Security Operations

Have you suffered any security breach in the last 5 years?

Our security systems are airtight and so far we haven't suffered any security breaches.

Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

Yes, we maintain a repository of security incident information for all affected customers, should it be needed. This information can be accessed electronically.

What data monitoring tools are available and is there support for using external monitoring tools?

We run an ELK (Elasticsearch, Logstash, Kibana) stack for data monitoring.

Do you use content monitoring and filtering to detect inappropriate data flows ?

No, content monitoring and filtration is not done to detect inappropriate data flows.

Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?

Yes, only authorized personnel are allowed at ingress and egress points, and these points are kept isolated from data storage and processing areas.

What are the data backup and data archiving procedures? Is it secured?

Data backups are taken daily and stored securely in AWS.

Is there a provision for customer definable backup and Retention Periods of data?

No, backup and retention periods are controlled by Xoxoday. Data is retained in case a future need arises to look into the database.

Is the data stored in the database, and in transit, scrambled (encrypted)?

Yes, the data is held in our secure database and is scrambled (encrypted) in transit.

Is the client data used for testing purposes ?

Our tenants' data is strictly confidential and is never used for testing or staging purposes.

In the case of confirmed security incidents targeted at TCCC, do you provide immediate notification to KO-CIRT?

Yes, in the case of a confirmed security incident we promptly notify KO-CIRT so that counter-measures and defenses can be put in place immediately.

Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?

Yes, please go through our "Information Security Management System Manual" for a complete understanding.

Do you review your Information Security Management Program (ISMP) at least once a year?

Our ISMP is annually reviewed and updated if required.

Please provide your Information Security Policy and Privacy Policy.

Please go through the links below to access our policies:

Information Security Policy
Privacy Policy

Do you ensure your providers adhere to your information security and privacy policies?

Yes, it is mandatory for our providers to adhere to the organization's Information Security and Privacy Policy.

Do you follow OWASP (Open Web Application Security Project) guidelines for application development?

Yes, we follow the OWASP technical guidelines for the development of our code and applications.

Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Yes, we address and remediate all security, contractual, and regulatory requirements before granting customers access to data, assets, and information systems.

Is MFA (Multi-Factor Authentication) provided as an option?

No, we don't provide multi-factor authentication. At present, OAuth 2.0 and SAML-based tokens are supported, and a JSON-based token is available for direct-email logins.

Does the product's architecture support continuous operation during upgrades and maintenance windows?

Yes, Xoxoday's architecture is continuously improved and experiences no downtime during upgrades and maintenance windows.

Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

Yes, our event management systems merge these data sources into the SIEM's log store. This supports granular analysis and raises alerts when needed.

Do you have a documented security incident response plan?

Yes. Our documented security incident response plan covers logging, monitoring, and collecting relevant security event data for the purpose of investigation.

Do you monitor and quantify the types, volumes, and impacts on all information security incidents?

Yes, information security incidents, if any, are quantified by type, volume, and impact.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.
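The SIEM answer above (merging application, firewall, and IDS logs for alerting) and the privileged-login logging and retention rule just stated can be illustrated with a small constructed example. This is added code, not Xoxoday's own tooling or ELK configuration: two assumed log formats (an application auth log and a syslog-style sshd log) are normalized into one event stream, failed privileged logins are correlated across both sources per source IP, and a retention helper marks only events older than 180 days as eligible for deletion. The privileged account list, log formats, alert threshold, and sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (assumed formats; not real Xoxoday log data).
APP_LOG = """\
2024-03-01T09:12:01Z app auth user=alice result=success src=10.0.1.5
2024-03-01T09:12:44Z app auth user=root-admin result=failure src=203.0.113.9
2024-03-01T09:12:51Z app auth user=root-admin result=failure src=203.0.113.9
2024-03-01T09:13:02Z app auth user=root-admin result=failure src=203.0.113.9
2024-03-01T09:20:10Z app auth user=bob result=failure src=10.0.1.7
"""
SSHD_LOG = """\
Mar  1 09:15:00 bastion sshd[4121]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar  1 09:15:07 bastion sshd[4122]: Accepted publickey for deploy from 10.0.1.20 port 50130 ssh2
"""

PRIVILEGED = {"root", "root-admin", "deploy"}  # assumed list of privileged accounts
RETENTION_DAYS = 180                            # minimum retention stated in the answer above

APP_RE = re.compile(r"^(?P<ts>\S+) app auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_app(line):
    """Normalize one application auth line into the common event schema."""
    m = APP_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "source": "app", "user": m["user"],
            "success": m["result"] == "success", "src": m["src"]}


def parse_sshd(line, year=2024):
    """Normalize one syslog-style sshd line; syslog carries no year, so it is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "sshd", "user": m["user"],
            "success": m["result"] == "Accepted", "src": m["src"]}


def merge_sources(app_text=APP_LOG, sshd_text=SSHD_LOG):
    """Merge both sources into one time-ordered event stream, as a SIEM does."""
    events = [e for line in app_text.splitlines() if (e := parse_app(line))]
    events += [e for line in sshd_text.splitlines() if (e := parse_sshd(line))]
    return sorted(events, key=lambda e: e["ts"])


def privileged_auth_events(events):
    """Every successful and failed login by a privileged account; all of these must be retained."""
    return [e for e in events if e["user"] in PRIVILEGED]


def failed_privileged_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed privileged logins come from one source IP within the window.
    Failures are correlated across sources, so app and sshd failures from one IP count together."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"] in PRIVILEGED and not e["success"]:
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"src": src, "count": j - i + 1, "first": stamps[i], "last": stamps[j]})
                break  # one alert per source IP is enough for this example
    return alerts


def purgeable(events, now, days=RETENTION_DAYS):
    """Events old enough that the retention rule no longer requires keeping them."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["ts"] < cutoff]


if __name__ == "__main__":
    evs = merge_sources()
    for a in failed_privileged_alerts(evs):
        print(f"ALERT {a['src']}: {a['count']} failed privileged logins between {a['first']} and {a['last']}")
    print(len(privileged_auth_events(evs)), "privileged auth events to retain")
```

The correlation step is the point of merging sources: three failed application logins for `root-admin` plus one failed sshd login for `root` from the same IP become a single alert, which neither source would justify on its own at a threshold of three per log. The retention helper deliberately returns only what may be deleted, so a purge job cannot remove privileged authentication records inside the 180-day window.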

Do you use file integrity (host) and network intrusion detection (IDS) tools for your SaaS solution to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, we use host and network intrusion detection tools to ensure timely detection and prompt investigation of incidents.

Do you route entire outbound internet traffic through centralized proxy server?

No. All of Xoxoday's servers are hosted in Amazon Web Services (Singapore region), and outbound traffic is routed from there.

Do you monitor cyber threats internally or have taken services from any third party?

Cyber threats, if any, are managed internally by the tech team.

Do you assess identified threat for applicability and exposure to your environment?

Yes, we regularly audit identified threats for applicability and exposure to our environment.

Do you update your cyber security program based on proactive or reactive threat intelligence feeds?

Yes, we update our cyber security program based on proactive and reactive threat intelligence feeds.

Does your threat feed rely on input from multiple sources?

Xoxoday's tech team stays updated on technological developments and threats through news from multiple sources.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes, production and non-production environments are physically segregated.
