Yes, there are established policies and procedures for labelling, handling, storing, transmitting, retention/disposal, and security of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures.
Yes, there are established policies and procedures for label inheritance of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Yes, we adhere to the retention policy that the tenant sends out for optimal collaboration and smooth user experience with Xoxoday's products and services.
Your data is of the utmost importance. All the security mechanisms and policies are established and implemented in such a way that data leaks can be prevented, in transit as well as at rest.
Yes, the policy, process, and procedure are implemented to ensure proper segregation of duties. These can be asked for and delivered upon tenants' requests. In the event of user-role conflict of interest, technical controls shall be implemented to mitigate risk (if any) from unauthorized/unintentional modification/misuse of organizations' information assets.
Yes, our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include:
independent security review of the environment by a certified individual
Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.
Yes, our code goes through stringent automated analysis as well as manual source code review to catch any security loopholes prior to the production phase.
Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.
Yes, our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC) security standard.
Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in roles, rights, or responsibilities shall be documented for a seamless experience.
We have a consistent and unified framework for business continuity planning, disaster recovery, and plan development. All the appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g. fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility services outages, etc.).
Our hosting options are limited to Xoxoday's jurisdiction and are backed by prominent business continuity plans. Hence, we don't find the need to provide geographically diverse hosting options.
The capability to transfer infrastructure service failover to other providers is not provided to the clients.
Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.
Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals along with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks. With qualitative/quantitative methods ensuring our compliance with policies, procedures, and standards, we stick to the best standards.
Yes, our stringent checks and tests are conducted annually to keep up the cloud service infrastructure hygiene as per the industrial standards.
Annual audits are processed both internally and externally. The audit results can be sent over to tenants upon request.
Yes, the tenants can request penetration test results and get the reports from our end.
No, we do not process your payment card data for any reason other than billing purposes.
Yes, we are compliant with the Indian IT Act of 2000.
There is no such process available from our end.
We will terminate the contract as per rules and statutes. Meanwhile, your data will be stored with us and won't be given back to you. However, if the tenant wants the data to be erased, this can be done upon request.
Yes, we store data that's required for seamless rewarding and recognition. We conduct regular audits to ensure the safety of data such as employees' names, emails, and employee numbers, which are used for verification and rewarding purposes.
Xoxoday's information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise when it comes to information security.
Roles are systematically defined for information security measures to tactfully align all operations, preventing any security breaches.
Employees must agree with the acceptable usage policy of peripherals and devices to prevent malicious activities from the inside and out.
Our environment has all the capabilities to be SOC-2 Type-II compliant, but the certification is yet to come through. It shall be updated soon.
No, our environment is not CSA-certified.
Xoxoday keeps track of all security requirements with respect to legislation, statutes, and contracts. They are documented in all steps.
We have our own procedure for control of documents and records that ensures compliance related to intellectual property rights and use of proprietary software.
Our record management criteria check all boxes of legislative, regulatory, contractual, and business requirements.
With different metrics tracking cyber-security measures, Xoxoday keeps the effectiveness in check with regular monitoring.
Xoxoday's Human Resource operation procedure takes all measures of employee confidentiality into consideration.
Yes, Xoxoday performs a thorough background check on every employee before they are onboarded. The Non-Disclosure Agreement ensures that the information is secure even after the contract is terminated.
Yes, our Xoxoday Store vouchers are procured from third-party vendors. These vouchers are shared with the tenants in order to be showcased to users of Xoxoday platform.
No, the third parties and vendors we deal with are confidential to Xoxoday. Hence, this list cannot be shared.
Yes, there's a third-party security policy present to safeguard the interests of Xoxoday's tenants as well as the end users.
Yes, our third-party security policy makes it clear that third parties must comply with security obligations, and we monitor their compliance regularly.
Yes, we have a detailed risk management procedure in place to address situational issues like change of services being provided to tenants.
No, our customer requests are addressed by the Xoxoday customer support team for maximum efficiency.
Yes, Xoxoday's brand protection covers any malicious interruptions and fallacies, which are addressed promptly.
Yes, with media platforms being the biggest pedestal for information sharing, we keep an eye out for any brand protection issues.
Yes, in the event of a rapid spike/slump in network traffic or host activity, Xoxoday analyzes the traffic to detect and prevent unauthorized or erratic behavior.
Yes, in order to ensure airtight security of data, we have a mandatory and sessional privacy training and awareness module.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
Yes, please visit the link to view the registry: https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday
Important features of CSA STAR LEVEL – 1 are listed below:
Operating in a low-risk environment
Wanting to offer increased transparency around the security controls they have in place.
Looking for a cost-effective way to improve trust and transparency.
Yes, we ensure the same as part of our code review, static code analysis, and Web Application Firewall.
Yes, we comply with these requirements. Our Cloud Security Platform (CSP), Amazon Web Services (AWS), provides these securities to our data centers.
Production data shall not be replicated or used in non-production environments. We do not use LIVE data in any other environment. We comply with the requirement.
We take prior authorization from the concerned authority as per the Media protection procedure before relocation or transfer of hardware, software, or data to an offsite premises.
As per Mobile Security Compatibility compliance requirements, we have a documented application validation process to test for mobile device, operating system, and application compatibility issues.