Xoxoday complies with stringent data security rules and undergoes regular audits to stay compliant with the latest norms. Here are the most common questions about Xoxoday's adherence to data security and its regular audits.
Does Xoxoday have an information security policy? And is it communicated and published to all employees, suppliers and other relevant external parties?
Xoxoday has an information security policy which is published and communicated to all suppliers and employees (including contractors and other relevant external parties).
Xoxoday has ensured that its information security policies establish the direction of the organisation and are aligned with leading practices (e.g., ISO 27001, ISO 22307, COBIT) and with regulatory, federal/state and international laws where applicable.
Below is the link for information Security Policy:
Does Xoxoday have a formal established disciplinary or sanction policy for its employees who have violated security policies and controls?
Yes, at Xoxoday we have a formal disciplinary or sanction policy for employees who have violated security policies and controls. Employees are made aware of the action that may be taken in the event of a violation, and this is stated in the policies and controls. A detailed disciplinary process and policy is in place.
Below is the link of the disciplinary process:
Does Xoxoday ensure that all projects go through some form of information security assessment?
At Xoxoday we use JIRA for project management; abiding by the information security policy is mandatory and has been followed in all projects.
Every code change is reviewed by the tech lead or architect responsible for the project. During the review, the reviewer is responsible for identifying possible security issues.
Below is the link for the information security policy:
Does Xoxoday have a Mobile device policy?
Yes, Xoxoday has a mobile device policy. It takes into account the risks of working with mobile devices in unprotected environments and the controls to be implemented to protect data transmitted by or stored on the device, among other things.
Below is the link for the mobile device policy:
Does Xoxoday have a policy governing information classification and is there a process by which all information can be appropriately classified?
Yes, at Xoxoday we have an 'Information Security Policy' in place. Information classification is included in the organisation's processes and is consistent and coherent across the organisation. The results of classification indicate the value of assets according to their sensitivity and criticality to the organisation, e.g. in terms of confidentiality, integrity and availability. Classification results are updated in line with changes in an asset's value, sensitivity and criticality over its life cycle.
Below is the link for the information security policy document:
Does Xoxoday have a policy governing removable media?
Yes, we have an 'Information Security Policy' in place, and a management-of-removable-media process is defined for the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment.
Below is the link for the information security policy document:
Does Xoxoday have a formal procedure governing how removable media is disposed?
Yes, we have an 'Information Security Policy' in place, and formal procedures for the secure disposal of media are established to minimise the risk of confidential information leaking to unauthorised persons. The procedures for secure disposal of media containing confidential information are proportional to the sensitivity of that information.
Below is the link for the information security policy document:
Does Xoxoday have a process to restrict access to information and application system functions in line with the access control policy?
Our application has role-based access controls, and menus and screens are made accessible according to the user's role.
At Xoxoday, are privileged utility programs restricted and monitored?
The application does not have any system utilities, but it has administrative screens. Access to these screens is restricted by role, and every action performed on them is recorded in our activity logs.
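The role-based access and activity logging described in the two answers above, as an added example (this is not Xoxoday's code). It gates each administrative screen by role, drives the menu from the same table so the UI and the server-side check cannot disagree, and appends every allowed or denied action to an activity log. The role names, screen names and log record layout are assumptions made for the example.

```python
"""Role-based access to administrative screens with an activity log.

Added example, not Xoxoday's code. Roles, screen names and the log
format are assumptions.
"""
from dataclasses import dataclass
from functools import wraps
import datetime as dt


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class PermissionDenied(Exception):
    pass


# Which roles may open which screens (assumed for this example).
SCREEN_ROLES = {
    "rewards_catalogue": {"user", "admin", "super_admin"},
    "admin_users":       {"admin", "super_admin"},
    "admin_billing":     {"super_admin"},
}

# Append-only activity log: every attempt is recorded, allowed or denied.
ACTIVITY_LOG: list = []


def _log(user, screen, action, outcome):
    ACTIVITY_LOG.append({
        "ts": dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds"),
        "user": user.name, "screen": screen, "action": action, "outcome": outcome,
    })


def requires_screen(screen):
    """Decorator: run the handler only if the user holds a role for `screen`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            allowed = SCREEN_ROLES.get(screen, set())
            if not (user.roles & allowed):
                _log(user, screen, fn.__name__, "denied")
                raise PermissionDenied(f"{user.name} cannot open {screen}")
            result = fn(user, *args, **kwargs)
            _log(user, screen, fn.__name__, "ok")
            return result
        return wrapper
    return deco


def visible_screens(user):
    """Menu entries, filtered by the same table the server-side check uses."""
    return sorted(s for s, roles in SCREEN_ROLES.items() if user.roles & roles)


@requires_screen("admin_users")
def deactivate_user(actor, target_name):
    return f"{target_name} deactivated by {actor.name}"


@requires_screen("admin_billing")
def export_invoices(actor):
    return "invoices.csv"
```

Denied attempts are logged as well as successful ones; a reviewer reading the activity log sees who probed a screen they were not entitled to, which is the signal the "restricted and monitored" question is really asking about.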
Is there a policy on the use of Cryptographic controls at Xoxoday?
A cryptography policy has been defined to set out principles and expectations about when and how encryption of Xoxoday's digital information shall (or shall not) be used. Consideration is given to the regulations and national restrictions that may apply to the use of cryptographic techniques in different parts of the world, and to the issues of trans-border flow of encrypted information.
Below is the link of the policy which explains the same:
Is there a policy governing the whole lifecycle of cryptographic keys at Xoxoday?
Key access is restricted to the CTO and the VP of Engineering. The encryption policy covers the requirements for managing cryptographic keys through their whole life cycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
Below is the link of the encryption policy:
Is there a clear desk / clear screen policy at Xoxoday ?
Yes, we have a Clear Desk / Clear Screen policy at Xoxoday and it is enforced across the organisation.
Below is the link to the clear desk / clear screen policy:
Does Xoxoday have documented operational procedures associated with supporting the hosting environment?
Yes, we do have documented operational procedures associated with supporting the hosting environment. Below are the policies for reference
Does Xoxoday monitor capacity demands for critical infrastructure (e.g., end-user computing devices, network, storage, power supply)?
We have a cloud monitoring system that helps us monitor the server/application performance and provision additional infrastructure when necessary. Alerts are set up to notify when capacity increase is required.
Does Xoxoday have processes to detect malware and processes to prevent malware spreading ?
All our servers are Linux based, and no antivirus product is installed on them. We do have an OWASP-compliant Web Application Firewall that protects the application from hacking attempts.
Does Xoxoday have a documented backup and restoration policy outlining backup and restoration procedures, backup frequency, schedule, retention, restoration testing?
Yes, we do have policies in place which outline backup and restoration procedures, backup frequency, schedule, retention, restoration testing and much more. Below are the links of the policies.
Are the backup tapes stored at an offsite location in a secured environment and fire-resistant cabinets?
Backups are logical and are stored inside the cloud, so there are no tapes or physical cabinets.
Do you encrypt data while performing backups?
Backups are taken using real-time replication of the databases (MySQL, MongoDB, etc.), hence the same encryption used on the primary server (AES-256) applies to the backups as well.
Are appropriate event logs maintained and regularly reviewed?
1) Infrastructure logs are collected using AWS Audit Trail.
2) Application logs are collected in our Elasticsearch server and retained in long-term cloud storage.
Are logging facilities protected against tampering and unauthorised access?
Controls have been implemented to protect against unauthorised changes to log information. Only the CTO, the VP and DevOps team members have access to the logs, and the log files are read-only.
Are sysadmin / sysop logs maintained, protected and regularly reviewed?
Administrative logs are part of Cloud Dashboard and are regularly reviewed.
Does Xoxoday use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
Only approved services, protocols and ports (e.g., SMTP v2, NTP, HTTPS) are enabled on network devices; NTP is among the approved services.
Is there a process to risk assess and react to any new vulnerabilities as they are discovered at Xoxoday?
We have quarterly VAPT performed on the entire application by a third-party security auditor.
Are IS Systems subject to audit at Xoxoday and does the audit process ensure business disruption is minimised?
As part of the ISO audit, the IS systems audit is also covered, and yes, the audit process ensures that business disruption is minimised.
Do Xoxoday's policies govern how information is transferred?
Formal transfer policies, procedures and controls have been established to protect the transfer of information through the use of all types of communication facilities.
Below is the link for information security policy:
Do contracts with external parties and agreements within the organisation detail the requirements for securing business information in transfer?
Policies, procedures and standards have been established and maintained to protect information and physical media in transit, and are referenced in such transfer agreements.
- Also, the NDAs signed by external parties contain a clause on securing business information and protecting confidential information: https://drive.google.com/file/d/0B9NH9s_A-_sCMHhSOFNjZldiRUt3YmlTVjlzQ0xKeVc1WlhJ/view?usp=sharing
Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised disclosure and unauthorised modification?
Xoxoday's solution is a cloud-hosted product; there is no new system or software to be installed on any client's internal systems, and traffic between clients and the platform is carried over HTTPS.
Are there policies mandating the implementation and assessment of security controls at Xoxoday?
Yes, at Xoxoday we perform quarterly VAPT and run static code analysis via SonarQube.
Is there a procedure in place at Xoxoday which mandates when and how software packages can be changed or modified?
All software package changes are controlled through the manifest files committed to the source code repositories, so a package change is reviewed like any other code change.
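When package changes are governed by committed manifest files, the review gate can check the manifest mechanically rather than by eye. The following is an added example (not Xoxoday's tooling) that scans a pip-style `requirements.txt` and reports every entry that is not pinned to an exact version or lacks a `--hash`, so that the build resolves to exactly the artifacts that were reviewed. The manifest is constructed for the example and its digests are placeholders; the `==` and `--hash=sha256:` syntax is pip's real requirements syntax.

```python
"""Check that a dependency manifest pins every package and verifies its hash.

Added example, not Xoxoday's code. The sample manifest is constructed and
its sha256 values are placeholders, not real package digests.
"""
import re

PLACEHOLDER_DIGEST = "0123456789abcdef" * 4   # 64 hex chars, not a real digest

# Constructed manifest: two pinned entries with hashes, one pinned without a
# hash, one floating version range, one bare package name.
SAMPLE_MANIFEST = f"""\
# requirements.txt (constructed for this example)
requests==2.32.3 --hash=sha256:{PLACEHOLDER_DIGEST}
pymysql==1.1.1 --hash=sha256:{PLACEHOLDER_DIGEST}
pymongo==4.8.0
boto3>=1.34,<2
flask
"""

# name, optional version specifier, and the rest of the line (options such as --hash)
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)(?P<spec>[=<>!~]=?[^\s]*)?(?P<rest>.*)$")


def check_manifest(text):
    """Return a list of (line_no, package, problem) for entries that are not
    pinned with `==` or carry no --hash. An empty list means the manifest passes."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):       # skip blanks and pip options
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, line, "unparseable requirement"))
            continue
        name, spec, rest = m.group("name"), m.group("spec") or "", m.group("rest")
        if not spec.startswith("=="):
            problems.append((n, name, "not pinned to an exact version"))
        if "--hash=sha256:" not in rest:
            problems.append((n, name, "no --hash, artifact not verified"))
    return problems


def manifest_passes(text):
    return not check_manifest(text)
```

Running `check_manifest` in CI on every pull request that touches the manifest turns the "controlled through manifest files" statement into an enforced gate: a floating range such as `boto3>=1.34,<2` can silently pull a different artifact on the next build, and a pin without a hash still trusts the index to serve the right file.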
Does Xoxoday have documented principles on how systems must be engineered to ensure security?
This is handled through our architecture and code review process. The reviews are tracked in GitHub and in JIRA.
Has Xoxoday established a secure development environment?
We have separate, secured Development, QA and Staging environments in which developers implement and verify their changes.
Where systems or applications are developed, are they security tested as part of the development process?
Yes, at Xoxoday we do conduct Quarterly VAPT.
Is there an established process at Xoxoday to accept new systems / applications, or upgrades, into production use?
Yes, This is handled via our architecture and code review process. The reviews are monitored in GitHub and in JIRA.
Does Xoxoday have defined and documented policies and procedures around security incident management?
Yes, we have an information security policy in place which covers security incident management. We have a dedicated project in JIRA for tracking information security incidents. No such incidents have been reported to date.
Is there a process for reporting of identified information security weaknesses at Xoxoday and Is this process widely communicated?
Weaknesses are identified during security audits and VAPT reviews and tracked from there. Yes, this process is communicated to all employees and stakeholders.
Is there a process to ensure information security events are properly assessed and classified at Xoxoday?
Yes, Processes are established to assess each information security event using the agreed information security event and incident classification scale and decide whether the event shall be classified as an information security incident.
Below is the link for the Incident Management Procedure:
Is there an incident response process which reflects the classification and severity of information security incidents at Xoxoday?
Processes are implemented for responding to Information security incidents. Incidents may be responded to by a nominated point of contact and other relevant persons of the organization or external parties.
Below is the link for the Incident Management Procedure:
Have RTOs and RPOs been identified and defined at Xoxoday ?
Yes, RTOs and RPOs have been identified and defined at Xoxoday. The RTO is 6 hours and the RPO is 60 minutes.
Has Xoxoday identified and documented all relevant legislative, regulatory or contractual requirements related to security?
Yes. Notices are published and version control is implemented for policies
Does Xoxoday keep a record of all intellectual property rights and use of proprietary software products and does the organisation monitor for the use of unlicensed software?
Yes, we maintain the following:
1. Asset inventory record
2. MS Office product user tracker
3. List of whitelisted software
4. Software licence tracker
Yes, the organisation monitors for the use of unlicensed software.
Below is the link to multiple screenshots provided as evidence.
At Xoxoday, are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and business requirements?
Applications are granted only insert and update permissions on the databases; delete permission is not granted to any application, so unauthorised erasure through the application is blocked.
Is personal data identified and appropriately classified at Xoxoday?
Data policy for privacy and protection of personally identifiable information is developed and implemented. This policy is communicated to all persons involved in the processing of personally identifiable information.
Does Xoxoday have robust backup procedure? If yes, what is the backup schedule?
Yes, Xoxoday has a robust backup procedure in place: incremental backups daily and full backups weekly.
Does Xoxoday have documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) available? If Yes, kindly mention the location where the data would be stored?
Yes, Xoxoday has a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP); the data is stored in AWS Singapore.
At Xoxoday, if clients' data is stored in a shared environment, what security controls are in place to segregate a client's data from other tenants' data?
Each tenant's data is encrypted with a client-specific key, hence the segregation of data is handled cryptographically rather than by storage location alone.
At Xoxoday, if other tenants' information/data is compromised, how does Xoxoday make sure the client's data is not impacted?
The keys are split and stored at two independent locations; without both parts the data cannot be accessed, and one tenant's key does not decrypt another tenant's data.
At Xoxoday, is critical data encrypted wherever it is stored (including on portable digital media, backup media and in logs)?
At Xoxoday, We use AES 256 bit encryption for data at rest.
At Xoxoday, what is the retention period for data that must be stored for legal, regulatory and business requirements?
The storage period is as required by the applicable regulations. Personal data can be deleted on a formal written request with justification; Xoxoday deletes the data within 30 days of receiving the request.
What is the session timeout duration?
A session times out 15 days after the user last used the application (an idle timeout). This duration was chosen for a better user experience.
Is the cookie path set to root?
We set the authorisation cookie's path to root (`/`), as this cookie is needed by every part of the application for authorisation. All URLs of the form https://*xoxoday.com/* belong to Xoxoday.
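The idle timeout and cookie scoping described in the two answers above, as an added example that is not Xoxoday's code. The session store slides expiry forward on every use and refuses to revive a session once it has been idle longer than 15 days; the `Set-Cookie` value uses `Path=/` as the page states, plus the `Secure`, `HttpOnly` and `SameSite` attributes a practitioner would expect on an authorisation cookie. The cookie name, the in-memory store and the fixed epoch used for the clock are assumptions.

```python
"""Idle-session timeout (15 days since last use) and a root-path auth cookie.

Added example, not Xoxoday's code. Cookie name, store and clock are assumptions.
"""
import datetime as dt
import secrets

IDLE_TIMEOUT = dt.timedelta(days=15)   # the page's stated timeout
COOKIE_NAME = "xoxo_auth"              # assumed name

# Fixed reference time so the example is deterministic (assumption).
EPOCH = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)


def day(n):
    """Clock helper: the instant n days after EPOCH."""
    return EPOCH + dt.timedelta(days=n)


class SessionStore:
    """In-memory store keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, now):
        sid = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._sessions[sid] = {"user": user_id, "last_used": now}
        return sid

    def touch(self, sid, now):
        """Return the user of a live session and slide its expiry forward;
        return None (and forget the session) once it has been idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_used"] > IDLE_TIMEOUT:
            del self._sessions[sid]                # expired: never revive it
            return None
        sess["last_used"] = now                    # sliding idle window
        return sess["user"]

    def live_count(self):
        return len(self._sessions)


def set_cookie_header(sid):
    """Value of the Set-Cookie header for the authorisation cookie.
    Path=/ sends it to every part of the application (the page's choice);
    Secure, HttpOnly and SameSite limit where it can leak to."""
    max_age = int(IDLE_TIMEOUT.total_seconds())
    return (f"{COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def cookie_attributes(header):
    """Parse a Set-Cookie value into {attribute: value}; flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v if v else True
    return attrs
```

Because the window slides, a session used every few days never expires; the 15-day figure bounds only how long an abandoned session remains usable. `Max-Age` on the cookie mirrors that window client-side, but the server-side check in `touch` is the one that actually enforces it.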
At Xoxoday, who has access to the data server?
DevOps and technical leadership (VP/CTO) at Xoxoday.
How frequently are backup restorations tested?
At Xoxoday, backup restorations are tested every 6 months.
What is the current process of getting access to this Data?
The backup data is accessible to the same team that has access to the backup systems.
Do the APIs follow a pull or a push model?
We use HTTPS REST APIs with POST and GET methods.
Does Xoxoday use any API gateway?
Yes. GraphQL based API gateway.
Is API throttling configured at the API gateway level?
Yes, 50 requests per second.
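One way a gateway enforces a limit like the 50 requests per second stated above, as an added example that is not Xoxoday's gateway configuration: a token bucket per API key with a capacity of 50 and a refill rate of 50 tokens per second. A client may burst up to 50 requests, after which it is admitted only as fast as tokens refill, and each key is throttled independently. The per-key scoping and the injected clock are assumptions made for the example.

```python
"""Per-client API throttling: a token bucket sized for 50 requests/second.

Added example, not Xoxoday's gateway code. Keys and the clock are assumptions.
"""
RATE = 50.0    # tokens added per second (the page's 50 RPS)
BURST = 50.0   # bucket capacity: at most 50 requests in any single burst


class TokenBucketLimiter:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self._buckets = {}   # api_key -> [tokens, time of last refill]

    def allow(self, api_key, now):
        """Consume one token and return True if the caller is within the limit,
        otherwise False (the gateway would then answer HTTP 429)."""
        tokens, last = self._buckets.get(api_key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        if tokens >= 1.0:
            self._buckets[api_key] = [tokens - 1.0, now]
            return True
        self._buckets[api_key] = [tokens, now]
        return False


def simulate(limiter, api_key, timestamps):
    """Replay request times (seconds) for one key; return (allowed, rejected)."""
    allowed = rejected = 0
    for t in timestamps:
        if limiter.allow(api_key, t):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def steady_stream(n, interval):
    """n request timestamps spaced `interval` seconds apart, starting at 0."""
    return [i * interval for i in range(n)]
```

Keying the bucket by API key (or tenant) rather than globally is what makes the limit a protection against one noisy integration rather than a cap on the whole platform; a global bucket would let a single client exhaust everyone's quota.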
What kind of SFTP transfer method is used at Xoxoday?
CSV files are transferred over SFTP.
What kind of Encryption and Hashing is used at Xoxoday?
AES-256 encryption for PII data. SHA-256 with a unique per-user salt for hashing passwords.
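The password-hashing scheme stated above, as an added example that is not Xoxoday's code. `hash_password` implements SHA-256 over a random per-user salt and the password, and `verify_password` recomputes it from the stored salt and compares in constant time. Because a single SHA-256 is fast enough for offline guessing at billions of attempts per second, the block also includes `hash_password_pbkdf2`, the editor's hardened variant that keeps SHA-256 as the primitive but iterates it through PBKDF2-HMAC-SHA256; the `scheme$salt$digest` storage format and the iteration count are assumptions.

```python
"""Salted SHA-256 password hashing, plus an iterated (PBKDF2) variant.

Added example, not Xoxoday's code. The storage format is an assumption.
"""
import hashlib
import hmac
import secrets

SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = None) -> str:
    """The scheme the page states: SHA-256 over a unique random salt + password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: bytes = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened variant: the same primitive, iterated so each guess costs
    the attacker as much work as it costs the server."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt (and scheme) and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        salt_hex, _, _ = rest.partition("$")
        candidate = hash_password(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, _ = rest.split("$", 2)
        candidate = hash_password_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False   # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)
```

Storing the scheme name alongside each hash is what allows a gradual migration: existing `sha256$` records keep verifying, and a user's record can be rewritten in the stronger format on their next successful login.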
What are the measures introduced for Account management at Xoxoday?
Super administrators have access to account management. Additionally, HRMS integration via API or SFTP can be set up to automate user provisioning and deprovisioning.
What are the other SFTP hardened policies or best practices introduced at Xoxoday?
If the client wants to use the Xoxo SFTP server, a dedicated username and password are provided for the client to upload data. Additionally, IP whitelisting is applied so that only the whitelisted IP addresses can connect to our SFTP server.
At Xoxoday Does capability exist to forward logs and alerts from the cloud instance into Clients in house SOC for monitoring and incident management purposes?
No. Since we are a multi-tenant system, our logs contain all clients' information, and we cannot isolate a single customer's entries from them for forwarding.
Does Xoxoday process any payment or digital transactions? Or capture any credit/debit card information? And, Is Xoxoday compliant to PCI DSS?
Xoxo uses the PayU payment gateway to process transactions. The Xoxo servers/application redirect the user to PayU, where the card information is collected; Xoxo does not directly collect or store any payment information. The Xoxo platform itself is therefore not PCI DSS certified, but our payment partner is, so the payment process is PCI DSS compliant.
In the multi-tenant model, how is clients' data protected at Xoxoday?
Xoxoday uses company-wise encryption, with the option for the company key to be held in the client's own HSM/KMS.
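The per-tenant keying described here and in the two tenant-segregation answers above (a client-specific key per tenant, split across two independent locations), as an added example that is not Xoxoday's implementation. Each tenant gets its own 256-bit data key, which is never stored whole: it is held as two XOR shares in separate stores, so one store alone (or another tenant's key) reveals nothing. The page names AES-256 for the actual encryption; so that the example runs on the standard library alone, a keyed keystream built from SHA-256 with an HMAC tag stands in for AES-256-GCM, and the store names and record layout are assumptions.

```python
"""Per-tenant data keys, stored only as two XOR shares in independent locations.

Added example, not Xoxoday's code. The SHA-256 keystream + HMAC cipher is a
stand-in for the AES-256 the page names; the stores are assumptions.
"""
import hashlib
import hmac
import secrets

KEY_BYTES = 32      # 256-bit tenant key, matching the page's AES-256
NONCE_BYTES = 16
TAG_BYTES = 32

# Two independent stores, e.g. the application database and a KMS/HSM
# (or the client's own KMS, per the answer above). Assumed layout.
STORE_A, STORE_B = {}, {}


def split_key(key):
    """2-of-2 XOR secret sharing: each share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(x ^ y for x, y in zip(key, share_a))
    return share_a, share_b


def provision_tenant(tenant_id):
    """Generate a fresh key for the tenant and store only its two shares."""
    key = secrets.token_bytes(KEY_BYTES)
    STORE_A[tenant_id], STORE_B[tenant_id] = split_key(key)
    return key   # returned only so the example can check reconstruction


def load_key(tenant_id, store_a=STORE_A, store_b=STORE_B):
    """Reconstruct the tenant key; fails unless both shares are present."""
    if tenant_id not in store_a or tenant_id not in store_b:
        raise KeyError("both shares are required to reconstruct the tenant key")
    return bytes(x ^ y for x, y in zip(store_a[tenant_id], store_b[tenant_id]))


def _subkeys(key):
    """Separate encryption and MAC keys derived from the tenant key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(tenant_id, plaintext):
    """nonce || ciphertext || tag, bound to this tenant's key (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(load_key(tenant_id))
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(tenant_id, blob):
    """Verify the tag before touching the ciphertext; a wrong tenant key fails here."""
    enc_key, mac_key = _subkeys(load_key(tenant_id))
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong tenant key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

The property worth checking is the one the second answer above relies on: losing one store, or one tenant's key, must not expose another tenant's records. In this layout `STORE_A` on its own is indistinguishable from random bytes, and decrypting a blob under the wrong tenant's key fails at the tag check rather than yielding garbage that might be mistaken for data.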
Is there an architecture diagram of the integration between Xoxoday and a client?
Below is the link to the file containing the architecture, networking and data flow diagrams: https://docs.google.com/presentation/d/1PD5W3OWLCdWbbv_Xne3FswkAoKIBpk3JcyliFAYFrZw/edit?usp=sharing
Are Xoxoday applications VAPT certified?
Yes. Mobile application penetration testing certificate: https://assets.website-files.com/5d64e2776ed3ee7811a0b524/5e264008edc1c8393016482b_VAPT%20Security%20Certificate%20-%20I.pdf
Web application penetration testing certificate: https://assets.website-files.com/5d64e2776ed3ee7811a0b524/5e2641803cb0f7e5dd196a21_VAPT%20Security%20Certificate%20-%20III.pdf
Is Xoxoday ISO Certified?
Yes, here is the link to ISO/IEC 27001: 2013 certificate.