecycle (maximum of 96 hours except in rare cases). After this initial period has concluded, the messages are then maintained until the end of the billing cycle.

Aerialink provides two storage and archiving options for the “content” of message transactions or “data points” of other transaction types:

  • Data Encryption: default storage type
  • MMS Retention: MMS attachments are kept for forty-five (45) days after which they expire and are removed from our system.

Aerialink does not and will never sell, disseminate, publish or share any customer content to any third party outside of those required for message content delivery, or in the case of an authorized court subpoena. See our Privacy Policy for more information.

\Transaction records are maintained to support billing requirements. It is thereby not possible to completely purge or delete transaction records.*

Record Destruction

Client may fill out a Mobile Data Destruction Form and submit the request to our Help Desk Portal. The Database Administrator is responsible for the electronic records/fields destruction and scheduling, based on Client request. Data will be fully destroyed 30 days after deletion due to backup and recovery procedures. Electronic record destruction will be suspended immediately, upon any indication of an official investigation or when a lawsuit is filed or appears imminent. Destruction will be reinstated upon conclusion of the investigation.

Security Controls

Network Architecture

To protect against unauthorized access, all server access is logged and monitored. All servers require VPN RSA tokens for access. Internet/External End Points are exposed only via specific secured ports on separate infrastructure than the actual servers.

Our gateway connects to the inter-carrier network via IPSEC Tunnel. Connection monitoring is in place and automatically reports status. HTTPS TLS Standard Bank Level Security is used to secure user access to the platform and sessions.


All requests to the Aerialink API over HTTPS are processed using High-Grade Encryption SHA 256 RSA with a 2048 Bit Algorithm. The use of SSL (Secure Socket Layer) via HTTPS is required for requests to be processed with this encryption level. We highly recommend HTTPS connections over HTTP to ensure a secure and private connection between your application server and our network. Aerialink’s support for non-HTTPS requests will be phased out at a future date. (currently, this resides

Remote Access & Password Controls

API access is controlled through BASIC AUTHENTICATION, using an API key and secret. The key and secret pair are managed in the Aerialink platform portal. In addition, each authentication must come from a trusted source IP, or white listed source. The “key” is the first point of verification and the “secret” is the second point of verification. Granting access to the gateway firewall requires a customer’s IP server address which is also used for authentication. In addition, customer must use our host address in the API for gateway access. The combination of these 4 verification methods provides a highly secure access point.

Host Controls

Perimeter controls are put in place to prevent/detect/eradicate malware (viruses, spyware, etc.) from our internal systems. We use the Cisco ASA Firewalls solution to manage this.

Configuration management controls are used to keep our platform and related systems current, including patches. We utilize both GIT and SVN for source control management, branches and rollbacks.


Reporting and logging is performed on the gateway platform, each application and each database. The logs have individual accountability; can be used for problem identification, and data extraction. The logs are protected against data alteration and unavailability. Event reconstruction is also accommodated. Access to logs requires a secured user login via HTTPS. All logs are maintained for six months minimum within our redundant and failover Cisco appliances.


Data is stored in an off-site facility with data retention via AWS cloud services. We have both internal and external recovery sites, both hot and warm.