Data Management

Do you ensure that critical data (e.g., payment card number) is properly masked and that only authorized individuals have access to the entirety of the data?

Yes, the payment card data is masked and encrypted to ensure that the access only lies in the hands of authorized individuals.

How do you protect digital identities and credentials and use them in cloud applications?

We use AES 256-bit encryption for data at rest for securing digital identities.

What data do you collect about the tenant (logs, etc.)? How is it stored? How is the data used? How long will it be stored?

The only user data stored within the system is their personal information - names, emails and contact numbers. This data is not put to any use by Xoxoday and resides within the system. The data can be deleted upon the tenant's request.

Under what conditions might third parties, including government agencies, have access to my data?

Your data is completely secure. Third parties have no access to the given data.

Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about the tenant?

Yes, as stated above, your data is completely encrypted and secure, hence no critical information shall be revealed to the third parties.

Do you have a data-integrity monitoring / change-detection software?

No. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records.

Do you have data loss prevention (DLP) solutions implemented for web, email, and end-point gateway?

Yes, our web assets, email records, and end-points are sealed with data loss prevention techniques.

Do you have technical controls capable of enforcing customer data retention policies?

Yes, our technicalities are built in tandem with the customer data retention policies.

Will you use other companies whose infrastructure is located outside that of owned premise/Data Center?

No, we only rely on our ironclad infrastructure to ensure maximum security of data.

Can you provide details about policies and procedures for backup? This should include procedures for the management of removable media and methods for securely destroying media no longer required.

The Xoxoday platform operates on the cloud, which means there are no removable storage devices in question.

Can you specify the steps taken to ensure that data which has been deleted is completely wiped and cannot be accessed by other service users?

Our data cleansing process goes through an organized purge. Once the data is purged, it's purged from all places.

What checks are made on the identity of users with privileged access?

There are user roles available for privileged and authorized members, access to which is provided via OAuth 2.0.

Are there different levels of identity checks based on the resources accessed?

Identities of users are verified whenever they access any resources.

What processes are in place for de-provisioning privileged credentials?

A support ticket has to be raised to the customer support team, after which the de-provisioning of privileged credentials will be taken care of in the back-end.

How are the accounts with the highest level of privilege authenticated and managed?

The accounts with the highest privilege are authenticated and managed via OAuth 2.0, which can be used to implement secure access to confidential data.

Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?

No, roles of high privilege are allocated to a chosen few so that it doesn't break the segregation of duties.

How do you allow for extraordinary privileged access in the event of an emergency?

In case of an emergency, tenants can raise a request to the customer support personnel or the key account manager. The privileged access shall be given from the back-end promptly.

How are privileged actions monitored and logged? Is there a way to check and protect the integrity of such audit logs?

Infrastructure logs are collected using the AWS Audit Trail, while the application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage.

Is there mutual authentication? How could strong authentication be used? For example RSA SecurID? Is there any limitation?

Yes, mutual authentication exists for strong authentication via AES 256-bit encryption.

Please provide detail about what information is recorded within audit logs and for how long this is retained.

1. Infrastructure logs are collected using AWS Audit Trail.

2. Application-related logs are collected in our Elasticsearch server and retained in long-term cloud storage.

Is the data segmented within audit logs so they can be made available to tenant without compromising other customers?

No. Since we are a multi-tenant system, our logs contain information of all the tenants. We cannot isolate a single customer's information from our logs.

How are audit logs reviewed? What recorded events result in action being taken?

Administrative logs are part of Cloud Dashboard and are regularly reviewed.

Do you use multiple ISPs?

Yes, we have multiple internet service providers for uninterrupted coverage and maximum uptime.

Do you have DDoS protection, and if so, how?

There are gateways in place to defer DDoS attacks.

Can you provide availability of historical data?

No, historical data cannot be provided due to its confidentiality.

What is your downtime plan (e.g., service upgrade, patch, etc.)?

We don't face any downtime and keep our service uninterrupted even in the event of upgrades and patches.

Can you accommodate timely forensic investigation (e.g., eDiscovery)?

Yes, in case there's a need for a forensic investigation, we can accommodate time and make it happen.

Do you follow Data input and output integrity routines (i.e., reconciliation and edit checks) for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

Yes. We comply with this requirement; we follow a multi-layer application architecture to isolate database access.

Do you follow a defined quality change control and testing process (e.g. ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services?

Yes. We follow a defined quality change control and testing as per the Organization's policies and procedures.

Do you assign Data and objects data by the data owner based on data type, value, sensitivity, and criticality to the organization?

Yes. We follow a data classification policy and access control policy to provide access to the individuals based on data type, value, sensitivity, and criticality to the organization.

Do you follow Data Security & Information Lifecycle Management Ownership / Stewardship?

Yes, we comply with this requirement. All data has been designated with stewardship, with assigned responsibilities defined, documented, and communicated as per the compliance requirements.

Do you make sure that each operating system has been hardened to provide only necessary ports, protocols, and services to meet business needs, and have in place supporting technical controls such as antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template?

Yes. We follow our access control policy and data protection policy to make sure that only authorized individuals have access to the required data. We also have controls such as antivirus, file integrity monitoring, and log monitoring as per the compliance requirements.
