Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.
Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.
Yes, users can re-authenticate a change in credentials and we comply with any attempted change in authentication information.
No, we do not present login notices to users before they log in as the users are redirected through SAP SuccessFactors.
Yes, there is a protocol in place to ensure that no information beyond an unsuccessful login attempt goes through prior to a successful login.
Yes, our partnerships with a wide array of integration partners ensure existing customer-based Single Sign-On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go. Please refer to our list of integrations to know more.
Yes, our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with airtight security protocol.
We isolate our machines, network and storage with respect to the AWS Standards in order to keep them safe and secure.
No, tenants are only allowed to use our secure protocols and procedures to prevent cracks and folds in data handling.
Yes, we do support our clients' and tenants' access review policies.
Our password setting requirements comply with all factors to ensure that strong passwords are created. Passwords should be of a minimum length and contain special characters, capitalized letters, and alpha-numeric combinations.
No, customers/tenants must comply with Xoxoday's account lockout and password policies that have been incorporated for maximum security.
No, the user can set their own password from the very first login attempt.
No. As Xoxoday's products use single sign-on (SSO), the users can log in via their suite email and credentials.
Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.
Yes, to ensure the maximum safety and authority of data in the right hands, physical and logical access to user audit logs is restricted to authorized personnel.
No, logs are automatically audited, but are not integrated with the tenant's security ops. If the tenant requests logs, they can be shared when asked for by the clients.
Yes, regular audit logs are stored with Xoxoday and retained for future references.
The event logs are stored in a bucket wherein nobody can access them without an approval from the high authorities, i.e., the Chief Technical Officer.
Yes, all the mechanisms related to security and policies are implemented to facilitate timely decision and investigation by root-cause analysis. These incidents are analyzed with network intrusion detection (IDS) tools.
Please refer to: "Threat & Vulnerabilities Management Procedures"
Yes, in case specific incidents arise for particular tenants, our logging and monitoring framework allows isolation of incidents.
Yes, there are measures to limit the access of tenant's data from non-authorized devices. Please refer to "Access Control Procedures".
No. In case the accounts are deactivated or dormant, they would still be in Xoxoday's domain. The admin would have to manually reach out and disable the accounts that they wish to declare dormant or inactive.
Yes. The password history technique prevents passwords that have already been used from being reused. Please refer to "Password Management Policy".
Yes, with access control limit, super admins and admins can give out access to authorized individuals as per requests raised by them in order to handle their platform as well as the personal data accordingly.
Yes, the roles of "admin" and "super admin" are held in high regard, and these roles can process the personal data of users as per their choice with the access control limit capability.
Yes, personal data is stored in registered databases that comply with all necessary inputs of a standard inventory repository.
Yes, all the given credentials are safely stored in a TCCC-approved centralized system in order to securely process the personal data.
Yes, our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.
Yes, in case an incident occurs with respect to inappropriate access of data, we shall share the reports.
Yes, we do support measures to enforce strong multifactor authentication when it comes to accessing highly restricted data.
No, the data can be accessed by Xoxoday's authorized personnel to serve you better with maximum security.