Governance, Risk, & Data Compliance

Are policies and procedures established for labelling, handling and the security of data and objects that contain data?

Yes, there are established policies and procedures for labelling, handling, storing, transmitting, retention/disposal, and security of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures.

Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

Yes, there are established policies and procedures for label inheritance of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Do you adhere to tenant's retention policy?

Yes, we adhere to the retention policy that the tenant sends out for optimal collaboration and smooth user experience with Xoxoday's products and services.

Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Your data is of the utmost importance. All security mechanisms and policies are established and implemented in ways that prevent data leakage, both in transit and at rest.

Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Yes, the policy, process, and procedure are implemented to ensure proper segregation of duties. These can be requested by tenants and delivered to them on request. In the event of a user-role conflict of interest, technical controls shall be implemented to mitigate the risk (if any) of unauthorized or unintentional modification or misuse of the organization's information assets.

Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Yes, our products comply with all the industry benchmarks and standards when it comes to the Software Development Lifecycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include:

  • security requirements

  • independent security review of the environment by a certified individual

  • code reviews

Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Yes, our code goes through both automated source code analysis tools and manual source code review to catch any security loopholes before the production phase.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.

Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes, our products comply with all the industry benchmarks and standards when it comes to Software Development Lifecycle (SDLC) security.

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in roles, rights, or responsibilities shall be documented for a seamless experience.

Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

We have a consistent and unified framework for business continuity planning, disaster recovery, and plan development. All the appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g. fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility service outages, etc.).

Do you provide tenants with geographically resilient hosting options?

Our hosting options are limited to Xoxoday's jurisdiction and are backed by prominent business continuity plans. Hence, we don't find the need to provide geographically diverse hosting options.

Do you provide tenants with infrastructure service failover capability to other providers?

Infrastructure service failover capability to other providers is not provided to clients.

Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?

Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.

Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals along with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks. Using qualitative and quantitative methods to verify our compliance with policies, procedures, and standards, we adhere to the best standards.

Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Yes, our stringent checks and tests are conducted annually to maintain the hygiene of the cloud service infrastructure as per industry standards.

Do you perform annual audits (internal and external) and are the results available to tenants upon request?

Annual audits are conducted both internally and externally. The audit results can be sent to tenants upon request.

Are the results of the penetration tests available to tenants at their request?

Yes, tenants can request penetration test results and receive the reports from us.

Are you storing, transmitting, and/or processing payment card data on behalf of our organization?

No, we do not process your payment card data for any reason other than billing purposes.

Can you prove that you are compliant for: Indian IT Act 2000?

Yes, we are compliant with the Indian IT Act of 2000.

Is there a formal process that details the transition of data from unsupported systems and applications to supported systems and applications?

There is no such process available from our end.

What will you deliver back to us on the end of service?

We will terminate the contract as per the applicable rules and statutes. Meanwhile, your data will be stored with us and won't be given back to you. However, if the tenant wants the data to be erased, this can be done upon request.

Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?

Yes, we store the data that is required for seamless rewarding and recognition. We conduct regular audits to ensure the safety of such data (employees' names, emails, employee numbers, etc.), which is used for verification and rewarding purposes.

Do you have a dedicated information/cyber security team responsible for information security governance across the organization?

Xoxoday's information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise when it comes to information security.

Have you defined the information security roles and responsibilities?

Roles are systematically defined for information security measures to tactfully align all operations, preventing any security breaches.

Do you have an acceptable usage policy which is signed/agreed by all employees on annual basis?

Employees must agree to the acceptable usage policy for peripherals and devices to prevent malicious activity originating from inside or outside the organization.

Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenant?

Our environment has all the capabilities to be SOC-2 Type-II compliant but the certification is yet to come through. It shall be updated soon.

Is your environment CSA-certified for the scope of the service being offered to tenant?

No, our environment is not CSA-certified.

Are all relevant legislative, statutory, regulatory and contractual security requirements identified, documented and tracked?

Xoxoday keeps track of all security requirements with respect to legislation, statutes, and contracts. They are documented at every step.

Are appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

We have our own procedure for control of documents and records that ensures compliance related to intellectual property rights and use of proprietary software.

Have you identified legislative, regulatory, contractual and business requirements related to record management?

Our record management criteria check all the boxes of legislative, regulatory, contractual, and business requirements.

Do you monitor effectiveness of cyber security controls through regular metrics?

With different metrics tracking cyber-security measures, Xoxoday keeps the effectiveness in check with regular monitoring.

Do you have an approved HR Policy document?

Xoxoday's Human Resource operation procedure takes all measures of employee confidentiality into consideration.

Are your employees screened before joining the organization? Are they bound to keep security of information intact even after their employment contract has ended?

Yes, Xoxoday performs a thorough background check on every employee before they are onboarded. The Non-Disclosure Agreement ensures that the information remains secure even after the contract is terminated.

Do you take services from any third party which directly or indirectly impacts services given to tenant or Client of tenant?

Yes, our Xoxoday Store vouchers are procured from third-party vendors. These vouchers are shared with the tenants in order to be showcased to users of the Xoxoday platform.

Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?

No, the third parties and vendors we deal with are confidential to Xoxoday. Hence, this list cannot be shared.

Do you have a Third Party Security Policy?

Yes, there's a third-party security policy present to safeguard the interests of Xoxoday's tenants as well as the end users.

Do you regularly monitor the third party's compliance with security obligations?

Yes, our third-party security policy clearly requires third parties to comply with their security obligations, and we monitor their compliance regularly.

Is there a process to address any risk that may occur due to change of services being provided to the tenant?

Yes, we have a detailed risk management procedure in place to address situational issues like change of services being provided to tenants.

Do you permit the use of contractors in roles supporting customer operations?

No, our customer requests are addressed by the Xoxoday customer support team for maximum efficiency.

Do you have subscription to brand protection services?

Yes, Xoxoday's brand protection service addresses any malicious interruptions and misrepresentations promptly.

Do you monitor media platforms as well for brand protection?

Yes, with media platforms being the biggest channel for information sharing, we keep an eye out for any brand protection issues there.

Do you have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic and host activity?

Yes, in the event of a rapid spike or slump in network traffic or host activity, Xoxoday analyzes the traffic to detect and prevent unauthorized or anomalous behavior.

Do you have mandatory and regular privacy training and awareness module?

Yes, in order to ensure airtight security of data, we have a mandatory and periodic privacy training and awareness module.

What is CSA?

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Did you list your organization for CSA STAR LEVEL – 1 self-assessment?

Yes, please visit the link to view the registry: https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday

What are the important features of CSA STAR LEVEL – 1?

Important features of CSA STAR LEVEL – 1 are listed below:

  • Operating in a low-risk environment

  • Wanting to offer increased transparency around the security controls they have in place.

  • Looking for a cost-effective way to improve trust and transparency.

Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?

Yes, we ensure the same as part of our code review, static code analysis, and Web Application Firewall.

Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?

Yes, we comply with these requirements. Our cloud service provider (CSP), Amazon Web Services (AWS), provides these physical security controls for our data centers.

Do you use Production data in a non-production environment?

Production data shall not be replicated or used in non-production environments. We do not use LIVE data in any other environment. We comply with the requirement.

Do you obtain prior authorization before relocation or transfer of hardware, software, or data to an offsite premises?

We take prior authorization from the concerned authority, as per the Media Protection procedure, before relocation or transfer of hardware, software, or data to an offsite premises.

Do you have a documented application validation process to test for mobile device, operating system, and application compatibility issues?

As per the Mobile Security Compatibility compliance requirements, we have a documented application validation process to test for mobile device, operating system, and application compatibility issues.
