Application,Dev & Security

Questions

Answers

How do you continuously monitor and report the compliance of your infrastructure in accordance to industry best practises (i.e., OWASP, SANS, SOC, ISO 27001)

We take steps to securely develop and test against security threats to ensure the safety of our customer data. We maintain a Secure Development Lifecycle, in which training our developers and performing design and code reviews takes a primary role. In addition, Xoxoday employs third-party security experts to perform detailed penetration tests on different applications. In addition to the security components provided by our top-level cloud providers AWS, Xoxoday maintains its own dedicated controls by following the Industry best practices. These controls cover the DDoS attack, DB protection and a dedicated web application firewall, as well as network firewall fine-grained rules configured using the highest industry standards.

Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?

Data backups are done daily and in a secured way in AWS

If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?

We are using AWS VIrtual patform cloud. We have created an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. EBS Snapshot functionality allows us to capture and restore virtual machine images at any time.

Does your infrastructure environment solution include software/provider independent restore and recovery capabilities?

The infrastructure environment solution include software/provider independent restore and recovery capabilities.

Do you test your backup or redundancy mechanisms at least annually?

Data backups are automated and done daily in a secured way on AWS. Yes. We test the dats backup or redundancy mechanisms at least annually.

Do you test your applications before they are promoted into the Production environment? What types of testing do you perform on your application and codes?

We have SDLC Policy as per ISMS requirements and we follow General Coding Practice. For example - We Conduct data validation on a trusted system, All cryptographic functions used to protect secrets from the application user. We also conduct the code review and vulnerability assessment and penetration testing. We follow a blue-green deployment strategy for deployment of changes to the production environment that allows us to introduce new changes without any downtime and provides us the option to roll-back without impacting any existing users. Typically for routine deployment of enhancements we do not require any downtime.

Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications.

Do you have controls in place to ensure that standards of quality are being met for all software development?

We have implemented the SDLC Procedure and standards of quality are being met for all software development.

What controls do you have in place to detect source code security defects for any outsourced software development activities?

We have not outsourced software development activities. Our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase.

Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?

All debugging and test code elements are removed from released software versions.

Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications.

Do you monitor and log privileged access (e.g., administrator level) to information security management systems?

Yes. We monitor the logs.Application and Infrastructure logs are also centrally collected and backed up in a secure manner for internal development and other relevant audit-related concerns

Do you have an identity management system (enabling classification of data for a customer) in place to enable both role-based and context-based entitlement to data?

We have role based access system to make sure that only the authorised individual have an access to the required information.

Do you provide customers with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?

we don't provide multi-factor authentication. As of now, there's oAuth2.0 and SAML-based tokens. JSON-based token is available for maximum security direct-email logins.

Do you allow customers/customers to define password and account lockout policies for their accounts?

It can be configured with Active directory.

Are access to utility programs used to manage virtualized partitions (e.g. shutdown, clone, etc.) appropriately restricted and monitored?

These access has been restricted and also monitored for security reasons.

Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?

Audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions. We provide logs to the customer on need and approval basis.

Do you restrict personnel access to all management functions or administrative access based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?

Access to data and systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access events. We use MFA, Firewall, VPN, active directory etc for maximum security.

Do your network architecture diagrams clearly identify high-risk environments and data flows?

Yes. we have captured these information on our architecture and data flows diagram.

Is data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?

All the data is collected only through Xoxoday Platform.

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific customer without freezing other customer data?

we can freeze data from a specific time without freezing other data if need be

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

We have data loss prevention solution is in place and data will not be lost.

Do you use an automated source code analysis (automated/manual) tool to detect security defects in code prior to production?

We use an automated source code analysis.

Privacy by Design is incorporated into all your developments and services

We are proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices

How do you verify password strength?

The password needs to be minimum 8 characters long and should contain at least one capital letter, special characters among '# $ % * &' and 1 digit. These are reviewed on monthly basis and the last review was conducted 20th Aug 2021.

Does the organisation have a formal change control process for IT changes?

We have implemented the change management Procedure. All the IT changes takes place as per the Change management procedure. Attached the same for your reference.

Is antivirus software installed on workstations?

We have installed the antivirus on all the workstations and servers.

Are system and security patches applied to workstations on a routine bases?

We update the patches on routine basis.

Are system and security patches applied to servers on a routine bases?

We update the patches on routine basis for servers as well.

Are system and security patches tested prior to implementation in the production environment?

We test it before implementation in the production environment.

Are all systems and applications patched regularly?

Patches are updated regularly.

Do contracts with third party vendors that access or host your organization's information assets contain security requirements commensurate with your organization's security standards

We make sure that they have adequate controls in place and meet the security standard.

Are Cloud Hosting services (IaaS) provided?

We provide Software as a Service.(SAAS)

Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts?

Admins can control the application and will have an access to alerts and security events.

If an employee requires remote access, is there a process to request and obtain approval for the same (including new and existing employees) tothe customer network?

If we need access we will follow the process to request and obtain approval for the same. We have implemented the change management procedure.

Are there network access controls in place to ensure that endpoint security settings (anti-virus definition, patch update, etc.) are compliant to organization's security policy before the devices are allowed to connect remotely tothe customer network?

We have installed the end point security and update the patches on regular basis.

In case of any exceptions due to which anti-malware activities fail (e.g. antivirus scans cannot be conducted or patches cannot not be applied), are alternative controls implemented to reduce the exposure on remote endpoints?

We have the alerting system in place and we perfom the scaning immediately in order to reduce the risk.

Are rules pertaining to remote access monitoring configured on DLP solution?

We have implemented the data loss prevention techniques to make sure that the data is not lost permanently.

Are policies configured to monitor and detect data leakage over different file types?

It’s a part of our data loss prevention techniques

Is the current DLP solution capable of enforcing policies even when the endpoint is disconnected from corporate network?

our web assets, email records, and end-points are sealed with data loss prevention techniques even when the endpoint is disconnected from corporate network

Are all non-internet facing systems placed behind firewall?

Yes, we have the firewall.

Does the vendor have comprehensive network architecture diagram covering infrastructure used for the customer operations ?

Yes, we have the network architecture diagram.

Is the internet access secure through a proxy/firewall?

Yes, we have configured.

Are roles & responsibilities defined for Firewall configuration?

Yes, we have configured.

Is there a proactive mechanism to monitor unauthorised network access attempts?

Yes. We have IDS and IPS implemented and will get an alerts for unauthorised network access.

Is the firewall rule base reviewed at regular intervals?

Yes, Its reviewed on monthly basis

Does the firewall have Realtime logging & alerting capability covering systems in the customer scope of work?

Yes.

Are prior management approvals obtained and communication provided to the customer in case of any external connections to parties other than the customer? Is there a mechanism to limit the access to essential IPs and ports(the customer / Firewall Rule Base)?

Yes.

Does the organization maintain audit logs of user activities, exceptions, and security events on all systems that store or process sensitive data?

Yes. We maintain the records.

Do these audit logs contain details regarding the User ID, timestamp, and what actions were performed?

Yes. Since we are recording Services and Server logs – At the level of virtual machine and Audit and Access logs – At the level of AWS these are covered.

At what frequency are these logs reviewed? (monthly, quarterly, yearly, etc)

Monthly

Is the ability to delete event logs restricted to only superadmin or host admin for systems related to the customer operations ?

Yes. Only authorised individual can do this.

Is the network used for providing service to the customer, logically and physically segregated? Is server placed on separate LAN?

Yes, Its logically and physically segregated. We have deployed our application on AWS Cloud platform.

Are external access (e.g., remote, wireless and third party) to the Group’s network only permitted after a user has been identified and authenticated? What mechanism are used for authentication?

We do not provide access.

What are the applications used for the customer Operations?

Mainly we use AWS platform and Jira software for operations.

Is testing of applications done on separate testing facility & not on production data?

Both are kept separate.

Are patches tested in a UAT instance before deployment on the production server ?

Yes

Does the RTO and RPO of CSP’s contingency plan meeting with vendor's customer (specifically the customer in this case) requirements?

Our RTO and RPO is 60 mins

Does the requirement discussed and agreed that CSP to notify vendor which further notify the customer for major changes of infrastructure / security configuration in cloud environment specific to services obtained by the customer which may impact the customer services or security requirements?

Yes, we will notify the customer if there are any major changes.

Does a communication channel is established between Vendor and the customer to notify the customer on the scheduled downtime for services obtain and in case of any data security breach at Cloud environment?

Yes, Our customer support team will communicate

What is the service delivery model? (IaaS/PaaS/SaaS)

SAAS

If other tenants’ information / data compromised, how is vendor along with CSP making sure that vendor organisation’s (the customer) data are not getting impacted?

We logically segment or encrypt customer data such that data may be produced for a single tenant.

What security measures are implemented by Application Service Provider for guarding against data leakage/ data corruption/ data breach ?

All the security mechanisms and policies are established and implemented in such ways that data leak can be prevented, in transit as well as at rest. Exhaustive Vulnerability Assessment and Penetration Testing has been conducted along with business logic testing based on OWASP framework which incorporates 120+ test cases like Access Controls, Authentication and Session Management, Cross-site Request Forgery, Cross-site Scripting, Cryptography and Insecure Storage, Data Validation, Information Leakage and Error Handling, Malicious Execution etc.

What technology languages/platforms/stacks/components are utilized in the scope of the application? (MySQL, Ruby on Rails, Javascript or any other?)

We have deployed our application on Amaon web services (AWS) cloud platform. We are using MySQL, Salt stack, Nodejs and MongoDB technology.

Tech stack of the Application / Platform

We have deployed our application on Amaon web services (AWS) cloud platform. We are using MySQL, Salt stack, Nodejs and MongoDB technology.

Are applications and operating system software implemented after extensive and successful security testing ? Is there a log maintained to track installation of operational software on workstations? Do operational systems hold only approved Softwares and there is a periodic audit to track Software Compliance ? Are users disallowed to install software on their workstations?

Any applications, softwares are implemented after the security testing by our IT Team. All the logs are monitored as a best practice. We also maintain the approved software/application register and these documents are audited during the internal and external audits. Users do not have an option or disallowed to iinstall the softwares on their workstations.

Are audit logs maintained that record user activities, exceptions, success and failure logons, policy changes, events, and information security events in order to assist in future investigations and access control monitoring? Do event logs contain sensit

All the audit logs are monitored as a best practice

Are system administrator and system operator activities monitored and logged? Can system administrator activities be tracked to individual system administrators?

We maintain the logs and monitor for security and audit purposes.

Are the system clocks of all information processing β€Žsystem within the organization or security domain β€Žsynchronized with an agreed accurate time source ?

Synchronized the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

Whether any Firewall, deep packet inspection solution, IPS/IDS , DLP, Anti APT, SIEM, AntiSpoofing and other such security solutions (Perimeter, Endpoint, Web, Infrastructure) have been implemented in the network infrastructure ?

We have implemented the IDS/IPS, Endpoint security, Firewall, DLP, Antispoofing, VPN, Active directory and other security solutions for maximum security.

Mandatory Business ownership to be mapped for all applications on-boarded. The Business Owner is responsible for Budgets, Vendor / Partner liaison and overall ownership for approving any changes needed and aligning partners / vendors to achieve the outcomes. These could be On-premise, On-Cloud, SaaS etc.

Xoxoday would act as liason partner between customer and merchants. We process the budgets which are approved by the customer. Xoxoday application is a SaaS Product.

Mandatory Active Directory (SSO) Integration preferably through ADFS

Logs should be sent to the customer SIEM for continuous monitoring of security events from the application

The logs are automatically audited, but are not integrated with tenant's security ops. In case the tenant requests for logs, they can shared when asked for by the clients.

What Services/products are being/will be provided to the customer?

Xoxoday application is an API driven digital rewards platform that automates rewards, incentives and gifting. The storefront has a global catalogue of 20,000+ options with 5,000+ experiences, 2000+ gift cards and 10,000+ perks. application offers reward distribution modes like sending bulk vouchers via emails, generation of bulk voucher codes.

What is the purpose for processing the Personal Data?

Personal data will be processed only for the rewards and redemption purposes.

Can Supplier provide a data map which includes all country locations where Personal Data would traverse, be stored or processed

YES. We can provide the data flow diagram.

Has Supplier implemented data backup and recovery procedures to prevent data loss, unwanted overwrite and/or destruction

YES, Data backups are done daily and in a secured way in AWS

Are you managing the offer from end to end or do you rely on suppliers and/or subcontractors. If you are relying on suppliers/subcontractors, please refer to section 16 - Third Party Management

We are managing the platform end to end.

Is application of patches and ugrades under the provider's responsibility or the customer's

It will be the responsibility of Xoxoday.

How is the customer informed of application upgrades impacting the end user's client (internet browser version for ex)

The process for upgrades is automated using Continuous Integration and Deployment. Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users.

Is any DLP solution in place ? What is implemented to prevent data leaks ?

Yes. We have implemented the Data loss prevention techniques on AWS.

What type of mechanisms do you implement to make sure Data Integrity is protected against errors, corruption or misuse and how frequently are they controlled

We have Web application firewall (WAF), IDS/IPS, AWS Guardduty, Coudflare and the data has been encrypted for security reasons. We conduct code reviews as per the compliance requirements. We also conduct the Vulnerability assessment and penetration testing on annual basis with the help of the third party authorised vendor. We are equipped to detect and mitigate Threats, DDOS attacks, session hijack, login spoofs or any other data extraction strategies. Access to data and systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access.

Describe how you make sure that the customer's data is properly segregated from other customers' in multi-tenant solutions and how you control that production data is not replicated or used in non-production environments

Yes, the data is segregated with a client-specific key for proper handling and representation. physical segregation is done for production and non-production environments.

Would you support encryption keys generated by our own PKI that would be used to encrypt data.

We use a split key mechanism to ensure that every client's key is unique. Its generated automatically from our end.

Describe the management system in place to fix vulnerabilities identified during control activities (Health Checking, TCP Scanning, FW rules revalidations, CVE vulnerability scanning, code reviews, etc.)

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code. We also conduct code reviews and vulnerability assessment and penetration tesing with the help of the third party vendor. Attached the VA/PT Certificate

Describe what is in place to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping, etc.) and the technical controls in place to prevent them.

We have Web application firewall (WAF), IDS/IPS, AWS Guardduty, Coudflare and the data has been encrypted for security reasons. We conduct code reviews as per the compliance requirements. We also conduct the Vulnerability assessment and penetration testing on annual basis with the help of the third party authorised vendor. We are equipped to detect and mitigate Threats, DDOS attacks, session hijack, login spoofs or any other data extraction strategies.

Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?

YES

Describe how you implement segregation of the environments (prod/non-prod, customer/internal, customer/customer, etc.) and how frequently the appropriateness of the allowed connectivity is monitored.

The physical segregation is done for production and non-production environments. And we do not use any customer data for testing purposes.

Describe the patch management process in place at all levels of the proposed solution, including frequency and process to apply patches and specifying how rapidly you can patch vulnerabilities accross all components of the solution

Attached the Patch management procedure. Critical patches will be deployed immediately High patches will get deployed within 5 days Medium Patches will get deployed within 15 day Low will get deployed in 25 days.

What type/model of Firewall are implemented to segregate security zones internally and to protect the infrastructure from external attacks

We use Web Application Firewall

How are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs

We hardened the operating systems and restrict access to all the ports, application, software etc.. And monitored on regular basis.

Describe how you protect your wireless network environment from unauthorized access and traffic and the type of encryption implemented.

We have imlemented the policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory.

Describe how you make sure that the application is properly protected against exploitation of CVE vulnerabilities prior to allowing it to go to production. Can the customer perform his own testing on a ISO Production environment ?

Yes. We do the testing before deploying in the production environment.

Can your solution link to our Identity Federation Tool in order to authenticate users and retrieve their user profile using SAML or Oauth

Yes the application have robust authentication methods. We are integrated SAML 2.0 with SAP SuccessFactors, we also support OAuth 2.0 for seamless authentication.

Are there interactions between the proposed solution and third-party applications/middleware ? If yes, please describe what function, APIs, protocols are used

API Documentation - https://xoxoday.gitbook.io/application/user-guide/for-admins-1/xoxo-links/xoxo-link-apis

Provide the scope of data sources merged in your SIEM (Security Information and Event Management) : app logs, firewall logs, IDS logs, logical and physical access logs, etc. and confirm if the SIEM is configured for granular analysis and real-time alerting

Yes, SIEM has been implemented. Our event management systems merge the data sources to maintain a log data within the SIEM. This helps in proper analysis and driving out alerts if need be in case of contingency.. The audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is a SOC implemented to monitor the software solution ? Can the customer gain access to the SOC alert and response reporting ?

We have implemented the security operations center to monitor, prevent, detect, investigate, and respond to cyber threats around the clock.

Are system and security patches applied to workstations on a routine bases?

We update the patches on routine basis.

Are system and security patches applied to servers on a routine bases?

We update the patches on routine basis for servers as well.

Are system and security patches tested prior to implementation in the production environment?

We test it before implementation in the production environment.

Are network boundaries protected by firewalls?

We have installed the firewall for maximum securty and configured to restrict unauthorized traffic

Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organisation?

We have implemented IDS/IPS to facilitate timely detection, investigation by root cause analysis and response to incidents

Is wireless access allowed in your organisation?

Wireless access is allowed and handled with high quality routers, password protection and restriction on internet usage etc.

Are all servers, end user devices (All systems) configured according to security standards as part of the build process?

All are configured according to security standards as part of the build process

Are all systems and applications patched regularly?

Patches are updated regularly.

Does the organisation store backups offsite?

Data backups are done on daily basis and in a secured way on AWS

Are servers configured to capture who accessed a system and what changes were made?

We have track of the changes. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Does the software development lifecycle in the organisation specifically focus on security?

We focus on the security while producting the softwares and Attached the SDLC procedures.

Are development, test and production environments separate?

All are separate.

Is production data ever used in a test environment?

We do not use.

How are passwords stored (encrypted, hashed, algorithm or hashing methodology)?

We store password hashed. We have SHA512 hash with unique salt for every password

Are Cloud Hosting services (IaaS) provided?

We provide Software as a Service.(SAAS)

Are there network access controls in place to ensure that endpoint security settings (anti-virus definition, patch update, etc.) are compliant to organization's security policy before the devices are allowed to connect remotely tothe customer network?

We have installed the end point security and update the patches on regular basis. Attached the Virus Management Procedure and Threat & Vulnerability Management.

Does WAF is implemented to protect from application attackes?

Yes. We have implemented the Web Application Firewall (WAF)

Does Production environment is segregated from Non-Prod (UAT, Test, DEV etc.) environment? Share supporting evidence

Yes. The production environment is segregated from Non-Production environment. Attached the evidence.

Does the application support any APIs? And how are they consumed internally and externally?What controls are implemented for sharing such APIs externally?

How the security of the exposed APIs is managed?

We have implemented the Web application firewall, IDs/IPs and amazon guard duty etc for maximum security. OAuth2 is used to authorize all API requests. We also conduct code review to make sure that the APIs are secure.

Is the data classified top secret/ confidential /PII stored separately from public data / data of other organizations residing on same cloud ?

Yes

Have you implemented measure for prevention of loss of PII data? e.g. DLP, restricted access controls, log recording, encryption.

We use technologies like DLP, Data encryption, access control, log monitoring etc.

Does the SAAS support MFA such as OTP or security tokens or biometrics ?

No, we don't provide multi-factor authentication. As of now, there's oAuth2.0 and SAML-based tokens. JSON-based token is available for maximum security direct-email logins.

IS logging enabled for all components, such as, network devices, servers, DBs, IAM, Cloud Services and etc.?

Yes, Only authorised individual have access.

What is the log retention policy? Who has access to logs in your organization? Make sure nobody has modification access to log servers.

We maintain the logs for atleast 180 days. And only CTO and Production head will have access to these logs. There will be no modification to these logs.

Do you have any monitoring tool in place to get timely alerts on when device is going down, restarted and resources are over utilized?

we have an intrusion detection/monitoring application that alerts on unauthorized access. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails.

Does access provided to users and administrators are based on Need to Know basis?

Yes.

Share the User ID life cycle process, from creation till termination of an user ID / account.

What are the controls in place to detect any unauthorized change to cloud infrastructure and application?

We have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.

Please share the logical diagram with DR in place

Attached the application Network architecture diagram.

If vendor shares reports/data with the customer over emails, is that email ID blocked for sharing any data over other public domains? Please confirm the same by sending a test email to -Information.Security@the customerinsurance.com Please share the screenshot of the blocked email for confirmation.

Reports can be generated by the admins through the application. If there are any additional support needed, our customer support team would be able to help and guide on generating report.

Which all locations vendor is working or their offices are located ?

The production center location will be Bangalore.

Supplier has internal processes for identity and access management.

Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access events. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles of need to know basis and support segregation of duties. Privileges relating to Administration of user access privileges and role configurations are different from the authorized approver that approves access requests. The approvers are either the Product Heads or respective function Heads are their authorized delegates.

Control panel or administration console to the service or application offered to the customer is properly protected from abuse. Segregation of duties is implemented for privileged users.

By Default, Xoxoday will not have access to Service Data (customer’s account/application and the associated data processed as part of using our services). The access control to the accounts (who can access the application instance) is managed by the admin from the customer end. If we require (access for troubleshooting) we will request temporary access (occasional agent) and the decision to provide access is decided by Customer & their account admin. Access to our production environment is allowed only via Xoxoday corporate network and access is allowed only to authorized individuals of the infrastructure and engineering team. Accordingly, all information systems and data are classified and further segregated to support role based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided.A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access events.

Logging and monitoring is in place for analysing activities of privileged users as well as for inspecting and analysing network traffic.

All our Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. The audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions. All the events and activities are logged and monitored on a monthly basis. Application Audit Logs within the Admin console (Admin > Audit Trail) captures the user activities and configuration changes or all agents.

When infrastructure is shared, the tenant environments are properly segreggated and isolated.

It’s a multi- tenant system. We use logical data isolation with the help of company specific encryption keys and its solated from other customers data.

Logs are reviewed in a continuous manner to improve performance, as well as detect potential security issues.

The logs are reviewed in a continuous manner to improve performance, as well as detect potential security issues. Yes, our event management systems merge the data sources to maintain a log data within the SIEM. This helps in proper analysis and driving out alerts if need be in case of contingency.

Vendor has network forensics capabilities in place, and additionally, when required, the customer is assisted by the Vendor in performing any the customer initiated investigations on suspicious activites on the services it is provided by the Vendor. E2. Whenever Personally Identifiable Information (PII) data is gathered, Data Privacy Officer has access to the data change logs.

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. We provide these logs on need and approval basis to the customer for forensic investigation. Yes, we can freeze data from a specific time without freezing other data if needed.

Do you provide customers with security administrative guides that detail configurable security settings, their interpretation and how to implement them

Do you monitor and log user, system and administrative access

We monitor the logs on regula basis. Infrastructure logs are collected using AWS Audit Trail. Application related logs are collected in our Elastic Search server and retained in long term cloud storage.

Do you review user access and rights at least annually

We review the user access on periodical basis and validated the same during the internal and external Audits.

Is API integration available?

Does the application have APIs available for user provisioning and deprovisioning?

application enables user account management for its customer organizations through API-based integration with their HR management system. These APIs are used to access the necessary employee data to ensure users' accounts are created, updated, and disabled securely.

What is the idle session timeout and session expirations?

Since it’s a SaaS product Session timeout can be set with the help of Active directory. For ex – 15 min or 20 mins as per the requirements.

Is there account lockout functionality? What is maximum number of failed login attempts before the account gets locked out?

The account will get automatically locked after 5 attempts of unsuccessful logins.

What is the account unlock process?

Users will get a reset password link and with the help of that account can be unlocked.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

Yes, all the mechanisms related to security and policies are implemented to facilitate timely decision and investigation by root-cause analysis. These incidents are analyzed with network intrusion detection (IDS) tools.

Please provide information about your patching process including monitoring of security updates, testing and deployment.

Attached the Patch Management Procedure.

Does your organization have Cyber Insurance coverage? Provide details of what is covered

We are working with the Insurance company to get the Cyber Insurance

Do you ensure that endpoints (laptops,desktops,etc) have the latest available security-related patches (OS, applications) installed?

We update the patches periodically and ensure that all the endpoints have the latest available security-related patches.

Please provide further information about your handling of security requirements during development.

All software development procedures are supervised and monitored by Xoxoday so that they include: security requirements, independent security review of the environment, code reviews, Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades etc..

Can the logs be integrated into an SIEM system?

No, logs are automatically audited, but are not integrated with tenant's security ops. In case the tenant requests for logs, they can share when asked by the clients.

Does the Company run Security Operations Center (or equivalent) which allows to detect and respond to Cyber Security Incidents in a timely manner?

The cyber security incidents are analyzed with network intrusion detection (IDS) tools. It promptly notified the incident response team for immediate counter-actions and defence mechanisms in case of confirmed security incidents. We have a Security incident management process to classify and handle incidents and security breaches. The team is responsible for recording, reporting, tracking, responding, resolving, monitoring, and communicating about the incidents to appropriate parties in a timely manner.

Who has access to Security logs?

Only authorised individuals have access to the security logs. For ex – CTO, Devops Head, Production Head.

How long are security logs maintained by the provider?

At least 180 days.

Support requirement (version updates, future enhancement etc)

Product updates and feature enhancements are done periodically by the application team. These updates are made available to all the customers, by default. The customer need not do anything from their end in order to update the product version in their local server, as the application is hosted on AWS Cloud.

Confirm with CSP which technologies and processes are used to ensure high levels of performance, reliability and availability.

We have deployed our application on Amazon web services (AWS) cloud platform. We are using MySQL, Salt stack, Nodejs and MongoDB technology etc...

How to Authentication / Single Sign On (SSO): products should support the SAML2 standard?

application Integrations - https://www.application.io/integrations?tab=tab-collaborations

Products should support the secure VPN standard.

It's a web and mobile application.

Are all security patches tested before they are deployed? How is this accomplished?

Yes. We test the patches on the testing environment and deploy it on the production upon validation.

Who will have access to our data?

As per the Information security policy and Data protection policy only the authorised individual have an access to the data through internal approving and ticketing system.

I cannot find anywhere in their documentation that they support IP address range restriction for the application Pro API, could we get confirmation for this too?

We do not provide support for IP address range restriction. our restrictions/security are based on our OAuth process and do not restrict to specific IPs.

It seems they support credit card processing for adding funds, what is their PCI DSS compliance exposure and level achieved?"

The payments redirected to Payu gateway or PayPal websites to complete your purchase securely. And, we are also implementing PCI DSS compliance controls and we will provide you the certification as soon as possible.

Is the support for our company’s users’ operation logs available on the admin console? If not, is such support available from the Vendor backend system? If supported, what operations are the audit logs monitoring?( For example, Add/Edit/Delete)

Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is there a service for APIs to push the logs of our company’s administrators' operations on the Vendor platform in real time?

No. We do not have a service. The key admin actions are present on the application reports. Our support team can help in deep dive of a specific incident with the help of audit logs.

Cloud Service Provider shall implement an access control policy which includes on-boarding, off-boarding and changeover between roles of Cloud Service Provider personnel for network devices, management consoles for servers and storage, operating system, databases and applications.

We have implemented the access control policy to make sure that only the authorised individual have an access to the data.

Do you offer an on premise solution? If so describe the system requirements, including OS and database requirements

No.. We are cloud hosted only.

Describe in detail your product's architecture

We will share as attachment

Please describe the typical installation time and resources required for your solution

No installation, We are a out of the box SAAS solution

Describe the key differentiators of your technical architecture

Cloud hosted, microservice based, highly scalable, High Availability

Describe the minimum & recommended system requirements for your solution. Include Operating System, CPU, RAM, Database, Disk Space, etc.

NA - We are cloud hosted

Describe your solution’s networking requirements and capabilities

NA - We are cloud hosted. User need to have internet access

Describe any key technology differentiators (any leading edge technologies?) that set your application apart from your competitor’s application.

Cloud hosted, microservice based, highly scalable, High Availability

How would you service and support Union Pacific as a customer?

We will be provinding training for the admin and the end user and also we provide extensive support through our customer support team

How are security patches rated?

Security patches are rated as Critical, High, Medium and Low.

What are the procedures for configuration management, patch installation and malware prevention for all servers and PCs involved in cloud service delivery?

We have installed end point security in servers and PCs of all our employees as per the compliance requirements.

What are the supported options for communicating data between the UP and the service?

We do not take any data directly. The data will be provided through our platform or application and its hosted on Amazon Web Services (AWS)

Is the data for multiple customers co-mingled in the same database or schema?

No. We use logical data isolation with the help of company specific encryption keys

Which groups of staff (individual contractors and full-time) have access to personal and sensitive data handed to you?

Only our product engineering team members have access as per their job functions and role based logical access. We do not provide access to any third parties and all the devolopment and testing has been done by the internal employees.

Do you have complexity or length requirements for passwords?

Yes. We have complexity or length requirements for passwords

How are passwords hashed?

We store password hashed. We have SHA512 hash with unique salt for every password

How is your application security testing performed? Internal, third parties or both? If so, how often is it tested? Explain your methodology

We have conducted our application security testing with the help of Industry approved third party vendor. We conduct the application testing for every six months. During the testing, if any observations found our team will work on those Audit observations and fix the issues. The primary objective is to identify and eliminate problems that could lead to a breach of confidentiality, availability, or the integrity of Xoxoday data resources and to ensure adequate protection of client data.

How do you limit data exfiltration from production endpoint devices?

We have a multi-layered network architecture with role based access control. All the confidential/PI data are encrypted at rest with a split key mechanism to ensure that every client's key is unique. Additionally we have a intrusion detection/monitoring application that alerts on unauthorized access.

Do you have breach detection sytems and/or anomaly detection with alerting?

Yes

Are the hosts where the service is running uniformly configured?

Yes

Are changes to the production environment reviewed by at least two engineers/operations staff?

Yes. Our production team and QA Team test the new releases or chages made to the existing product.

Are all security events (authentication events, SSH session commands, privilege elevations) in production logged?

Yes

Is the production network segmented in to different zones based on security levels?

Yes

What is the process for making changes to network configuration?

We have Network Access Control and Security Procedure in place and as per this policy network resources must be on need to know basis and authorizations must be obtained from appropriate authorities before providing access. Networks is logically or physically divided based on the criticality of the information stored in the networks

What cryptographic frameworks are used to secure data in transit over public networks?

Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security. We use TLS1.2 encryption for Data in transit

Do you do static code analysis?

Yes. We have static code analysis

How do you ensure code is being developed securely?

We have SDLC Policy as per ISMS requirements and we follow General Coding Practice. For example - We Conduct data validation on a trusted system, All cryptographic functions used to protect secrets from the application user. We also have Implemented least privilege; restrict users to only the functionality, data and system information that is required to perform their tasks

What percentage of your production code is covered by automated tests?

More than 50% our production code is covered by automated tests

Is a staging/pre-production system used to validate build artifacts before promotion to production?

No. We do not use it for building the artifacts.

Which audit trails and logs are kept for systems and applications with access to customer data?

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in long-term cloud storage These infrastructure logs are – 1. Services and Server logs – At the level of virtual machine 2. Audit and Access logs – At the level of AWS

Please give a very brief description of what the system will be for and how it will work

Xoxoday System β€œapplication” will be used, via API with Success Factors to facilitate delivery of e-vouchers to reward recipients appointed by appointed Yorkshire Water management. Limited and minimal employee information within the SAP Reward Portal will be passed via a secure link to Xoxoday to facilitate voucher fulfilment to individual employees

Will the system accept data from another system and if so, what?

The application will accept minimal employee data from Success Factors per the diagrams

Will the system send data to another system and if so, what, how will it be controlled and by whom?

application will only send data to Success Factors

What will be the principle methods of transporting information? Examples include (but are not limited to): HTTP β€œget”; SFTP over SSH; HTTPS; email etc.

We do not take any data directly. The data will be provided through our platform or application and its hosted-on Amazon Web Services (AWS)

Will an asset register be completed to log all assets holding the customer data and who is responsible for updating it?

Yes.

Please outline your planned approach, to security patching of operating systems and applications that form part of the system. Please confirm that critical and important security patches will be up to date.

We update patches periodically. See Patch Management Procedure attached.

Please outline any anti-malware (antivirus, etc.) tools that will be used to protect the system.

We use endpoint security for prevention

Will the application collect, and/or host, any User Generated Content (UGC)? If so – describe the UGC in detail and explain what moderation approach will be applied?

The only user data stored within the system is their personal information - names, emails and contact numbers. This data is not put to any use by Xoxoday and resides within the system. The data can be deleted upon the tenant's request

Will event logging/audit mechanisms be turned on at all times for the system.

Yes

Will logs be regularly reviewed?

Yes. Administrative logs are part of Cloud Dashboard and are regularly reviewed

Will a separate test environment be used? Will this include the use of dummy or live the customer data? If Live Data, how will that data be secured?

Yes. segregation is done for production and non-production environments.

All network components and computers shall be password protected.

All our network components and computers are password protected to make sure that we are compliant with integrity, availability and confidentiality principles of Information Security compliance.

The concept of least privilege should be employed for specific duties to adequately mitigate risk to the customer operations, including, but not limited to: β€’ Configuring critical assets with least privilege for data, commands, file and account access. β€’ Configuring the system services to execute at the lowest privilege level possible for that service and document the configuration. β€’ Documenting the changing or disabling of access to files and functions. β€’ Verifying that baseline permission and security settings are not altered after modifications or upgrades.

We are compliant. We have implemented the password management policy and follow the concept of least privilege should be employed. Only limited number of and approved users have privilege access. All the access will be provided on need and approval basis. We maintain the ticketing system to make sure that appropriate process is followed.

Passwords shall be implemented on sensitive components to prevent unauthorised access and all default accounts and default passwords shall be changed.

We have implemented the password management Policy for maximum security of data.

Passwords shall be changed at an agreed upon interval, taking into consideration any operational impacts.

We are Compliant. The passwoed will be changed every 90 days.

Where technically feasible implement network (e.g. network gateways using traffic inspection to limit the capabilities of users) and/or host-based (e.g. Application Control) technical controls that control remote desktop user access to the sensitive environment and specifically allow only approved users and remote applications.

We have implemented the role based access control system. Only approved users will have an access to the sensitive environment.

Where technically feasible, implement network-based technical controls that monitor communications with external systems and with key internal systems for suspicious traffic. Detection capabilities shall be augmented with correlation (e.g. SIEM) to approved and expected connections and communications.

These are integrated with security operations/SIEM solutions.

Secure log-on procedures shall be in place, taking into consideration following requirements: Β· Warning banners. Β· Protection against brute force. Β· Logging of successful and unsuccessful authentications. Β· Not displaying password being entered. Β· Not transmitting password in clear text. Β· Restricting connection times. Β· Failed attempt lockouts.

We have a secure log on process and compliant with these requirements.

Secure log-off procedures shall be followed, taking into consideration following requirements: Β· Maximum session times. Β· Termination of inactive sessions after defined periods.

We have a secure log off process and compliant with these requirements.

System logging and auditing features are enabled and configured.

Audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions

All supporting systems used to develop or integrate systems shall be appropriately and timely patched.

Patches are updated ontime.

System architecture/interconnection diagrams showing data flows, and physical and logical segmentation shall be reviewed and updated at-least quarterly or based on updates or changes to the environment.

We review Architecture daigrams and Data flow daigrams on a periodical basis. This is also validated during our internal and external independent audits.

The required levels of control for data flows and users (e.g. data flows that are not allowed, that requires control, that requires strict control and that are allowed) shall be identified, documented and implemented for: β€’ Inter-security zones. β€’ Intra-security zones. β€’ Inter-sub-security zones. β€’ Between Levels (Level 0 to Level 4) and identified security zones.

We have a defined data flow and only required data will be stored on our application.

Required segregation, physically and/or logically, shall be implemented ensuring that the identified required levels of control for data flows and users are met. Alternative or compensating security controls shall be implemented where segregation is not technically feasible. Document those cases and their reasons.

we logically segregate the tenant's data, and it is segregated with a client-specific key for proper handling and security reasons.

Compensating controls/countermeasures shall be implemented to mitigate risk associated with the use of protocols that cannot be inspected by network equipment (e.g. by firewalls).

We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network.

When SNMP version 3 is not supported, protective and detective capabilities shall be employed, based on security risk assessment, to mitigate the use of unsecure versions of SNMP.

. We have implemented the firewall and IDS/IPS for detection and prevention of security.

Detective controls shall be implemented, where technically feasible, to increase assurance that the customer systems, assets, business processes, and information are being properly protected. Consider activities such as: β€’ Comparing open ports and other parameters against known good baselines. β€’ Comparing firewall, switch and other network equipment configurations against known good configuration baselines.

. We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network. We have implemented IDS/IPS for detection and prevention of security.

Monitor if network services requirements are implemented as agreed.

We monitor the network.

Based on potential risks (e.g. many personnel involved in operational execution, potential ambiguity, complexity, etc.) supporting procedures shall be developed where appropriate and kept up-to-date to increase assurance that the customer security requirements are consistently met and all operations are performed uniformly and safely.

We are complaint. We make sure that we follow the procedures in place with regards to production or devolopment activities and records has been kept up to date.

Configuration baselines shall be continually monitored to ensure their integrity. Where technically feasible, implement network and/or host based technical controls that monitor for configuration changes. Detection capabilities should be augmented with event correlation (i.e. SIEM) that is used to correlate approved and expected changes (e.g. change management) to networks and components.

. We have implemented the IDS/IPS for detection and prevention of security.We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network.

Unsecured protocols or protocols with known vulnerabilities shall not be used and secure protocols shall be chosen over insecure protocols where available (e.g. using SSH version 2 over Telnet, HTTPS over HTTP, etc.).

We do not use any Unsecured protocols

All critical applications shall be reviewed and tested, after operating system changes or other major changes, to ensure no adverse operational and security impact occurs from changes.

All the crtical application are reviewed and tested before deployement.

Development, test and production environments shall be segregated.

We have a separate test and production environment.

Performance and capacity monitoring, such as system and network utilisation, shall be practiced.

We monitor the systems and network utilization

Ensure that all anti-malicious code protection is up-to-date based on entity-defined maintenance schedules.

We maintain up to date end point security to safeguard from attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content.

Network IDS may be provided where necessary (security risk based) and subject to vendor’s confirmation of proven performance.

We have implemented the file integrity (host) and network intrusion detection (IDS) tools to help facilitate timely detection, investigation.

Documented patch management procedures shall be developed, implemented and maintained to manage any and all software updates, security patches, functional upgrades, operating system patching, etc.

We have implemented the Patch Management Procedure

In the event a patch is not approved for use by the system vendor, a reason and risk mitigating controls for that patch shall be documented. The implementation of compensating controls must follow the Change Management process.

We follow the Change Management process to implement the compensatory control.

In the event a patch cannot be implemented due to current operations, an official exception shall be raised. Where patches are not applied, required risk mitigating controls for that patch shall be documented in the exceptions request. The implementation of compensating controls must follow the Change Management process.

We follow the Change Management process.

All systems, assets and information/data (e.g. applications, operating systems, data (including databases), user configuration information and hardware configuration information) shall be backed up based on a BIA (Business Impact Analysis) which will establish Recovery Point and Recovery Time Objectives (RPO/RTO) for each information asset.

We take automated backup on regular basis.

The asset owner shall identify the components that need to be backed up, their physical and logical protection (e.g. encryption levels) requirements, and what backups need to be tested.

With regards to application all the data backups are done on daily and in a secured way in AWS

A backup shall be taken before and after any major changes to hardware, OS, application or configuration.

We take backup of all the data before making anymajor changes to hardware and softwares

There shall be a detailed backup procedure based on the established RPO and RTO with defined schedule for each site.

we have implemented the Backup Recovery Procedure

Records of the backups shall be maintained at respective Sites outside the backup system.

With regards to application all the data backups are done on daily and in a secured way in AWS

Entities shall be responsible for defining and updating the information/data retention policy and procedure.

We have implemented the Data retension and disposal policy

Performance improvement plans shall be outlined based on successive progression of security controls maturity (continuous improvement) and based on identified nonconformities, and in line with the customer goals and objectives.

We make sure that we follow the indutry best practices, PDCA cycle and standatd in order to safeguard the Information security system.

Service Provider shall have strict patching practice to ensure security patches are applied rapidly.

All the critical patches are applied rapidly

Service Provider shall have solid application security controls such as web-application firewall (WAF), Run time application self-protection security (RASP) to detect and block web-based attacks such as XSS, SQL Injection, and CSRF.

We have web appliction firewall, IDS/IPS,SQL injectoin. We use CloudFlare for the same.

Service Provider should have capabilities to integrate security systems and other type of systems with the customer's Security monitoring solution (SIEM).

We are a multi tenant SAAS system and all our logs will contain data of all customers. We will have our own log monitoring and security analysis.

Does the service have intrusion and security violation monitoring and reporting?

We have implemented network intrusion detection (IDS) tools to help facilitate timely detection, investigation by root cause analysis, and response to incidents

Are there controls in place to prevent administrators and other staff from the Vendor's organisation from downloading customer data to removable storage (USB memory sticks, CD ROM etc)?

Yes. We have the controls in place. We have blocked connecting Hard disk, USB, CD ROM etc to computers and all the devices are centrally managed.

What is the browser compatibility of the service? Are the required browsers sufficiently secure and compatible with "X Company" standard PC build?

No. our product is supported by a comprehensive web application that can be accessed via desktop and mobile browsers on all compatible devices

Are the vendor's change control procedures compliant with ISO 27002?

Yes. Attached the Change management procedures. We are compliant.

Does the vendor have a patch management process for the operating systems and software on their PCs, servers and network infrastructure?

Yes. We do update the pathes periodically for our operating systems, softwares, servers and network infrastructure.

How do you monitor system integrity, logs, intrusion detection, and system access (e.g., checking the logs to verify failed and successful logins, password changes)?

Infrastructure logs are collected using AWS Audit Trail. Application related logs are collected in our Elastic Search server and retained in long term cloud storage

Describe the network protocols used to communicate between components of the system (e.g., HTTPs, LDAP, SSL).

We use HTTPs and our network communication is encrypted with highly restricted protocols to ensure maximum security.

Does the platform support typical Single Sign-On paradigms (e.g., Active Directory)

Yes. It support SSO.

Explain how the system supports single sign-on and an external roles based access control system.

Our partnerships with a wide array of integration partners ensure existing customer based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go.

How resources on the server can be augmented if required ? Any additional charges

Since we are SAAS product and deployed on AWS we have this capabilities.

Can customers control the timing of software upgrades? What support do you provide during the upgrade process?

Xoxoday's architecture goes through constant upliftment and experiences no downtime during upgrades and maintenance windows.

Mobile Device Availability? (Android & IOS)

Its accessible in a mobile browser and can be accessed via an Android or an iOS device

Tablet Device Availability? (Android & IOS)

Our applications are compatible with desktops, tablets and Mobiles, No additional components are required.

Browser compatibility? (MS Edge, Chrome, Safari, IE)

Our applications are compatible with desktops, tablets and Mobiles, No additional components are required.

Technology Stack? (Infrastructure / Frontend / Backend / Database)

AWS/Kuberntes-React-Node/GraphQL-MYSQL/Mongodb

How often is the platform scheduled for software patches and updates?

The process for upgrades is automated using Continuous Integration and Deployment. We try our best to make sure that upgrades have minimal to no impact on the end-users. Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users. We try to release our product hotfixes once every week & major features once every month.

What processes does the vendor have to detect and prevent viruses and other malicious software from damaging the service and the customer's data?

We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory

Does the service have intrusion and security violation monitoring and reporting?

We have implemented network intrusion detection (IDS) tools to help facilitate timely detection, investigation by root cause analysis, and response to incidents

Does the vendor have a patch management process for the operating systems and software on their PCs, servers and network infrastructure?

Yes. We do update the patches regularly for our operating systems, softwares, servers and network infrastructure.

How do you monitor system integrity, logs, intrusion detection, and system access (e.g., checking the logs to verify failed and successful logins, password changes)?

Infrastructure logs are collected using AWS Audit Trail. Application related logs are collected in our Elastic Search server and retained in long term cloud storage

Describe the network protocols used to communicate between components of the system (e.g., HTTPs, LDAP, SSL).

We use HTTPs and our network communication is encrypted with highly restricted protocols to ensure maximum security.

How is data loss prevented and how is high availability ensured? What are typical measures such as MTBF (failure time) or MTTR (recovery time)?

our web application, email records, and end-points are sealed with data loss prevention techniques. We have the capability to do it immediately.

Where is the primary data center? Back-up data center?

We have deployed our application on AWS Cloud virtual platform so they only provide the services with regards to backup data center. Its in Singapore.

Describe the network topology.

The data centers are hosted completely in isolation so that the access is limited and controlled. Load balancer allows shifting incremental load and can auto scale based on data load experienced by application. Each instance (EC2 Instance) under fortified VPC network is further conglomeration of Docker Container Web Services and APIs and application layer running on top of it. This helps in managing various aspects and features of application without affecting the functioning of each other and achieving a modular architecture to work as plug and play model. Amazon Cloud Watch is implemented to enable monitoring of the functioning of the application. The data is encrypted using 256-encryption based SSL certificate. To manage security of data Xoxoday plans a quarterly VAPT based security audit of application.

What type of DR options do your provide for my data within your offering?

We have implemented policies and procedure with regards to DR. Since we have deployed our application on AWS cloud they only provide DR Services.

Describe your network configuration. Has your IT vendor provided information regarding how your sensitive data system(s) is protected?

application by Xoxoday, the RnR platform is a cloud-based SaaS platform hosted on VPC infrastructure of AWS. The data centers are hosted completely in isolation so that the access is limited and controlled. The architecture of the solution allows adding more location specific data centers for latency and data security. Load balancer allows shifting incremental load and can auto scale based on data load experienced by application. Each instance (EC2 Instance) under fortified VPC network is further conglomeration of Docker Container Web Services and APIs and application layer running on top of it. This helps in managing various aspects and features of application without affecting the functioning of each other and achieving a modular architecture to work as plug and play model. Amazon Cloud Watch is implemented to enable monitoring of the functioning of the application. We have encrypted the data while in transit and at rest. We use TLS1.3 encryption for Data at transit and AES256 Data at rest for maximum security.

Are systems and networks that host, process and or transfer sensitive information β€˜protected’ (isolated or separated) from other systems and or networks?

Yes, the data is logically segregated with a client-specific key for proper handling and representation.

Are internal and external networks separated by firewalls with access policies and rules?

Yes. With multiple layered firewalls configured with deny-all mode allowing only specific rules which are required for business, network traffic is regulated. We have implemented intrusion detection and prevention system tools to help facilitate timely detection, investigation. It alerts us us through emails and we continuously monitor and take necessary actions on time to time basis.

Is there a standard approach for protecting network devices to prevent unauthorised access/ network related attacks and data-theft?i.e. Firewall between public and private networks, internal VLAN, firewall separation, separate WLAN network, and/or secure portal, multi-tenancy, virtualization, shared storage etc.

With multiple layered firewalls configured with deny-all mode allowing only specific rules which are required for business, network traffic is regulated. We have tools that analyze various traffic patterns and correlate network events. We have configured early warning signals that trigger alerts to our team based on event patterns and strict thresholds. We are equipped to detect and mitigate Threats, DDOS attacks, session hijack, login spoofs or any other data extraction strategies. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory.

Is sensitive information transferred to external recipients?If so, are controls in place to protect sensitive information when transferred (e.g. with encryption)? i.e. Secure VPN connection with third parties, and/or IT vendors or email encryption

We do not transfer any data externally. However, we have implemented the encryption, VPN, Firewall, IDS/IPS, monitoring system etc..

Are third party connections to your network monitored and reviewed to confirm only authorized access and appropriate usage?i.e. VPN logs, server Event Logs, system, application and data access logging, automated alerts, regular review of logs or reports.

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed.

Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)?i.e. Role-based permissions, limited access based on specific responsibilities, network access request form?

Access to data and systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access events. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles of need to know basis and support segregation of duties. Privileges relating to Administration of user access privileges and role configurations are different from the authorized approver that approves access requests. The approvers are either the Product Heads or respective function Heads are their authorized delegates.

Any host-based IPS for critical systems? Any next generation firewall, IPS and web application firewall? Any web security gateway? To provide layered defense.

Yes. As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers like URLs accessed or other client properties to automatically blacklist possible threats either temporarily or permanently

Are systems and networks monitored for security events?If so, please describe this monitoring. i.e. server and networking equipment logs monitored regularly. Servers, routers, switches, wireless AP's

We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. logs/alerts are monitored - We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Do procedures exist to protect documents, computer media (e.g., tapes, disks, CD-ROMs, etc.), from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.?i.e. Data at Rest - Is data encrypted on the server? Backups? Mobile devices? SD Cards?

We have disabled all the ports and users does not have access to USB,CD-ROM, Disks, tapes, Hard drives etc.. All the data including backup has been encrypted. We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security.

Are there security procedures for the decommissioning (replacement) of IT equipment and IT storage devices which contain or process sensitive information?i.e. use of secure wiping

All our customer data including backup data is stored on AWS virtual platform cloud and does not store anything locally. We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. We also have implemented the Media handling procedure and attached the same.

Are development, test and production environments separated from operational IT environments to protect production (actively used) applications from inadvertent changes or disruption?

Yes. We have logically and physically segregate production and non-production environments. And we do not use any customer data in production environment.

Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability (e.g., Virus or Spyware) patching activities?i.e. Changes to the system? Changes to the workstations and servers? Appropriate testing, notification, and approval?

Yes. We have implemented the change management procedures and this applies to all Xoxoday assets, infrastructure, processes, software, third party activities etc. The procedure also applies to employees, vendors, and all other individuals who has access to, or is responsible for Xoxoday information processing facilities. This procedure applies to all parties operating within the Xoxoday’s network environment or utilising Information Resources. Attached the Change management procedures.

Any product pre-release security threat modeling, secure coding practice, security architecture review and penetration testing?

Yes, our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase. Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a Vulnerability assessment and penetration testing.

Any centralized crypto materials and key management infrastructure and program in place to manage centralized key mgmt.?Any PKI (HSM-based or not?) to issue certs needed for products and cloud service infrastructure?

We use a split key mechanism to ensure that every client's key is unique. 1. We perform annual key rotation. 2. Keys are generated using KMS service whenever needed. 3. We store keys in KMS.

Describe your SSO and Federated Identity Enablement integration options. E.g. Support for Standards like SAML v2 and OAuth 2.0 Describe your web services and data import / export options. Providing supporting documentation as required.

our partnerships with a wide array of integration partners ensure existing customer based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution would be plugged in and ready to go. our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with airtight security protocol. Please click here to know more about integreation - xoxoday.com/integrations

If hosted on public cloud ( Amazon , Google , Azure etc ) - security configurations are aligned with public cloud vendor security requirements?

We have deployed our application on AWS Virtual platform cloud. We use Web application firewall, IDs/IDs, AWS Audit trail, Amazon guard duty etc..

How are the encryption keys used secured and protected from unauthorized access ?

Each tenant data is uniquely encrypted using client specific key. We use AES 256 bit encryption for data at rest to ensure maximum security measures. our network communication is encrypted with highly restricted protocols to ensure maximum security. the cryptographic keys, including data encryption and SSL certificates are managed by Xoxoday for optimal security of sensitive data. The passwords are also stored after encryption for maximum security of data.

Does WAF is implemented to protect from application attackes?

Yes. We have implemented the Web Application Firewall (WAF)

Does Production environment is segregated from Non-Prod (UAT, Test, DEV etc.) environment? Share supporting evidence

Yes. The production environment is segregated from Non-Production environment. Attached the evidence.

what backup and disaster recovery plans are in place to avoid data loss / service loss in the time of contingency

We have Business Continuity Policy and Business Continuity Management Procedure in place and tested periodically. And also, our Policies has been reviewed and Audited annually. Attached the Business continuity policy, plan and procedures. We have test the BCP every 12 months and this has been reviewed as a part of Internal and external Audits.

Have you applied data backup mechanism ? If yes what is the frequency of backup ?

Yes. Data backups are done on daily basis in a secured way in AWS

Is your backup mechanism tested at least annually ?

Yes, Its tested annually.

All backup data should be encrypted and shall be adequately protect against unauthorized access.

Yes. All the data backup is encrypted.

Are you able to restore a user data upon loss through disk recovery mechanisms or stored backups?

Yes. It can be recovered

Do you have a SIEM for monitoring and maintaining logs over security incidents from various components (e.g. IDS, IPS, firewall logs )?

Yes. We have a SIEM in pance for monitoring and maintaining logs over security incidents from various components.

IS logging enabled for all components, such as, network devices, servers, DBs, IAM, Cloud Services and etc.?

Yes, Only authorised individual have access.

What is the log retention policy? Who has access to logs in your organization? Make sure nobody has modification access to log servers.

We maintain the logs for atleast 180 days. And only CTO and Production head will have access to these logs. There will be no modification to these logs.

Vendor shall immediately inform the customer about any security incident.

Yes. We inform the client about any security incidents.

Do you have any monitoring tool in place to get timely alerts on when device is going down, restarted and resources are over utilized?

we have an intrusion detection/monitoring application that alerts on unauthorized access. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails.

what kind of identity and access management services are provided by cloud : 1- Independent IDM Stack - all information related to user account is managed by SAAS vendor 2: Using credentials provided by enterprise - user account creation done at tenant within the enterprise boundary used by SAAS vendor to provide Sign On services 3: Federated IDM : User account details are managed by enterprise /tenant.SAAS vendor uses federated idnetity details on demand basis to allow sign on and access control

Share the User ID life cycle process, from creation till termination of an user ID / account.

Does MFA is applied while accessing cloud environment / applications remotely (VPN, VDI)?

Yes.

What are the controls in place to detect any unauthorized change to cloud infrastructure and application?

We have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.

Please share the logical diagram with DR in place

Attached the application Network architecture diagram.

Do you possess ISO 22301 for Business Continuity?

We have implemented the Business continuity management policy and test the BCM plan annually. Attached the BCM policy

If your customer later find & reports security hole/issue in the solution, will you provide the patch/fix at no cost? Please give example.

Yes, we fix the issues found at no cost. we understand that consumer data protection is a high priority & extremely significant responsibility that requires constant monitoring. We have implemented Bug Bounty Program and encourage the reporting of security issues. If any outsiders and customers report any kind of security related issues we fix thos3e issues free of cost.

Does solution provide full audit trail at both Database and Application/Operating System of the following event: Transactions, Master File, Parameters, Access Control, Batch Transactions? (overide special pricing, waiving activites)

We maintain System logs and Audit trial centrally. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long-term cloud storage

Does System level audit trail capture the following information: events, policy changes, obejct accesses, special privilege used, start up and shutdown, events of account logon, data accessed (at file, row, column, or field levels), record/report printed and before and after image of modified records?

Yes. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server.

Does User Level audit trail capture access right and security related information (user id, transaction id & name, date and time, ip address, workstation id, entries generated, updated deleted, document/file generated/accessed, and user activities)

Yes. All user activities are logged in audit trail

Can the system provide the alert function (e.g. email, pager, cell phone) to the auditor if detected any violation of security policy (e.g. brute force logon attempt)?

Yes. We have implemented IDS/IPS, Firewall and our security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails.

Has the system has been independently evaluated to attest its secureness of both hardware and software? Please provide information!

Its SAAS Solution. We conduct periodical Vulnerability assessment and Penetration testing and fix the issues as per the compliance requirements. We also conduct Internal and external Audit for evaluating the security and privacy controls implemented.

Do all transaction screens display the following system information:and is access to the user transaction file system tracked and stored in a read only encrypted audit file with differential privileges (functional id and name, processing date, current time, current user, authorizing user)

We do not collect and store any Cardholder data through our application. But while doing the transaction through payment gateways all the screens display the name, date, time etc. And all the data will be encrypted.

If someone have an access to the system database and is comitting a valid transaction NOT from the system pages (E.g. TOAD, Query Analyzer), is the transaction just comitted would also be logged in Audit Trail?

Yes. Everything will be logged in Audit trial

Does your solution follow any particular internationally accepted best practices or standards for password management?

Yes. Our password setting requirements comply with all factors to ensure that strong passwords are created. Passwords should be of a minimum length and contain special characters, capitalized letters, and alpha-numeric combinations. The passwords are stored after encryption for maximum security of data.

Does the solution force the new user to change the password for their first logon and on expiry?

Yes

Can passwords may be changed by the user at anytime?

Yes

Can the solution alert the security administrator to delete a UserID if that UserID has not been used for predefined days?

The solution does not allow to login by using the the credentials which are not used . And Admin can create and delete the users accounts.

Can users/customers be prevented from login into multiple terminals simultaneously ? Will such attempts be logged and alerted ?

Its SAAS Solution. We can login in multiple location.

Is the solution partitioned into security domains so that a failure in one domain does not jeopardize the security of the others?

We have implemented the Business continuity policy and our product have a capacity of the maximum availability.

Can the security module be integrated with Middleware to provide the security services? If yes, describe the mechanism?

Its SAAS Product and implemented the security controls to provide secure services and make sure that the customer data is protected.

Does your solution provide multiple algorithms (i.e.: Triple DES, SHA1, 1024 bit CSR, W3C, etc) algorithms (provided by security module)?

We have deployed our application on Amazon web services (AWS) cloud platform. We are using MySQL, Salt stack, Nodejs and MongoDB technology. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest.

Does the solution have other options of logon inputs besides user ID and password ?

No. Need to login with user ID and password. But we have integrated with other solutions like Zoho CRM, HubSpot, Darwin box, SurveyMonkey, Freshdesk etc

Does your system support dynamic key for encryption? How to store the key?

We use logical data isolation with the help of company specific encryption keys.

CLOUD SERVICE PROVIDER (CSP) must ensure CLIENT that its infrastructure is always using up to dates system by implementing any new tested firmware, patches and service packs available In multi-tenancy cloud environment.

Yes. All the Critical patches will be deployed immediately. We ensure that its infrastructure is always using up to date.

In multi-tenancy cloud environment, CLOUD SERVICE PROVIDER (CSP) and CLIENT must ensure the CLIENT environment is segregated from other tenants’ environment.

We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data

CLOUD SERVICE PROVIDER (CSP) must be able to ensure any data and/or system disposal in case of service termination and in case of data and/or system end of life.

Yes, as per our policies and procedures - we make sure that there will be secure disposal and removal of data from every storage media. By this, it rests assured that the data can't be recovered by any computer forensic means. We assure secure data disposal when storage is decommissioned or when the contract comes to an end

How is data being collected (Manual/Online)? Is this application/ service accessible over Internet?

Online - Through application application

What logging and monitoring capabilities are in place to detect unauthorised access to data or hacking attempts?

We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory We have implemented intrusion detection tools, we ensure timely detection and investigation in a prompt manner. File integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation. We also have Endpoint security software for all the computers for Protection from exploits, malicious web downloads and softwares, Application and device control etc.

Are independent IT security testing programs, assurance, audit and/or assessments performed? How frequently?

We perform Internal Audit and external Audits annually. We also conduct Security assessments and testing like Vulnerability assessment and Penetration testing every six months. Yes. We communicate these assessment results to clients on a yearly basis.

Please provide: A solution IT architecture diagram

See application architecture diagram attached

What are the digital infrastructure secure configuration, vulnerability management and patch management policies, procedures and processes?

See below policies attached - Infrastructure Change Control Procedure Patch Management Procedure Information System Acquisition Development and Maintenance Procedure SDLC Procedure Threat and Vulnerability Management

Do you undertake regular website security testing?

Yes. We do conduct regular website security testing

Do you have a web application security firewall?

Yes. We do have Web Application Firewall (WAF),

How are endpoint devices that are connected to the corporate network managed and secured?

Yes. We have all the required security controls in place for protecting Endpoints. For ex - VPN, FIrewall, IDS/IPS, Anti Virus softwares, Audit log monitoring, Active directory etc We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory

What is the schedule for access management logging, monitoring and reporting? Are remote users of IT systems required to use 2FA (two factor authentication)?

logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails Yes. Remote users of IT systems required to use 2FA

What logging and monitoring capabilities are in place to detect unauthorised access to data or hacking attempts?

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails

What is the process for upgrades? How often are new versions released? And what requirement does the service provider have for upgrades by Nova?

The process for upgrades is automated using Continuous Integration and Deployment. We try our best to make sure that upgrades have minimal to no impact on the end-users. Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users. We try to release our product hotfixes once every week & major features once every month.

Please provide a high-level diagram of your Continuous Integration and Continuous development/deployment (CI/CD) pipeline.

See application high-level diagram of CI/CD attached

What SLA’s apply to the product/service?

The time of support ranges between two to forty-eight hours. This depends on the level of service and the gravity of incidents.

What support methods are available?

We have an Email Support and application help center for helping users.

Is there an individual or group with responsibility for security within the organization?

Yes. We have an Information security team and group of people with responsibility for security within the organization.

Does your internal security group carries audit on your Information Security Management System? (If so, please provide the last audit date in the comment box)

Yes. We conduct Audit on our Information Security Management System. The last Audit date was 16th June 2021

Are security patches regularly reviewed and applied to network and security devices as appropriate? If yes please explain and share evidence?

Security patches are regularly monitored and applied to the network security devices to ensure the network configuration is up to date and patches are rolled out on the network in a controlled and secure manner. All the Critical patches will be deployed immediately. Attached the Patch Management Procedure.

Please provide the complete data flow diagram and the network architecture diagram for the proposed setup

Attached the data flow diagram and the network architecture diagram

Static application security test report

Application has be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) we ensure the same as part of our code review, static code analysis and Web Application Firewall.

Do you have a managed process for approving new 3rd Party Libraries?

This is part of the code review process wherein the reviewer checks the utility and security of the 3rd party library.

Please describe your Key Management controls including: β€’ key rotation β€’ key generation β€’ key storage.

We use a split key mechanism to ensure that every client's key is unique. We perform annual key rotation. Keys are generated using KMS service whenever needed. We store keys in KMS.

Authentication mechanisms must not allow passwords to be sent in clear text, using a minimum of protocol of TLS 1.2, and an encryption algorithm and strength of AES-256.

Password can be reset by the employees. We do not send the password in a plain text. We have encrypted the data while in transit and at rest. we use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security.

Passwords must be Hashed while stored using a salted non-reversible hash.

We store password hashed. We have SHA512 hash with unique salt for every password.

Applications must be designed in such a way that it captures evidence of any action taken by the user to protect itself (from any individual or process acting on behalf of an individual) from denying authenticity of the actvity (including any transaction, signature on a document or a message, etc). All actions performed on sensitive data must audited & logged. Applications must be designed to log all actions performed on sensitive data must audited & logged.

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed.

The hosted applications’s architecture must be configured in such a way that data stores (e.g., databases or file storage systems) containing confidential or regulated information are logically located in a secure network segment that is separated from application servers, web servers, workstations, the Internet, and other systems by a firewall and/or restrictive the customers.

Yes, we logically segregate the tenant's data and the application.

The hosted web applications’s architecture is to be deployed and configured with a web application firewall to protect the application.

Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks.

All Network Security Groups (NSGs) must be requested and approved by EIS - Information Security Architecture and deployed by PSJH Cloud Operations/ Cloud Engineering. NSGs that are created by Cloud Operations/ Cloud Engineering must not be altered by Subscription owner/ Subscription contributors.

We have implemented the WAF. As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks

Any user-defined routes must be approved by PSJH Cloud Engineering and Information Security Architecture. (Note: Azure often requires routing when clustering services, and these routes need to be coordinated with and approved by PSJH Cloud Engineering and PSJH Security Architecture)

application Admins will have complete controls to manage the user access.

Private endpoints should be configured wherever available, if not, PaaS firewall to be enabled and the firewall rules configured and approved by PSJH Cloud Engineering and PSJH Security Architecture.

We have implemented the WAF. As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. We also have implemented the End point security in all the employees computer for maximum security.

Ensure only the minimum necessary product/ application functions are enabled and deployed. Disable or remove (physically/ virtaully) un-necessary ports, protocols or connection of input/output devices on information systems or information system components.

application platform has been designed for employees rewards and recognition. The application features can be used by the admins as per the requirements.

Remove or disable functions that allow bypass of security controls prior to staging or releasing systems into production.

At Xoxoday we have disabled functions that allow bypass of security controls prior to staging or releasing systems into production. All the changes to the environment will take place as per the change management policy and upon approval of the CTO. Attached the change management policy.

Applications to accept specific and defined HTTP methods only (GET, POST, PUT, DELETE)

It supports https.

Must Configure applications to prevent sensitive information leakage, such as system details & sensitive data.

We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. Additionally we use Cloudflare Web application firewall (WAF), AWS Guard Duty threat detection service, Amazon CloudWatch, IDS/IPS etc.. for maximum security of data.

Log events based on the type, sensitivity & criticality of the data the application handles and the high-value transactions it processes.

We maintain the logs and monitor it on regular basis for security reasons.

Periodically review logs and audit security events for all system components to identify anomalies or suspicious activity, including account creation, modification, enabling, disabling, and removal actions.

We are compliant with this requiremernt. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Retain audit logs in accordance with retention requirements: 90 days for non-PHI/regulated activities and one year for PHI related activities or longer if mandated by compliance team.

We retain the logs for a minimum of 180 days and in accordance with the Company’s records retention guidelines. We do not process any e-PHI

The application does not permit duplicate concurrent user sessions, originating from same/ different machines, for the same user.

Since its SaaS platform the users can login only with the help of valid credentials.

Configure systems and applications to protect against any malicious files uploaded via upload features/optionsI Protect system from trusting inputs (code from user or integrated or dependent systems), which may contain malicious code. If deemed necessary (reviewed by EIS Architecture Team), those fucntioality shall be sandboxed, executed in an isolated environement, analyzed for its impact to Providence, then brought into Providence's network.

The application comes within built threat prevention with the help of firewall

Applications must never disclose private IP addresses and routing information to unauthorized parties, review must be conducted on cases where it need to be disclosed within providence.

application is SaaS platform and as part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers.

Roles are to be assigned to manage updates on third Party applications (non-OS applications such as Adobe Acrobat, web browsers, etc.)

The process for upgrades is automated using Continuous Integration and Deployment. Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users.

The solution is to be deployed and operationalized in a configuration where the application and data storage components (e.g., databases or file storage systems) will reside and operate on separate physical or virtual servers.

Compliant. We have deployed our application and database operates on a seperate servers.

Data stores (e.g., databases or file storage systems) containing confidential or regulated information must be logically located in a secure network segment that is separated (by a firewall or restrictive the customers) from application servers, workstations, and other system components. The information system maintains a separate execution domain for each executing process. The information system implements underlying hardware separation mechanisms to facilitate process separation.

We have deployed our application and database operates on a seperate servers. application is SaaS platform and as part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers.

Develop applications based on secure coding guidelines.

Compliant. We have devoloped the application based on secure coding guidelines and we also coduct the code review as per the compliance requirements.

Implement controls to obfuscate application code prior to compilation.

Compliant.

Production data must not be used on non-production environments. Exceptional cases must be reviewed with EIS & IRSA on case to case basis.

We do not use Production data on non-production environments

Configure REST/Web services to explicitly validate content types.

Since application is a SaaS Platform this would be not applicable.

Configures web services in accordance with OWASP.

Compliant. Yes, we follow all the technical guidelines for development of our code and applications that come under the Open Web Application Security Project.

Configure web services to prevent sensitive information leakage in response headers.

Compliant. We have implemented the DLP techniques and there are no possibilities of data leakage or loss.

Configure web services to use secure HTTP headers.

Compliant. application uses https.

Implement strict HTTP transport security headers to protect websites against protocol downgrade attacks and cookie hijacking.

Compliant. we use strict HTTP transport security.

Impose file upload frequency restrictions in applications to prevent abuse or attack.

We cannot Impose file upload frequency restrictions. But application has technical and organizational measures to prevent attacks through WAF, log monitoring, AWS Guard Duty threat detection service, Amazon CloudWatch, IDS/IPS etc..

All application created sessions, windows, forms, pages, and pop-ups that display highly confidential and/or confidential information must be terminated or closed after the user logs out, when the session timeout threshold is reached, or upon abrupt application termination.

Once the user logged out from the application all the pages, forms pop-ups will get closed.

Implement controls to log TLS connection failures.

We maintain the logs and monitor it on regular basis for security reasons.

Implement processes to measure the availability, quality, and adequate capacity of resources to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations.

Compliant. we have resources to meet these requirements.

Establish a dedicated patch management process for components.

Critical patches will be deployed immediately High patches will get deployed within 5 days Medium Patches will get deployed within 15 day Low will get deployed in 25 days. Attached the Patch Management Procedure

Test patches and updates prior to deploying software in production environments.

Yes. We test the patches before deploying in production environment.

Is your solution available in a seemless manner to access either as an app on different mobile devices and as web app on different desktop devices with wider browser support? Describe shortly.

Yes. The solution is available as part of SAP SuccessFactors solution on web, as well as SuccessFactors native mobile app for both iOs and Android.

Does your service include Standard Reporting & Analytics Functionalities?

"Two standard reports are available for the admins on Success Factors at the program level - Budget and Spot Award Nomination. Further using People Analytics (Embedded Edition) customers can create their own reports and dashboards where they can combine Spot Awards data from Recognition with data from across SuccessFactors such as Gender, Cost Center, Business Unit etc. from Employee Profile." Admins can also access similar data via a Xoxoday logon.

Can your service, via standard or custom interfaces/APIs, integrate with third party analytics? Please provide your standard API documentation.

Yes, customers can extract the data from SuccessFactors via Integration Center and integrate it with other third parties

Please describe user provisioning, on-boarding and off-boarding of end users to the platform.

User provisioning for SAP SuccessFactors - Reward and Recognition is handled the same way as rest of SuccessFactors. For the employees redeeming the points via Xoxoday, user provisioning is done on the fly at the time of redeeming the awards.

Do you support a Pub Sub architecture model for data transfer?

Somewhat, we do have Spot Award Approved event available via Intelligent Service Center on Success Factors which customers can use to build custom extensions.

Does your solution support modern authentication methods e.g. SAML and Oauth/OIDC against Azure AD?

Yes the application have robust authentication methods. We are integrated SAML 2.0 with SAP SuccessFactors, we also support OAuth 2.0, Azure AD for seamless authentication.

Estimate implementation duration from project start to go live in first market based on your best experience

Approximately 2 weeks

The solution should have a well defined data model - What standard documentation (i.e. standard data model) will be provided and how can the customer users access it?

What are the various modes of data transfer (give indicative e.g. like SFTP,ITL drive etc.) between Infosys and your(Vendor) environment?

We do not have any automated data transfer. The data is uploaded manually on the application portal.

Is two-factor authentication enabled for end users and Administrators that have access to Infosys data? If yes, provide details of the same and if not, please list down the compensating controls implemented to manage the resulting risk

Yes. Is two-factor authentication enabled for end users and Administrators. MFA devices like Google Authenticator etc for getitng the OTP/Codes/Passwords

How is Segregation of Duties (SoD) or role differentiation implemented for various user access roles that have access to Infosys data (e.g. Systems Admin,Security Admin, User etc.)?

We have procedure for Roles, Responsibilities & Authorities at Xoxoday. As per the access control policy we provice access of the data only authorized and right individual.

Detail out the the organization password policy. Further, What is the process in place for creating and sharing user IDs & passwords for users that handle Infosys data?

We have password management policy Must contain at least 8 characters Must contain both numbers and letters English uppercase characters (A-Z) English lowercase characters (a-z) Base 10 digits (0-9) Non-alphabetic characters (for example, !, $, #, %) Password should be changed every 90 days The password will be shared throgh secure mode and encrypted.

Provide a detailed summary of all the system components involved to provide services to Infosys

Our applications are compatible with desktops, tablets and Mobiles. No additional components are required.

What security controls are implemented to prevent leakage of Infosys data stored/processed at your network (both hard copies and electronic copies)? (e.g. DLP, SIEM, AV, Hardening, Patch Management etc.)

We are regularly hardening, patch management and following SIEM practices.

Detail Out the process implemented for security event logging and monitoring (including details of applicable correlation rules.). Further, detail out the log retention period and protection mechanisms in place to prevent log tampering

Yes, our event management systems merge the data sources to maintain a log data within the SIEM. This helps in proper analysis and driving out alerts if need be in case of contingency.

How is it ensured that servers hosting Infosys application are hardened as per the Industry hardening standard? Elaborate the process.

We regularly update our infrastructure and underlying stack as per industry norms and best practices.

Is there a process in place for tracking patch compliance in terms of patches successfully applied, unapplied patch ratio and latency in rollout of patches against pre-defined threshold values? Outline the process.

We regularly update our instance and make sure that we follow the security best practices. There is a process in place for regularly updating the servers and in this process we monitor for latest updates to our softwares across the entire stack.

Detail Out the mechanism for Antivirus installation, monitoring & signature updates of infrastructure with regards to the service being provided to Infosys?

We are using Linux operating systems and following the security Best practices And, we are monitoring using technical stack known as Prometheus/Grafana.

Are incident reporting obligations passed on to all 3rd parties who are subcontracted by you? (If so please detail who reviews any applicable contracts)

Yes. incident reporting obligations passed on to all 3rd parties as well All the contracts and agreements has reviewed by the Legal Department.

Is application deployed behind the firewall and IDS/IPS?

We use Cloudflare Web Application Firewall (WAF) and IDS/IPS for maximum security.

Is the application developed on latest language framework?

We are using latest language framework like MySQL, Javascript, Node.js and MongoDB technology etc.

Is the application developed using secure libraries?

The application developed using secure libraries. And these approved during the code review process wherein the reviewer checks the utility and security of these libraries.

Is application development follow secure coding standards i.e. OWASP

Yes, our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase. Multiple security checks including code reviews, web vulnerability reviews, and advanced security tests are performed in every build

Is the code reviewed by peer or externally?

Is the application server and database server are separate?

The application and database server are separate.

Is the patches are updated as per defined policy and regularly for application and database servers?

Critical patches will be deployed immediately High patches will get deployed within 5 days Medium Patches will get deployed within 15 day Low will get deployed in 25 days.

Is the data flow is defined and documented for the application?

The data flow is defined and docuemented for the application application.

Is security audit logs and alerts are configured for Code repository?

We maintain syslog/audit trails centrally. The audit logs and alerts are configured.

Is the new client environment get set up on dedicated hardware, or do multiple tenants exist? If the latter, how does the provider control / restrict access for multiple environment?

Since it’s a SaaS product multiple tenants system exist. we logically segregate the tenant's data and the application. And it is segregated with a client-specific key for proper handling and security reasons.

What application security measures are used in the production environment (e.g., application-level firewall, database logging/auditing, etc.)?

We have implemented IDS/IPS, Web application Firewall and our security information and event management (SIEM) system merge data sources like app logs, firewall logs, IDS logs etc.. for granular analysis and alerting Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long-term cloud storage for security reasons.

Does the provider retain rights to the customer data even if data is removed from the provider?

Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Will the service/solution require integration with other the customer solutions/data, either on-premise or in the cloud? Can be possible

We have an option to integrate with SSO and HRMS. For more info, please visit the link - https://www.application.io/integrations

What alerts can be set in the system?

At Xoxoday below information is recorded within audit logs – 1. Infrastructure logs are collected using AWS Audit Trail 2.Application related logs are collected in our Elastic Search server and retained in long term cloud storage.

Is any prerequisite recommended to use or access the solution\services effectively (e.g., Bandwidth, OS, Browser, application, devices etc. etc.)

No recommendations as such. application is SaaS product and it’s supported by a comprehensive web application that can be accessed via desktop and mobile browsers on all compatible devices. application application is also available on Android and iOS.

Last updated