This Festive Season, Show that you care

Securing Your Data is Our Top Priority

Compliance

Xoxoday's primary security focus is to safeguard our customers' and users' data. That's why Xoxoday has invested in the appropriate resources and controls to protect and service our customers. We focus on defining new and refining existing controls, implementing and managing the Xoxoday security framework, and providing a support structure to facilitate effective compliance and risk management.

Xoxoday is committed to ensuring the integrity, confidentiality, availability, and security of its physical and information assets and maintaining privacy when serving the customers and organization's needs while meeting appropriate legal, statutory, and regulatory requirements.

To provide adequate protection for information assets, Xoxoday has built the Information Security Management System (ISMS), enabling everyone to follow these policies diligently, consistently, and impartially. Xoxoday will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized individuals as and when required.

Objectives

We've developed our compliance framework using best practices of the SaaS industry. Our key objectives include– 

  • Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
  • Information and Service Integrity – Using security controls focused on data integrity to prevent data from being modified or misused by any unauthorized party.
  • Availability and Continuity of Service – Ensuring ongoing availability of services and data to authorized individuals and proactively minimizing security risks threatening service continuity.
  • Compliance with Standards – Implementing processes and controls to align with current international regulatory and industry best practices and best-of-breed guidelines for cloud security by leveraging standards like Cloud Security Alliance (CSA), ISO 27001;2013, SOC 2, HIPAA, CCPA, CPRA, etc.

The Xoxoday promise

Xoxoday is committed to complying with all applicable regulations and laws of the land in all locations and countries it operates and processes information. Xoxoday takes data integrity and security seriously. Over two million customers across the globe trust us with their data security. Due to the nature of our products and services, we must acknowledge our responsibilities both as a data controller and processor.

Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to improve the dynamic technology landscape and give you a highly secure, scalable system that delivers a great experience.

Compliance certifications

We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks. 

We use enterprise-class security features and conduct comprehensive audits of our applications, systems, and networks to protect customer and business data. Our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected.

ISO 27001:2013 - Information security management system (ISMS)

Xoxoday is ISO 27001:2013 certified. 

ISO/IEC 27001:2013 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures for organizational information risk management, including legal, physical, and technical controls, used to keep information secure.

With ISO's robust ISMS, you gain the additional reassurance that we've implemented a full spectrum of security best practices across the organization.

Xoxoday is ISO 27001:2013 certified, and we are committed to identifying risks, assessing implications, and using systemized controls that inspire trust in everything we do - right from our codebase to physical infrastructure and people practices.

The primary goal of ISO 27001 is to protect three aspects of information:
  • Confidentiality: only authorized persons have the right to access information.
  • Integrity: only authorized persons can change information.
  • Availability: authorized persons must have access to information anytime.

SOC 2 - Service Organization Controls 

Xoxoday conducts annual SOC 2 audits using an independent third-party auditor. Our SOC 2 report attests that our controls, governing the availability, confidentiality, and security of customer data, map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).

A SOC 2 fives trust principles:

Security: These principles measure how we protect your data and our systems against unauthorized access and how we prevent information disclosure damage to the systems that protect the availability, integrity, confidentiality, and privacy of your information.

Availability: This trust principle covers whether your information and systems are available for operation and use to meet your company's objectives.

Processing integrity: This principle assesses whether your system's processing is complete and accurate and only processing authorized information.

Confidentiality: This covers whether confidential information stays genuinely protected.

Privacy: This final trust principle looks at whether your users' personal information is collected, used, retained, disclosed, and destroyed per your company's privacy notice and the Generally Accepted Privacy Principles (GAPP).

We are proud of the excellence of our controls and invite you to obtain a copy of our SOC 2 Type I report by contacting your Xoxoday representative

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Xoxoday is CCPA/CPRA Compliant. 

The CPRA has modified, expanded, and clarified privacy rights for California residents, and it takes inspiration from the EU’s GDPR policy in a variety of ways. CPRA creates the new category sensitive personal information (SPI) that is regulated separately and stronger than personal information (PI).

CPRA's purpose is to redefine and expand the California Consumer Privacy Act (CCPA) to strengthen the rights of residents of California. It provides consumers greater opportunity to opt out and requires deliberate data privacy management by businesses.

Health Insurance Portability and Accountability Act (HIPAA)

Xoxoday is HIPAA certified. 

The U.S. Department of Health & Human Services established the Health Insurance Portability and Accountability Act, HIPAA, in 1996. This act aimed to ensure the protection of a patient's healthcare information from public access.

There could be instances when customers may use some of our products to process electronic Personal Health Information (ePHI) in the ordinary course of their business operations. As per HIPAA of 1996, should our customers get categorized as either Covered Entity or Business Associate, Xoxoday extends support for their compliance towards HIPAA.

We help customers address their HIPAA obligations by leveraging appropriate security configuration options in Xoxoday products.

General Data Protection Regulation (GDPR)

Xoxoday is GDPR compliant.

Our comprehensive GDPR compliance program is supported by these fundamental privacy principles - Accountability, Privacy by Design and Default, Data Minimization, and Subject Access Rights, among others. Technology and operations related to the business are subject to regular sensitization programs.

Xoxoday is committed to providing secure products and services by implementing and adhering to prescribed compliance policies, both as a data controller and processor.

The enforcement of GDPR is critical to our mission of providing the EU and all our global customers with safe and dependable business solutions. In support of this commitment, Xoxoday extends the same level of privacy and security to all its customers worldwide, irrespective of location.

For more information about Xoxoday GDPR, please click here

Cloud Security Alliance (CSA) - STAR Level 1

Xoxoday is STAR Level 1 compliant.

CSA STAR encompasses the fundamental principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Xoxoday is a member of the Cloud Security Alliance (CSA), a not-for-profit organization with a mission of promoting best practices for providing security assurance within Cloud Computing. 

CSA has launched the Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing offerings. Based on our due diligence self-assessment results, we've completed a publicly available Consensus Assessment Initiative (CAI) Questionnaire.

The CSA CAIQ is available for download here.

Privacy and Data protection

Xoxoday is fully committed to upholding the rights that data subjects are granted under the applicable data protection laws and taking great care of their personal data. Over 2 million customers across the globe trust us with their data security. Due to the nature of the products and services we provide, we acknowledge our responsibilities both as a data controller and processor. 

Customer data security is an essential part of our products, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to improve the dynamic technology landscape and give you a highly secure and scalable system that delivers a great experience.

Privacy Policy - Learn more about Xoxoday privacy policy

GDPR Policy - Learn more about Xoxoday GDPR Policy

Artifacts

We have a number of resources that we can provide upon request.

Direct Download resources (Non-NDA)

To gain access to the following downloadable resources, please click the button below:

  1. Xoxoday ISO 27001:2013 certificate – Click here
  2. Vulnerability Assessment and Penetration Testing (VAPT) Certificate –
    Xoxoday Plum - Click here
    • Xoxoday Empuls - Click here
    • Xoxoday Compass - Click here
  1. Service Level Agreement (SLA) – Click here

NDA Resources

The following resources may require an NDA on file. Please reach out to your Xoxoday representative.

  1. SOC 2 Compliance Report
  2. Vulnerability Assessment and Penetration Test Summary
  3. California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) Report.
  4. Health Insurance Portability and Accountability Act (HIPAA) Report.
  5. GDPR Data Privacy Impact Assessment Report.

Cloud Security

Xoxoday outsources the hosting of its product infrastructure to leading cloud infrastructure providers. Principally, the Xoxoday product leverages Amazon Web Services (AWS) and Microsoft Azure for infrastructure hosting. The cloud infrastructure providers have high levels of physical and network security and hosting provider vendor diversity. AWS maintains an audited security program, including SOC 2 and ISO 27001 compliance. Xoxoday does not host any product systems within its corporate offices.

Data centre

Xoxoday deploys products in AWS and Microsoft Azure data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. AWS and Microsoft Azure infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data

Learn more about Compliance at AWS and Microsoft Azure.

Security

The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications.

AWS and MS Azure on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.

AWS/MS Azure provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Network Protection

Our network is protected using essential cloud security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and block known malicious traffic and network attacks.

Vulnerability Management - Vulnerability Scanning

Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing.

Bug Bounty Program

Our Bug Bounty Program gives security researchers and customers an avenue for safely testing and notifying Xoxoday of security vulnerabilities.

Please click here to know more about Xoxoday Bug Bounty Program

Security Incident Event Management

Our Security Incident Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM alerts notify the Security team based on correlated events for investigation and response.

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Logical Access

Access to the Xoxoday Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Xoxoday Production Network are required to use multiple factors of authentication.

Access to data and systems are based on the principles of least privilege for access. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles of need to know basis and support segregation of duties. Privileges relating to Administration of user access privileges and role configurations are different from the authorized approver that approves access requests. The approvers are either the Product Heads or respective function Heads are their authorized delegates. 

Security Incident and Breach Management

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Xoxoday has defined the Security incident management process to classify and handle incidents and security breaches. The Information Security team is responsible for recording, reporting, tracking, responding, resolving, monitoring, reporting, and communicating the incidents to appropriate parties promptly. The process is reviewed as part of our periodic internal audit and audited as part of ISO 27001 and SOC 2 Type II assessment.

Encryption

Encryption in Transit and at Rest

Data is encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Xoxoday is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. 

Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service that subscribers may choose to leverage at their own discretion.

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Product Security

We take steps to securely develop and test against security threats to ensure the safety of our customer data. We maintain a Secure Development Lifecycle, in which training our developers and performing design and code reviews takes a primary role. In addition, Xoxoday employs third-party security experts to perform detailed penetration tests on different applications.

Network security

Xoxoday products are hosted on Amazon's AWS and MS Azure platforms. Xoxoday employees do not have any physical access to our production environment. As an Amazon and Azure customer, we benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

The data centers are housed in nondescript facilities, with military-grade perimeter control beams with professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.

In addition to physical security, Cloud platforms also provide significant protection against traditional network security.

Secure development (SDLC)

Secure Code Training - At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors. 

Secure Access - Xoxoday's application servers are all secure HTTPS. We use industry-standard encryption for data traversing to and from the application servers.

Quality Assurance (QA)

Our Quality Assurance (QA) department reviews and tests our codebase. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

Application Security

In order to ensure we protect data entrusted to us; we implemented an array of security controls. Xoxoday security controls are designed to allow for a high level of employee efficiency without artificial roadblocks, while minimizing risk.

Xoxoday employs a dedicated, full-time security team to manage and continuously improve our security. The team protects Xoxoday infrastructure, network and data (including the data of our customers).

In addition to the security components provided by our top-level cloud providers (MS Azure and AWS), Xoxoday maintains its own dedicated controls by following the Industry best practices. 

These controls cover the DDoS attack, DB protection and a dedicated web application firewall, as well as network firewall fine-grained rules configured using the highest industry standards.

Host Security

SSH keys are required to gain console access to our servers, and each login is identified by a user. All critical operations are logged to a central log server, and our servers can be accessed only from restricted and secure IPs.

Hosts are segmented, and accesses are restricted based on functionality. Application requests are allowed only from AWS ELB, and database servers can be accessed only from application servers.

Password Policy

We have enabled the password policy, and passwords are stored after encryption for maximum security of data. The password needs to have a minimum of 8 characters and must contain at least one capital letter, special characters among '# $ % * &' and one digit.

Web Application Firewall (WAF)

Our dedicated web application firewall acts as a strong barrier to protect Xoxoday’s application and microservices. It enforces security controls such as hardened TLS configuration (HSTS, strong encryption and hashing algorithms), overall protection against malicious activity (bad IP reputation detection, browser integrity checks, WAF rules) and multiple rate-limiting rules that prevent automated form submission on critical endpoints (password guessing attacks).

Credit Card Information Protection

Xoxoday does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely and according to appropriate regulation and industry standards.

All our payment gateways are PCI DSS compliant.

Availability and business continuity

Xoxoday maintains a disaster recovery program to ensure services remain available or are easily recoverable in the case of a disaster. Customers can stay up-to-date on availability issues through a publicly available status website covering scheduled maintenance and service incident history.

The BCP and DR Plans are tested and reviewed every year. The Xoxoday BCP and DR plans are reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service principles.

Administrative operations

Xoxoday uses two-factor authentication to grant access to our administrative operations - both infrastructure and services. We ensure that administrative privileges are granted to only a few employees. Additionally, our use of role-based access ensures that users can perform operations as per the access control policy.

All administrative access is automatically logged and monitored by our internal security team. Detailed information on when and why the operations are carried out is documented and notified to the security team before making any changes in the production environment.

Xoxoday has deployed an information technology network to facilitate its business and make it more efficient for various risks. And establish management direction, principles, and standard requirements to ensure that the appropriate protection of information on its networks is maintained and sustained.  

Human Resources Security

Security awareness - Policies 

Xoxoday has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Xoxoday information assets.

Awareness Training 

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles.

Employee Vetting

Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records, if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

Non Disclosure Agreement

All new hires are required to sign Non-Disclosure and Confidentiality agreements. The Employee expressly agrees that he/she shall not use Confidential Information provided by the company in the development or delivery or for personal gain from providing any products or services for his/her own account or for the account of any third party.

Information Security

Last modified – 15th April 2021

Introduction

Securing your data is a top priority!!

Xoxoday is committed to ensure Integrity, Confidentiality, Availability and Security of its Physical and Information Assets and maintaining privacy for serving the needs of the customers and organization while meeting appropriate legal, statutory, and regulatory requirements.

To provide adequate protection for information assets, Xoxoday has built the Information Security Management System (ISMS) which includes the respective policies to be followed in a diligent, consistent, and impartial manner. Xoxoday will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized persons as and when required.

The Xoxoday promise

Xoxoday is committed to complying with all applicable regulations and law of the land in all locations and countries related to its operations and information processing.

Xoxoday takes data integrity and security very seriously. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor.

Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience.

Xoxoday lets you deliver a secure subscription experience at different levels by -

  • Securing your data with compliance to GDPR.
  • Ensuring Internal Data security of your data that rests with Xoxoday with adherence to ISO 27001, SOC 2 Compliance requirements.
  • Network Security within Xoxoday: Network, application, and operational level security policies that we follow.
  • Governance, risk, and compliance team ensuring best practices and standards across the employees and teams.

ISO 27001 certification

ISO/IEC 27001:2013 bis a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes with the aim of keeping information secure.

With ISO’s robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization.

Xoxoday is ISO 27001:2013 certified and we’re committed to identifying risks, assessing implications and putting in place systemised controls that inspire trust in everything that we do - right from our codebase to physical infrastructure to people practices.

The basic goal of ISO 27001 is to protect three aspects of information:
  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.

EU-US privacy shield

Xoxoday complies with the EU-U.S. Privacy Shield by adhering to the principles and protecting the rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

General Data Protection Regulation (GDPR)

General Data Protection Regulation it is one of the most important changes made to data privacy regulations in the last two decades. It establishes a new framework for handling and protecting the personal data of EU-based residents and is in effect since May 25, 2018. It provides the citizens of the EU greater control over their personal data and assures them that their information is protected.

At Xoxoday, we are helping our users understand and, where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR was introduced to bind each member state of the EU with a single, harmonious data protection law. It has been the most comprehensive European data privacy law in decades.

Xoxoday's Commitment to GDPR

Xoxoday is fully committed to upholding the rights data subjects are granted under the applicable data protection laws and taking great care of their personal data. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor. 

Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience.

Physical and Network security

Xoxoday is hosted on Amazon's AWS platform and infrastructure. Xoxoday employees do not have any physical access to our production environment. As an Amazon - AWS customer, we are benefitted from a data centre and network architecture built to meet the requirements of the most security-sensitive organisations.

AWS data centres are housed in nondescript facilities, with military-grade perimeter control berms with professional security staff utilising video surveillance, state of the art intrusion detection systems, and other electronic means.

In addition to Apart from the physical security, AWS platform also provides significant protection against traditional network security issues including - 

  • Distributed Denial of Service (DDoS).
  • AttacksMan In the Middle (MITM).
  • AttacksPort Scanning.
  • Packet sniffing by other tenants.

Administrative operations

Xoxoday uses two-factor authentication to grant access for our administrative operations - both infrastructure and services. We ensure that administrative privileges are granted to only a few employees. Additionally, role-based access is used to ensure specific users have only required operations that are allowed for specific users as per the access control policy.

All administrative access is automatically logged and monitored by our internal security team. Detailed information on when/why the operations are carried out are documented and notified to the security team before performing any changes in the production environment.

Xoxoday has deployed an information technology network to facilitate its business and make it more efficient for various risks. And establish management direction, principles, and standard requirement to ensure that the appropriate protection of information on its networks maintained and sustained. Few controls which in place to achieve the protection of exchanged information from interception, copying, modification, misrouting, and destruction as follow:

Host security

SSH keys are required to gain console access to our servers and each login is identified by a user. All critical operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.

Hosts are segmented, and accesses are restricted based on functionality. That is, application requests are allowed only from AWS ELB and database servers can be accessed only from application servers.

Application security

Secure Access - Xoxoday's application servers are all secure HTTPS. We use industry-standard encryption for data traversing to and from the application servers.

Cross-site scripting (also known as XSS) - All user inputs are well encoded when displayed to ensure XSS vulnerabilities are mitigated.

Cross-site request forgery (CSRF) - All POST requests are checked for CSRF token before processing the request.

SQL Injection - We use prepared statements for database access to avoid SQL Injection attacks.

Encrypted Data Storage - ‍Xoxoday does not store any sensitive user information. The keys for various third-party services (like payment gateway) - if stored, are all in the encrypted form in the database.

Vulnerability Scanning & Patching - ‍We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered we apply the fixes. We do periodic vulnerability Assessment and Penetration testing using the services of an authorised vendor.

Data storage & redundancy

We use Amazon's RDS for our database. The automated backup feature is configured for RDS. We backup data for up to 30 days. We have configured Amazon RDS in Multi-AZ which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Know more.

Monitoring

Xoxoday uses both internal and multiple external monitoring services to make sure the environment is secure. Our monitoring system will alert the concerned teams through emails and phone calls if there are any errors or abnormality in the request pattern.

Disclosure

At Xoxoday, we are continually working towards making our system secure. If you find any issues or have any queries regarding our security, please write to us at cs@xoxoday.com. We will make sure it gets addressed.