Security

Why is data security critical for Xoxoday customers?

Xoxoday products are used across companies employees, channel partners, sales and consumers. With critical information about your key stakeholders and business processes,  the security of the Xoxoday system needs to be of best standards.

The Xoxoday promise

Xoxoday takes data integrity and security very seriously. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor. Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes and systems are reliable, robust and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience. 

Xoxoday lets you deliver a secure subscription experience at different levels by,

  • Securing your data and personal information with compliance to GDPR.
  • Ensuring Internal Data security of your data that rests with Xoxoday with adherence to ISO standards. 
  • Network Security within Xoxoday: Network, application and operational level security policies that we follow.
  • Governance, risk and compliance team ensuring best practices and standards across the employees and teams. 

ISO 27001 certification

ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes with the aim of keeping information secure.

With ISO’s robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization.

Xoxoday is ISO 27001:2013 certified and we’re committed to identifying risks, assessing implications and putting in place systemised controls that inspire trust in everything that we do - right from our codebase to physical infrastructure to people practices.

EU-US privacy shield

Xoxoday complies with the EU-U.S. Privacy Shield and U.S.- Swiss Privacy Shield by adhering to the principles of protecting the rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

GDPR

The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

The core of Xoxoday's internal operations underpins protecting the personal data of our customers. We only collect and store information that is necessary to offer our service, and we do this with the consent of our customers. Adding to this, our approach towards privacy, security, and data protection align with the goals of GDPR. Along with a highly secure and robust system architecture, we have a variety of security measures in place to prevent unauthorized access and processing of personal data. 

Governance, Risk & Compliance

By setting up an internal compliance team (with functional heads) who works with an external specialist from a global audit firm, our security standards are assessed and the required changes are rolled out regularly.

Xoxoday audits its products, processes and vendors based on a risk based cadence such that all products and BUs are audited at least once in a year. The audits findings are reported directly to the Chief Security Officer and the Information security team tracks and reports the remediation of the audit findings till its closure.

Regular trainings and awareness programs are conducted across the company for new joiners and any new security compliance. 

All Xoxoday employees sign an agreement of data confidentiality. Confidentiality agreements are also signed with all its vendors or sub-processors along with appropriate services contracts with them. Our code of conduct is a set of common rules and standards of ethics that every Xoxoday employee is expected to follow in writing and in spirit.

Physical and Network security

Xoxoday uses Amazon's AWS and Microsoft Azure platform and infrastructure. Xoxoday employees do not have any physical access to our production environment.

Here are more details about the security setup of AWS.

Cloud security is the highest priority at AWS or Azure. We are benefitted from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. We are hosted in dedicated VPCs in non-promiscuous mode that are further segmented for increased security and manageability.

In addition to physical security, being on AWS platform also provides us significant protection against traditional network security issues on the infrastructure including,

  • Distributed Denial Of Service (DDoS) Attacks
  • Man In the Middle (MITM) Attacks
  • Port scanning
  • Packet sniffing by other tenants
  • Malware and spam protection applied based on latest threat signatures and supports real-time scanning and security.

Administrative operations

Xoxoday provides role-based access through IAM that enforces segregation of duties, two-factor authentication and end-to-end audit trails ensuring access is in accordance with security context. We use secure administrative tunnels with whitelisted IP addresses for secure connection to the servers for administrative purposes. Any administrative access is automatically logged and mailed to our internal security team. Detailed information on when/why the operations are carried out are documented and notified to the security team before performing any changes in the production environment. 

Secure delivery builds

Information security and data privacy requirements are checked into every release cycle and form part of the blueprint considerations of the product. 

  • Strong authentication mechanism on our API calls, dynamic throttling based on API requests and further simplifying security using a robust microservices architecture.
  • Security related features and fixes are prioritized in sprints
  • Dev-ops is a multi-disciplinary team and part of every release. 
  • Code reviews are done for every release through a code review process. 
  • Builds go through full quality stages like functional, performance, stability, UX, system and security. 

Host security

SSH keys are required to gain console access to our servers and each login is identified by a user. All critical operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.

Hosts are segmented and accesses are restricted based on functionality. That is, application requests are allowed only from AWS ELB and database servers can be accessed only from application servers.

Application security

  • Secure access
    Xoxoday’s application servers can be accessed only via HTTPS. We use industry standard encryption for data traversing to and from the application servers.
  • XSS
    All user input is properly encoded when displayed to ensure XSS vulnerabilities are mitigated.
  • CSRF
    All POST requests are checked for CSRF token before processing the request.
  • SQL injection
    We use prepared statements for database access to avoid SQL Injection attacks.
  • Encrypted data storage
    We do not store sensitive details on any Xoxoday network. The keys for various third party services (like payment gateway) are stored in our database in encrypted form.

Vulnerability scanning & patching

We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered we apply the fixes. We do periodic vulnerability scanning using the services of an authorized QSA. Xoxoday performs the VAPT assessment on a quarterly basis on all its applications.

Data storage & redundancy

We use Amazon's RDS for our database. The automated backup feature is configured for RDS. We backup data for upto 30 days. We have configured Amazon RDS in Multi-AZ which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. We do proactive capacity monitoring based on conservative thresholds and on-demand capacity expansion capability through our highly elastic hosting partners. Know more.

Monitoring

We use both internal and multiple external monitoring services to monitor Xoxoday. Our monitoring system will alert the Operations & Security Team through emails and phone calls if there are any errors or abnormalities in the request pattern.

Disclosure

We are working continuously to make our system secure. If you find any security issues, please send it to cs@xoxoday.com. We will make sure the issue is fixed and updated at the earliest.

We take security as our highest priority.