Securing Your Data is Our Top Priority

The following resources may require an NDA on file. Please reach out to your Xoxoday representative.

1. SOC 2 Compliance Report
2. Vulnerability Assessment and Penetration Test Summary
3. California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) Report.
4. Health Insurance Portability and Accountability Act (HIPAA) Report.
5. GDPR Data Privacy Impact Assessment Report.
   

Xoxoday deploys products in AWS and Microsoft Azure data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. AWS and Microsoft Azure infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data

Learn more about Compliance at AWS and Microsoft Azure.

The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications.
‍
AWS and MS Azure on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.

AWS/MS Azure provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Our network is protected using essential cloud security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and block known malicious traffic and network attacks.

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing.

Our Bug Bounty Program gives security researchers and customers an avenue for safely testing and notifying Xoxoday of security vulnerabilities.

Please click here to know more about Xoxoday Bug Bounty Program

Our Security Incident Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM alerts notify the Security team based on correlated events for investigation and response.

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Access to the Xoxoday Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Xoxoday Production Network are required to use multiple factors of authentication.

Access to data and systems are based on the principles of least privilege for access. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles of need to know basis and support segregation of duties. Privileges relating to Administration of user access privileges and role configurations are different from the authorized approver that approves access requests. The approvers are either the Product Heads or respective function Heads are their authorized delegates. 

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Xoxoday has defined the Security incident management process to classify and handle incidents and security breaches. The Information Security team is responsible for recording, reporting, tracking, responding, resolving, monitoring, reporting, and communicating the incidents to appropriate parties promptly. The process is reviewed as part of our periodic internal audit and audited as part of ISO 27001 and SOC 2 Type II assessment.

Encryption in Transit and at Rest

Data is encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Xoxoday is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. 

Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service that subscribers may choose to leverage at their own discretion.

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Xoxoday products are hosted on Amazon's AWS and MS Azure platforms. Xoxoday employees do not have any physical access to our production environment. As an Amazon and Azure customer, we benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

The data centers are housed in nondescript facilities, with military-grade perimeter control beams with professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.

In addition to physical security, Cloud platforms also provide significant protection against traditional network security.

Secure Code Training - At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors. 
‍
Secure Access - Xoxoday's application servers are all secure HTTPS. We use industry-standard encryption for data traversing to and from the application servers.

Our Quality Assurance (QA) department reviews and tests our codebase. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

In order to ensure we protect data entrusted to us; we implemented an array of security controls. Xoxoday security controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk.

Xoxoday employs a dedicated, full-time security team to manage and continuously improve our security. The team protects Xoxoday infrastructure, network and data (including the data of our customers).

In addition to the security components provided by our top-level cloud providers (MS Azure and AWS), Xoxoday maintains its own dedicated controls by following the Industry best practices. 

These controls cover the DDoS attack, DB protection and a dedicated web application firewall, as well as network firewall fine-grained rules configured using the highest industry standards.

We have enabled the password policy, and passwords are stored after encryption for maximum security of data. The password needs to have a minimum of 8 characters and must contain at least one capital letter, special characters among '# $ % * &' and one digit.

Our dedicated web application firewall acts as a strong barrier to protect Xoxoday’s application and microservices. It enforces security controls such as hardened TLS configuration (HSTS, strong encryption and hashing algorithms), overall protection against malicious activity (bad IP reputation detection, browser integrity checks, WAF rules) and multiple rate-limiting rules that prevent automated form submission on critical endpoints (password guessing attacks).

Xoxoday does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely and according to appropriate regulation and industry standards.

All our payment gateways are PCI DSS compliant.

Xoxoday maintains a disaster recovery program to ensure services remain available or are easily recoverable in the case of a disaster. Customers can stay up-to-date on availability issues through a publicly available status website covering scheduled maintenance and service incident history.

The BCP and DR Plans are tested and reviewed every year. The Xoxoday BCP and DR plans are reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service principles.

Xoxoday uses two-factor authentication to grant access to our administrative operations - both infrastructure and services. We ensure that administrative privileges are granted to only a few employees. Additionally, our use of role-based access ensures that users can perform operations as per the access control policy.

All administrative access is automatically logged and monitored by our internal security team. Detailed information on when and why the operations are carried out is documented and notified to the security team before making any changes in the production environment.

Xoxoday has deployed an information technology network to facilitate its business and make it more efficient for various risks. And establish management direction, principles, and standard requirements to ensure that the appropriate protection of information on its networks is maintained and sustained.  

Xoxoday has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Xoxoday information assets.

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles.

Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records, if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

All new hires are required to sign Non-Disclosure and Confidentiality agreements. The Employee expressly agrees that he/she shall not use Confidential Information provided by the company in the development or delivery or for personal gain from providing any products or services for his/her own account or for the account of any third party.