Others

Does Plum follow GDPR?

Plum is GDPR compliant. At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security.

Does Xoxoday have an information security policy and is it communicated and published to all employees, suppliers, and other relevant external parties?

Xoxoday has an information security policy that is published and communicated to all suppliers and employees (including contractors and other relevant external parties).

Xoxoday has ensured that its information security policies establish the direction of the organization and align with leading best practices (e.g., ISO 27001, ISO 22307, COBIT) and with regulatory, federal/state, and international laws where applicable.

Does Xoxoday have a formal established disciplinary or sanction policy for its employees who have violated security policies and controls?

Yes, at Xoxoday we have a formal disciplinary or sanction policy for employees who have violated security policies and controls. Employees are made aware of the action that may be taken in the event of a violation, and this is stated in the policies and controls themselves. A detailed disciplinary process and policy are also in place.

Does Xoxoday ensure that all projects go through some form of information security assessment?

At Xoxoday, we use JIRA for project management; abiding by the information security policy is mandatory and is followed in all projects.

Every code change is reviewed by the tech lead or architect responsible for the project.

During the review process, the reviewer is responsible for identifying possible security issues.

Does Xoxoday have a mobile device policy?

Yes, Xoxoday has a mobile device policy. It takes into account the risks of working with mobile devices in unprotected environments and specifies the controls to be implemented to protect data transmitted to or stored on the mobile device, among other requirements.

Does Xoxoday have a policy governing information classification and is there a process by which all information can be appropriately classified?

Yes, at Xoxoday we have an 'Information Security Policy' in place.

Information classification is included in the organization's processes and is consistent and coherent across the organization. Results of classification indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Classification results are updated in accordance with changes in the asset's value, sensitivity, and criticality throughout its life cycle.

Formal procedures for the secure disposal of media are also established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a formal procedure governing how removable media is disposed of?

Yes, we have an 'Information Security Policy' in place, and formal procedures for the secure disposal of media are established to minimize the risk of confidential information leaking to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a process to restrict access to information and application system functions in line with the access control policy?

Our application has role-based access controls, and menu screens are made accessible according to the user's role.

What kind of encryption and hashing is used at Xoxoday?

AES-256 encryption for PI data. SHA-256 with a unique salt for hashing passwords.

Does Xoxoday have a documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) available? If yes, kindly mention the location where the data would be stored.

Yes, Xoxoday has a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP); the data would be stored at AWS Singapore.

Is there a process for reporting identified information security weaknesses at Xoxoday, and is this process widely communicated?

These weaknesses are identified during security audit/VAPT reviews.

Yes, this process is widely communicated to all the employees and stakeholders.

Where systems or applications are developed, are they security tested as part of the development process?

Yes, at Xoxoday we conduct a quarterly VAPT.

Are there policies mandating the implementation and assessment of security controls at Xoxoday?

Yes, at Xoxoday we perform a quarterly VAPT and run static code analysis via SonarQube.

Do contracts with external parties and agreements within the organization detail the requirements for securing business information in a transfer?

Policies, procedures, and standards have been established and maintained to protect information and physical media in transit, and are referenced in such transfer agreements.

There is also a clause on securing business information and protecting confidential information in the NDAs signed by external parties.

Are IS systems subject to audit at Xoxoday, and does the audit process ensure business disruption is minimized?

As part of the ISO audit, an IS systems audit is also covered, and yes, the audit process ensures that business disruption is minimized.

Is there a process to risk-assess and react to new vulnerabilities as they are discovered at Xoxoday?

We have a quarterly VAPT performed on the entire application by a third-party security auditor.

How secure is Plum?

At Xoxoday, we ensure that data is gathered, stored, and handled with respect for individual rights. We have raised awareness among our employees and other stakeholders on how to handle data appropriately. Our employees understand the importance of GDPR and information security. Our controls are put in place based on a data protection impact assessment (DPIA). All personal data is encrypted on Xoxoday.

We take data and security very seriously. We are ISO 27001, GDPR, and SOC compliant. More details about our security and privacy policy are in the links mentioned above. You can also learn more about our compliance here.

How does Plum use my information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.

  • To improve our website in order to better serve you.

  • To allow us to better service you in responding to your customer service requests.

  • To ask for ratings and reviews of services or products.

  • To follow up with you after correspondence (live chat, email, or phone inquiries).

Data security and ownership?

We take data and security very seriously. We are ISO 27001, GDPR and SOC compliant. More details about our security and privacy policy are here.
