Cloud Security

QuestionsAnswers

Is your infrastructure in the cloud, SDDC, co-location, or on-premise? Please state provider name, unless it is on-prem.

We have deployed our application on AWS Virtual platform cloud - Singapore and USA region.

Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA T`rusted Cloud Architectural Standard, FedRAMP, CAESARS)?

Data Security Architecture designed using an industry standard and best practices. We are adhered to CSA, ISO 27001, SOC 2 TSP. We have deployed our application on AWS Virtual platform cloud - Singapore region. The cloud infrastructure providers have high levels of physical and network security and hosting provider vendor diversity.

Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?

All our customer data is stored on AWS Virtual platform cloud. And we collect the data only throguh our application platform. We do not store any customers data locally.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

File integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation.

Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?

AWS CloudTrail helps to detect changes to the build/configuration of the virtual machine

Does your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to customers?

Our solution is using state of the art Cloud Native infrastructure technologies along with microservices architecture allows us to scale our operations as per the demands.

Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

We use Web application firewall (WAF) and pfSense firewall for security reasons. 1. The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on the set of rules. 2. pfSense helps to monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules

Have you implemented the necessary measures for the appropriate isolation and segmentation of customers' access to infrastructure system and network components?

We isolate our machines, network and storage with respect to the AWS Standards in order to keep it safe and secure.

Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?

We use Web application firewall (WAF) and pfSense firewall for security reasons.

Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers like URLs accessed or other client properties to automatically blacklist possible threats either temporarily or permanently.

Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?

Yes. We monitor the compliance programs of AWS As we have stored the data on their cloud.

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

No. Currently, all the data is stored on AWS VPC - Singapore region.

Can you provide the physical location/geography of storage of a customer’s data upon request?

Yes, we inform the customer on the data storage location.

Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your customers?

We are CSA STAR Level 1 compliant. Please click here to know more - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday

Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to incorporate security requirements into your Systems/Software Development Lifecycle (SDLC)?

We use OWASP Software Assurance Maturity Model

What services are contracted for appropriate disposal of hardware? Please provide a sample certificate of physical destruction?

Since we have deployed our application on AWS Cloud its not applicable for us.

What services are contracted for appropriate disposal of paper documents? Please provide a sample certificate of physical destruction?

Since we have deployed our application on AWS Cloud its not applicable for us. We provide certifite of destruction of data once the data is purged/deleted from all the places upon request from the customer.

Is physical access to data processing equipment (servers and network equipment) restricted?

We have deployed our product on AWS Cloud virtual platform. AWS provides physical security to the data center as a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organisation?

We have implemented IDS/IPS to facilitate timely detection, investigation by root cause analysis and response to incidents

Are computer systems (servers) backed up according to a regular schedule?

Data backups are done on daily basis and in a secured way on AWS

Does the organisation replicate data in another region

Data backups are done on daily basis and in a secured way on AWS - Singapore

Are the backup tested for restoration?

Data backups are done on daily basis and in a secured way on AWS. This has been tested on regular basis.

Are default hardened base virtual images applied to virtualized operating systems?

Applies to all.

In case any the customer information is stored on vendor corporate network/systems, is there access available to employees using remote access?

We have deployed our application on AWS cloud virtual platform and the data is stored on it. Only approved users will have an access and We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory.

Are necessary tools utilised to monitor environmental protection systems and alert personnel in the event of warnings or failures?

We have deployed our application on AWS cloud virtual platform. AWS provides physical security to the data center and it’s a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

Is the vendor facility / critical servers related to the customer scope of work placed in secure areas?

Yes. We have deployed our application on AWS cloud virtual platform for maximum security.

Are servers / assets pertaining to the customer operations housed in a secure location? Are they shared with other clients?

Yes. Its deployed on AWS cloud virtual platform.

Is an inventory maintained for hardware, software, information, physical assets, services and all other forms of media, where information is processed or stored? If so, how often is the inventory reviewed and updated? Is an Owner Defined for all the Information Assets? How is it documented?

The application is deployed on AWS cloud virtual platform. We maintain the register for hardwares, softwares, physical assets etc as per the Asset management policy. All the inventories are reviewed and updated on monthly basis. We have tagged the owners for all the assets alloted by the organization. Atatched the asset management policy.

Are all external facing / web facing servers placed in DMZ?

Our application is deployed on AWS cloud virtual platform. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory.

Is there a dedicated infrastructure for collection, analysis and storage of logs?

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Is access to Database systems used for the customer operations logged?

We use AWS Platform for storing the data. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records.

Do systems and network devices utilize a common time synchronization service?

Yes

Does the Isolation/segregation of the customer environment at vendor done by means of VLAN/ creation of zones on Firewall?

We have deployed our application on AWS Cloud platform.As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks.

Are the systems used for the customer operations hardened according to hardening document/ technical specification document?

Yes. We comply with this.

Do you have controls to prevent storing of any confidential or highly confidential data on the desktop? Please describe any specific controls in place to prevent data leakage from your environment (e.g., segregated network, user activity monitoring, egress data monitoring etc.)

We monitor the user activities and spread awareness about data storage, access, sharing etc. All the custoer data is stored on AWS cloud. We are not storing any information on the computers.

Is there a backup and recovery document covering the customer processes? Is it communicated to employees working for the customer operations?

Data backups are done daily and in a secured way in AWS

Does the Backup & recovery procedure identify - - essential business information & software to be backed up? - servers to be backed up? - audit trail & logs? - frequency of backup? - Logging of Backup activity? - Retention period for backup? - Roles & responsibilites defined & assigned?

Yes. We have implemented the Backup Recovery Procedure

Is there a secure process for onsite & offsite backup media protection during storage pertaining to the customer operations?

Yes. Data backups are done daily and in a secured way in AWS

Does the organization reuse, test & restore the customer backups on frequent basis?

We do not use the backup. We only take the backup on AWS and its stored on AWS platform itself.

What is the distance of the backup facility from the primary location?

Its hosted on AWS

Is there an alternate location facility & supporting facility to continue the customer operations? Does the recovery location use different power and telecommunications grids from those used by the primary site? Is testing done for movement of the customer operations from primary site to alternate site?

BCP and DR facilities has been provided by AWS. We do not have any other data centers

Can the backed up data be restored and made available at the alternate site at any point in time? How can the critical data be restored and in what time frame ?

Since we are hosting our application on AWS, they are providing us a service for backup, BCP and DR for seamless customer experience.

β€’ Is your DR backup facility provided internally or externally? β€’ If external, please indicate the name of the service provider and the backup location, along with the date of last COB test at the Disaster Recovery facility. β€’ Does the Electronic Transportable Media (ex. tapes) contract adequately cover DR invocation to another location?

Since we are hosting our application on AWS, they are providing us a service for backup, BCP and DR for seamless customer experience.

Who is the Cloud Service Provider (CSP)?

Amazon web service (AWS)

What all services are being opted from CSP?

AWS Virtual platform cloud And AWS MSK

What will be the percentage up time agreed by vendor with CSP for the customer related services? (e.g. 99%)

99.00%

Does the requirement agreed that CSP/ Vendor should not use or share the the customer data without prior consent?

Yes. Xoxoday or AWS does not share the data.

Does the requirement discussed and agreed that CSP shall ensure data destruction (whether single or multiple copy of data) upon request or post the retention timeframe, across all locations, includes slack in data structure and on the media and in whatever format whenever required by vendor's customer (the customer)?

We have deployed the application on AWS and we have the controls in place to destruction upon request or post the retention timeframe. Since we are GDPR compliant we provide this option to our end users.

Does the requirement has been discussed between vendor and the customer and agreed with CSP that core the customer data should remain within India? If not, please detail the plan for local hosting.

We have deployed the application on AWS Singpore.

Does Data Retrieval time from primary/ backup location for the customer specific data discussed and agreed with the customer?

Data backup and retrieval happens on AWS platform.

What is the deployment model? (Private Cloud/Public Cloud/Hybrid Cloud/Community Cloud)

We use Public cloud for hosting

How does Vendor ensure Incident management for the customer services in Cloud?

we have an intrusion detection/monitoring application that alerts on unauthorized access.

How does vendor ensure Auditing, Logging and Monitoring requirements for the customer services on cloud?

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails.

How does vendor ensure Secure configurations of Web Server on cloud?

We have deployed the application on cloud and have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.

How vendor will ensure capacity and demand management with respect to the customer services on cloud?

Its provided by AWS, it’s a part of AWS service.

How does vendor ensure that CSP shows compliance to applicable laws and regulations related to data security?

Please click here for more details about AWS Compliance Programs - https://aws.amazon.com/compliance/programs/

How does vendor along with CSP will ensure that all the customer related core systems and data hosted in India and at no point in time those shall be moved to other country?

It will be hosted on AWS singapore

Does the CSP is using appropriate Data Loss Prevention (DLP) solution to identify, monitor and protect sensitive data and manage the data risk for the customer?

Data backups are done daily and in a secured way in AWS. The customer data cannot be lost permanently. We also have Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working.

How does vendor ensure Patch Management activity for components/ devices require to deliver the customer services?

Data backups are done daily and in a secured way in AWS. The customer data cannot be lost permanently. We also have Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working.

How does Vendor ensure that CSP have robust backup procedure for the customer related services? Does the CSP provide results / assurance on regular Backup-Restoration testing?

Data backups are done on daily basis and in a secured way in AWS. We monitor the same.

Provide the details of types of data that will be: - Collected - Stored/ Retained (mention the time period of retention) - Processed

We collect, store and process Name, email ID and Phone numbers and it will be stored on AWS cloud and will be deleted upon termination of the contract.

What is the backup site physical address?

AWS Singapore

Technological competence of the service provider. For example technology available to support the outsourced activity

Are media containing information (customer data, personal data, bank data) protected against unauthorized access, misuse or corruption during transportation beyond the organization’s physical boundary ?

We have deployed our application on AWS virtual platform cloud and do not store any data outside cloud for security reasons. All the customer data is encrypted for maximum security. We use TLS1.3 encryption while data in transit and AES256 while data at rest

Are redundant power supplies available for supplying power to critical equipment? Is there a Uninterruptible Power Supply (UPS) or DG set backup for computer systems? Is lightning protection applied to the buildings and lightning protection filters fitted to all incoming power and communications lines at the premise housing work area and information processing facilities ?

Yes. We have the backup for power supply and computer systems can be used without any interruption. We have applied the lightning protection metallic rods for the buidling for protection of premises.

Do you have a secure log-on procedure documented ? Are general notices/message banner displayed upon login into the application, network, database systems ? Do you log successful and unsuccessful attempts on Application, OS, Network and Database layer ? Are all user workstations and laptops part of the active directory ? Does the User Account get automatically Locked out after predetermined unauthorized attempts ? Do you terminate inactive sessions (idle) after a defined period of inactivity?

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our ElasticSearch server and retained in the long term cloud storage. All the workstations are part of the Active directory. User accounts get locked after 15 minutes of inactivity. The accounts will get locked after the predetermined unauthorised attempts for security reasons.

Have you implemented data protection and privacy measures such DLP, IRM / DRM etc.? Have you deployed any encryption / protection mechanism (data at rest) on databases, file servers, desktops and laptops handling business data, customer data, personal data (account numbers, employee details, bank accounts, password, card magnetic stripe data, etc.) in compliance with all relevant rules, laws, regulations, legal and contractual obligations, country specific data privacy laws, sector specific data privacy laws ?

Yes, our web assets, email records, and end-points are sealed with data loss prevention techniques. All the customer data will be stored on only AWS virtual platform cloud. We do not store it offline for security reasons. AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. The data is stored in our secure database and is transit scrambled for maximum security. We use TLS1.3 encryption while data in transit and AES256 while data at rest

Can the Cloud servers be configured to send their audit logs to a centralized log collector at the customer

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our ElasticSearch server and retained in the long term cloud storage. logs are automatically audited, but are not integrated with tenant's security operations. In case the tenant requests for logs, they can share when asked by the clients.

All Appliciton changes to be routed through the PMS system driven by IT Application Owner. Necessary approvals to be documented

Attached the Infrastructure Change Control Procedure

Are critical trasactions identified by function to be reviewed

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Are critical transactions logged and made available as a report through front end

The logs are automatically audited, but are not integrated with tenant's security ops. In case the tenant requests for logs, they can shared when asked for by the clients.

All Security logs need to be enabled within the application for all menu's and screens

The logs are automatically audited, but are not integrated with tenant's security ops. In case the tenant requests for logs, they can shared when asked for by the clients.

Minimum Audit logging scenarios: β€’ Login successes and failures β€’ Addition/ deletion/ modification of users β€’ Changes to security settings β€’ Changes to logging and auditing settings β€’ Application requests and user activity β€’ Privilege ID monitoring Minimum Information to be captured: β€’ Event ID (Pre-defined for each type of action. E.g. successful login, Failed Login etc.) β€’ Timestamp β€’ Username β€’ Source IP β€’ Link Used / Application details (Hostname / IP / URL / DB Instance) β€’ Impacted Object (Username, DB Table, Record etc.) β€’ Action (Login, Log Off, User Added, Changed Security Class, Delete record etc.) β€’ Result of Action (Success / Failure) β€’ Standard Description of Event β€’ Severity (High / Medium / Low) Individual events to be logged and no aggregation or rewriting of events to be done

The logs are automatically audited, but are not integrated with tenant's security ops. In case the tenant requests for logs, they can shared when asked for by the clients.

Logs should be protected against overwriting by using mechanisms such as log rotation and the log files to be retained for minimum of 3 months on the server

We retain the logs for at least 180 days.

Has your organisation evaluated pandemic preparedness of critical third-party suppliers

AWS is one of the critical third party for us as we have deployed our application on AWS VPC. AWS is ISO 27001 and SOC 2 certified organization and compliant with the business continnuity requirements.

Operational risk arising from technology failure covering from any of below means (including system downtimes issues also) : - Failure of understanding business team requirements - Failure of technological platform at vendor's end - Failure of interface between the customer and vendor system - Failure of technological platform at the customer 's end impacting services to be rendered by vendor

Xoxoday application application has deployed on AWS Cloud virtual platform for securtity reasons and imlemented the business continuity plan. Xoxoday endeavours to provide 99.9% Uptime each month 24 hours a day 7 days a week. Business day will be considered as 24*7 and will be available for 365 days in a year for the customer support services to be provided to the Client

Where are data subjects whose Personal Data is processed located?

The data will be stored on AWS Virtual platform cloud – Singapore region.

How is Personal Data being processed by Supplier?

The personal data will be uploaded on application application for rewards and recognition purposes and will be stored on AWS virtual platform cloud.

Who at Supplier will have access to the Personal Data, and for what purpose?

We have deployed our application on AWS Virtual platform cloud. We do not have physical access to the location where the personal data is stored.

What are the measures in place to prevent unauthorized personal from gaining physical access to premises, buildings or rooms where the data processing systems are located?

We have deployed our application on AWS Virtual platform cloud. We have the physical access controls in place. For ex – Access cards, Biometric machines, ID cards, CCTV etc..

What are the locations where Personal Data will be housed or accessed? Will Personal Data be stored on an the customer Cloud or on the customer prem? Will Personal Data be stored on a Supplier Cloud an on prem environments? Where? (I.e. Supplier owned cloud or 3rd party cloud,) If 3rd party - whose Cloud Physical location of cloud environments

The personal information will be collected through application platform and stored on AWS virtual platform cloud – Singapore region.

Can Supplier provide country location(s) for all Supplier personnel or subcontractors that may have access to Personal Data or privileged access to servers hosting Personal Data

We have only one data center and deployed our application of AWS virtual platform cloud. By Default, Xoxoday will not have access to Service Data (customer’s account/application and the associated data processed as part of using our services). The access control to the accounts (who can access the application instance) is managed by the admin from the customer end.

Describe the type of solution proposed (public/private/hybrid cloud, IaaS/Paas/CaaS/Saas/ASP, single-tenant/multi-tenant, etc.)

We use Public cloud for hosting (AWS Singapore)

Describe where the servers hosting the customer's data are located and, if the data is hosted on multiple locations, provide detailed information as to the transport of the data between the concerned locations. Also explain how you make sure the data does not migrate beyond the agreed geographical locations

AWS Virtual Platform Cloud - Singapore region.

Describe how you monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements, namely with regards to the EU Personal data regulations.

We have deployed our application on AWS Virtual platform cloud and Xoxoday is GDPR certified. We have implemented the policies and procedures as per the ISMS and GDPR and implemented across the organization. We collect only three PIIs on our platform such as - Name, email ID and phone number. Xoxodau GDPR - https://www.xoxoday.com/gdpr Xoxoday Privacy - https://www.xoxoday.com/privacy-policy

Do you contractually guarantee that your data centers are not located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.

Yes. We have deployed our product on AWS virtual platform cloud.

Describe how you manage restoration of environment and/or data for a specific customer (software/provider independent restore and recovery capabilities, independent hardware restore and recovery capabilities, etc.)

The data backups are done on AWS Virtual platform cloud on regular basis and implemeted the Data loss prevention techniques. We have all the capabilities to recover the data or restore. Data is available for restore within a few minutes of a backup job completing on the daily schedule. Attached the Backup Recovery Procedure

Provide a description of the physical security of your Datacenter both inside (security mechanisms and redundancies implemented to protect equipment from utility service outages like for example, power failures, network disruptions, etc.) and outside the DataCenter itself (fences, security guards or patrols, reception desk, authentication mechanisms, etc.) as well as the procedure applied to authorize personnel to enter the premises and how often the authorizations are reviewed.

AWS is responsible for providing physical security to the data center as we have deployed our application on AWS. AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorized staff.

Provide an overview of how capacity planning is managed to limit the risk of system overload and what are the allowances/restriction of use of oversubscription capabilities present in the Hypervisor for customers. Also indicate how capacity planning and usage information is communicated to the customer.

We have deployed our application on AWS Virtual platform cloud. Our solution is using state of the art Cloud Native infrastructure technologies along with microservices architecture allows us to scale our operations as per the demands.

Describe to procedure in place for responding to requests for tenant data or connection logs from governments or law enforcement bodies and how you ensure logs will be legally admissible.

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. We make these logs available upon tenents request.

Can logs be generated by the various components of the proposed solution be forwarded to the customer's log concentrator / SIEM / SOC

We make these logs available upon tenents request

Describe how you manage to isolate logs for a specific tenant

The logs are collected using the AWS Audit Trail and application related logs are collected in our Elastic Search server.

Is physical access to data processing equipment (servers and network equipment) restricted?

We have deployed our product on AWS Cloud virtual platform. AWS provides physical security to the data center as a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

Does the organisation outsource its data storage?

AWS Cloud virtual platform.

Are computer systems (servers) backed up according to a regular schedule?

Data backups are done on daily basis and in a secured way on AWS

Does the organisation replicate data in another region

Data backups are done on daily basis and in a secured way on AWS

Does the organisation have a "Hot" recovery site?

Its on AWS cloud virtual platform.

Are Cloud Hosting services subcontracted?

We have deployed our product on AWS Cloud virtual platform.

Are default hardened base virtual images applied to virtualized operating systems?

Applies to all.

In case any the customer information is stored on vendor corporate network/systems, is there access available to employees using remote access?

We have deployed our application on AWS cloud virtual platform and the data is stored on it. Only approved users will have an access and We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory.

Do employees/contingent workers who have remote access connect to the customer network?

We do not connect to the customer network. Since it’s a SaaS prodcut and deployed on cloud virtual platform only authorised individual have an access to the our production environment on need and approval basis.

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act?

We have implemented the security measures to manage the risks introduced during the use of Organization’s information assets used for managing Personally Identifiable Information. Attached the Personally Identifiable Information (PII) Policy.

Are environmental protections installed in your data centres including at minimum the following? Β·Cooling systems Β·Battery / UPS and generator backup Β·Redundant communications lines Β·Smoke / water detectors Β·Fire Suppression Β·Raised Flooring"

We have deployed our application on AWS cloud virtual platform. AWS provides physical security to the data center and it’s a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

Are necessary tools utilised to monitor environmental protection systems and alert personnel in the event of warnings or failures?

We have deployed our application on AWS cloud virtual platform. AWS provides physical security to the data center and it’s a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

Are actions taken to resolve alerts generated by the monitoring tools?

We have deployed our application on AWS cloud virtual platform. AWS provides physical security to the data center and it’s a part of our subscription. AWS physical security - https://aws.amazon.com/compliance/data-center/controls/

If hosted on public cloud ( Amazon , Google , Azure etc ) - security configurations are aligned with public cloud vendor security requirements?

We have deployed our application on AWS Virtual platform cloud. We use Web application firewall, IDs/IDs, AWS Audit trail, Amazon guard duty etc..

Have you applied data backup mechanism ? If yes what is the frequency of backup ?

Yes. Data backups are done on daily basis in a secured way in AWS

Does MFA is applied while accessing cloud environment / applications remotely (VPN, VDI)?

Yes.

Does access to privilege users / admin has MFA enabled?

Yes.

Does the DR is setup in some other city in India?

Its on AWS Cloud virtual platform Cloud.

Does the DR site also has the same level of security controls as the production site?

Yes

Where will vendor store the customer data? Is it stored over any shared location for all clients or the storage location is dedicated for the customer.

The data will be stored on AWS cloud virtual platform Singapore. Since we are a multi tenant system, we have common infrastructure for all clients.But All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment.

Which all in-house or third party applications Vendor will use for the customer operations?

We do not use any in-house devoloped applications. We have deployed our application on AWS cloud virtual platform. And AWS is SOC 2, ISO 27001, ISO 27017 and ISO 27701 certified organization. Shared the certificates.

If Vendor is using in-house developed or third party applications for the customer process then VAPT report of application and Network is to be shared.

We do not use any in-house devoloped applications. We have deployed our application on AWS cloud virtual platform. And AWS is SOC 2, ISO 27001, ISO 27017 and ISO 27701 certified organization. Shared the certificates.

Are there any Cloud services which is used by vendor for the customer process? Please confirm details.

We have deployed our application on AWS cloud virtual platform.

Type of Cloud services and its use in the customer operations.

We have deployed our application on AWS cloud virtual platform.

Please confirm on Cloud License details and data storage location (domestic or International).

Data storage location will be AWS Singapore.

Please share details of Data Backup Procedures.

Data backups are done on daily and in a secured way in AWS. Attached the Backup Recovery Procedure.

Points of presence of supplier infrastructure is identified

We have deployed our application on AWS Virtual platform cloud - Singapore and we operate from our corporate office located in Bangalore, India.

It is possible for the customer data to be restricted to a geographical location, if required.

We have deployed our application on AWS Virtual platform cloud - Singapore region and all the data will be stored there. All the end users from various parts in the world can access the platform. We inform the customer if we need to change the data center location.

Supplier has a multi-tiered firewall functionality in place, with network as well as application level protection (e.g. stateful network firewall, instance-independent the customers, application level firewall - WAF, Network Intrusion Detection - NIPS, behavioral anomaly detection, cloud security gateways etc.).

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on the set of rules. pfSense generation firewall helps to monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules We also have implemented the IDS/IPS and Amazon guard duty which continuously monitors our AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Vendor has a detailed backup and restoration plan in place. E2. Security controls are applied in the same fashion for all the customer data, be that data actively used (online) or data stored in backup space.

We have implemented the data backup policy and attached the same. The data backups are done daily in a secured way in AWS and tested on weekly basis.These backup process are automated and does not require any mannual effort. Since we are SAAS product, we maintain backup and restore all the customer data by ourselves. We use AES 256 encryption for data at rest. All the backups are stored on Cloud and does not store any data off-cloud.

Hardware decommissioning policies are in place (when hardware is controlled by the vendor). .

NA. We have deployed our application on AWS Virtual platform cloud.

There are security control mechanisms in place to counter denial of service attacks.

We have deployed our application on AWS Virtual Platform cloud. application is a cloud based application. As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers like URLs accessed or other client properties to automatically blacklist possible threats either temporarily or permanently.

When infrastructure is shared between tenants (typically a Cloud environment), threats and attacks directed toward other tenants do not impact the customer services provided by this infrastructure.

We have tools that analyze various traffic patterns and correlate network events. We have configured early warning signals that trigger alerts to our team based on event patterns and strict thresholds. We are equipped to detect and mitigate Threats, DDOS attacks, session hijack, login spoofs or any other data extraction strategies AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. The data is stored in our secure database and is transit scrambled for maximum security. We use TLS1.3 encryption while data in transit and AES256 while data at rest. We also conduct periodical Vulnerability assessment and penetration testing and fixes the vulnerabilities identified in order to eliminate the risk.

There is a activity and security logging process in place, and these logs are synchronized with the same network time server (NTP)

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. We use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference

There is data/log retention process in place.

Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

When infrastructure is shared between tenants (typically a Cloud environment), the data and/or logs are also separated for all tenants. E2. There is an intelligent system and/or process in place for analysing these logs.

We use logical data isolation with the help of company specific encryption keys and its solated from other customers data. Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Does the cloud provider deliver data back up and/or data mirroring? If yes:

The data backups are done daily in a secured way on AWS and tested on a weekly basis. These backup processes are automated and do not require any manual effort. Since the data backup is automated and happening on a daily basis the data backup will get replaced every day and restored, if necessary/required.

Is the Cloud Provider Privacy Shield certified?

Yes, AWS is certified under the EU-US Privacy Shield. https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4

Can customers define the transient and persistent points of their data (i.e. the legal jurisdiction in which their data is transported and stored - including backup and archive locations).

All the data will be stored on AWS cloud virtual platform cloud - Singapore region.

Is there an ability to monitor user activities? (E.g.: all actions taken by admin users)

All user activities are logged in the audit trail.

What availability measures do you employ to guard against threats and errors?

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.

Do you have DDoS protection, and if so, how?

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks

What application security measures are used in the production environment (e.g., application-level firewall, database logging / auditing, etc.)?

We use Web application firewall, IDs/Ips, AWS Audit trail, Amazon guard duty etc..

Do you logically and physically segregate production and non-production environments?

We have a dedicated non-production environment which is in a different AWS account and allows us to segregate data from the production environment.

Do you have a policy that requires endpoints (laptops,desktops,etc) to perform backups of specified corporate data?

We have implemented the Backup Recovery Procedure to protect the organization information asset from the damages that may be caused due to failure of hardware system, corruption of software etc..

Is there an audit log available which covers user/api actions?

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our ElasticSearch server and retained in the long term cloud storage. The event logs are stored in a bucket wherein nobody can access them without an approval from the high authorities i.e. the Chief Technical Officer. In case the tenant requests for logs, that can be shared.

If the application can be hosted in PwC's private cloud

At present, application application has been deployed on AWS Virtual platform cloud.

Cost to host in PwC private cloud

NSE’s data & information shall be stored in data centres within India.

All the data will be stored on AWS Singapore

The redundant site where NSE’s data & information are replicated shall also be in India in a separate location from the primary site.

All the data will be collected only through our application and stored on AWS cloud platform and its situated in Singapore.

All backup media (physical, logical & virtual) of NSE’s data & information shall be stored securely in India.

All the data will be stored on AWS Singapore

The Cloud Service Provider shall provide visibility to NSE into its infrastructure and processes, and to allow NSE to check the integrity and security of the cloud computing services and compliance to applicable policies and regulations.

We are cloud security alliance level 1 compliant. We would be happy to help NSE for checking the integrity and security of the cloud computing services and compliance to applicable policies and regulations.

Cloud Service Provider shall ensure no management ports / console shall be accessible over the internet.

We agreee. We comply with CSA STAR Level 1 compliance requirements.

NSE shall ensure that no insecure ports on the Cloud infrastructure are open to the internet

We comply with this. We have deployed our application on AWS to ensure maximum security of data.

Cloud Service Provider and NSE shall monitor the network & security devices, virtualization platforms, operating systems, databases, applications, web servers and associated infrastructure, for security alerts and known attack vectors and ensure that the remediations are implemented based on mutually agreed timelines.

We agree. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected. And our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected. We do conduct internal and external audits and ensure that required remidiations are implemented.

Where will UP data be hosted (geographic location)?

The data is hosted on Amazon Web Services (AWS) For accurate latency, the data center is selected as Singapore region for Asia specific data and Oregon for US specific data which are defined as data centers.

What is the standard used for destroying data on retired or failed hardware?

The Xoxoday platform operates on the cloud, which means there are no removable storage devices in question. We have Media protection procedure to handle the locally stored data. We complied with the compliance requirements.

What options are available to transfer data between UP and the Supplier?

We do not take any data directly. The data will be provided through our platform or application and its hosted on Amazon Web Services (AWS)

How is uptime measured?

We rely on AWS Cloud for Uptime mesurement.

Is your service run from your own (a) data center, (b) the cloud, or (c) deployed-on premise only

Yes. We have deployed our application on AWS cloud platform

Have you researched your cloud providers best security practices?

Yes. Please visit here for more details about AWS Cloud Security - https://aws.amazon.com/security/

What systems do you have in place that mitigate classes of web application vulnerabilities? (e.g.: WAF, proxies, etc)

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers like URLs accessed or other client properties to automatically blacklist possible threats either temporarily or permanently.

How do you log and alert on relevant security events? (this includes the network and application layer)?

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails We have implemented IDS/IPS Firewall. Our security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting.

What processes and methods will be put in place, to securely back-up the system? Where will the Back-up data be stored?

We predominantly work on cloud-based infrastructure from Amazon Web Services which provide backup and restore services to build scalable, durable, and secure data-protection solutions Please refer to AWS site for more details: https://aws.amazon.com/backup-restore/

Will any the customer data be held on removable media including Back-ups? If so, will it be encrypted?

It will be stored on AWS, and It will be encrypted (AES 256-bit encryption)

What firewalls and network/host protection measures (e.g. IDS or IPS) will be in place to protect the customer data? Describe how you will configure, maintain the above and monitor alerts generated.

Yes. We have implemented IDS/IPS Firewall. Our security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting.

What information will be contained within logs?

The only user data that will stored within the system is employee personal information - names, emails and contact numbers. Infrastructure logs are collected using AWS Audit Trail

AWS Provide physical security services to our data centre.

Please visit for more details - https://aws.amazon.com/compliance/data-center/controls/

Is this a Cloud Solution?

Our application is deployed on AWS cloud platform.

All privileged and service system, network or application level passwords, required for correct operations of business units must be backed up and kept in secure location available for extraction to a specified number of people on specific circumstances. Passwords backups should be updated with every password change.

We are Compliant. We have implemented the data backup policy. We do take backup of the all the users and securely stored. All our application users data back up including password will happen through AWS cloud virtual platform.

Where technically feasible, implement network and/or host-based technical controls that detect changes in access to shared networks and shared resources.

We have controls in place. We have implemented the firewall and IDS/IPS for detection and prevention of security.

System testing and commissioning ensures security capabilities of the system are appropriately configured and verified.

During the testing phase we make sure that we are meeting all the security requesrements and validate the same before the deployment.

Encryption for protection of information/data transported by carriers, tapes, removable media devices or across communication lines shall be employed.

All the data will be stored on AWS cloud and encrypted with Client specific keys. We do not transfer data to any external drives or media devices.

Application logs shall be verified to ensure there are no known anomalies before system deployment.

We monitor these logs periodically

Backup media shall be kept in a secured manner against tampering, theft, fire, flood or damage until retention period elapsed.

Backup data is stored on AWS cloud for maximum security.

Where technically feasible, and based on the criticality of the asset, backups shall be tested to ensure their availability and integrity for the customer recovery efforts and confirm compliance with established RPO/RTO.

We test the backup on a periodical basis to make sure that we follow the availability and integrity principles.

To ensure effective testing, restoration procedures shall be fully documented and tested.

We have documented our Data backup procedures.

For each asset, all activities/events and its details to be captured in all type of available logs for all hardware devices, operating systems, system usage, installed applications and security related events shall be identified. Vendor recommendations should be evaluated of proven performance and quality check.

We monitor the logs as per the compliance requirements.

Logs shall be protected against tampering and unauthorised access.

We are compliant.

Fault logging shall be enabled in equipment wherever technically feasible: Β· Fault logs shall capture enough information so that it can be appropriately analysed and resolved. Β· Fault logs shall be analysed and reviewed by personnel with appropriate training and skills.

All the logs are recorded in the system.

In all instances where automated logging and monitoring is not feasible, compensating mechanisms to record and retrieve manual logs shall be provided.

We always make sure that componentory controls in place if monitoring is not feasible.

Service Provider shall have solid high-availability infrastructure in line with the customer requirements

We have deployed our application on AWS cluod virtual platform

Only authorised personnel can access to the data centre(s). The data centre(s) have security controls such as man-traps, CCD security cameras, and on-site 24x7 security staff.

It’s a part of cloud security services

The data centre is a purpose-built facility with environmental controls including: redundant power supply, redundant cooling, UPS, generator, fire suppressant, temperature and moisture monitors.

It’s a part of cloud security services

What are the controls to prevent complete and permanent loss of customer data?

Data backups are done daily and in a secured way in AWS. The customer data cannot be lost permanently. We also have Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working.

Which databases are used in the backend? Which database optimization approaches are taken?

The data is only stored on our application and its deployed on AWS Cloud. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records

What are security approaches along the architecture stack? Is end-to-end security ensured? Does the platform allow standardized security mechanism, e.g. Kerberos, LDAP?

We have deployed our application on Amaon web services (AWS) cloud platform. We are using MySQL, Salt stack, Nodejs and MongoDB technology. LDAP, SAML2, Normal username-password

Describe the hosting infrastructure.

We are a SAAS solution. We are cloud hosted.

How does the system scale to support growing user populations?

We are a SAAS Solution and have all the capabilities to supoprt huge number of users.

Describe the data center power backup.

Data center services are provided by AWS

Describe data backup and restore procedures.

Data backups are done daily and in a secured way in AWS

Do you own the data centers?

No. Application is deployed on AWS Cloud.

Scale Up / Down capabilities? (Storage capacity, Computing Power)

We have both horizontal and Vertical Scaling

Scale Out Capabilities? (Module / Feature addition / removal)

We have auto scaling and self healing.

What are the controls to prevent complete and permanent loss of customer data?

Data backups are done daily and in a secured way in AWS. The customer data cannot be lost permanently. We also have Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working.

What tools are used to monitor application availability? Expected availability is 99.999% monthly basis

We use a variety of tools and plugins integrated with Prometheus & Cloudwatch along with health checks for facilitating our uptime/service availability

Where are your DR sites located?

AWS Cloud virtual platform

Are there security controls (like log generation, access control) in place to store the PII downloaded from the application?

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails

Are there plans in place to handle/manage contingent events or circumstances (e.g. what if the person with the key to the server room is sick)?

Yes. We have deployed our application on AWS virtual platform cloud. And we have the process in place to handle or manage any contingent events or circumstances. We have implemented the Business continuity management and tested annually to validate the effectiveness of the controls. Attached the Business continuity management plan.

How are physical access controls authorized?(who is responsible for managing and ensuring that only appropriate persons have keys or codes to the facility and to locations within the facility with secure data)?

We have an Admin/Facility department who is responsible and manage the Physical security and we have provided the access cards to all the employees and visitors and installed biometric machines at all the entry and exit areas. We have also installed the CCTV cameras in our building and will be monitored 24*7 for maximum security. AWS Data centre physical security – We have deployed our application product on AWS virtual platform cloud. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Will any Personally Identifiable Information (PII) be stored with vendor? Please mention specific reports that are to be stored.

PII will be entered through application and stored it on AWS cloud virtual platform. We store Name, email ID and phone number of the users.

Where will vendor store the customer data? Is it stored over any shared location for all clients or the storage location is dedicated for the customer.

The data will be stored on AWS cloud virtual platform Singapore. Since we are a multi tenant system, we have common infrastructure for all clients.But All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment.

How will Vendor share reports/data to the customer i.e. through SFTP, mail with some encrypted way or in a simple excel/pdf format.

Reports can be generated by the admins through the application. If there are any additional support needed, our customer support team would be able to help and guide on generating report.

Does the DR is setup in some other city in India?

Its on AWS Cloud virtual platform Cloud.

Have you employed sub processor (s) for processing TCS data?

The data will be stored on AWS Cloud and we do not share or transfer the data

A copy of any security focused questionnaires prepared for the product/environment (Cloud Security Alliance CAIQ, Shared Assessments SIG, etc.).

Xoxoday is CSA STAR LEVEL 1 Compliant. Please click here to download CAIQ - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday/services/nreach-online-services-pvt-ltd-xoxoday/

A list of your data center locations (primary, secondary, etc.) where services are provided from and all locations/countries where information may be processed.

We have deployed our application on AWS Virtual platform cloud – Singapore region.

A list of third service providers utilized to conduct any aspect of the contracted service in scope.

Not Applicable. We have not outsourced.

Describe your security architecture

We have deployed our application on AWS Cloud virtual platform for maximum security. The data center is hosted completely in isolation so that the access is limited and controlled. Load balancer allows shifting incremental load and can auto scale based on data load experienced by application. We have implemented Amazon Cloud watch to enable monitoring of the functioning of the application. The data is encrypted using 256-encryption based SSL certificate. To manage security of data we conduct a quarterly VAPT based security audit of application.

Does product have security mechanisms against intrusion?

Yes, all the mechanisms related to security are implemented to facilitate timely decision and investigation by root-cause analysis. These incidences are analyzed with network intrusion detection (IDS) tools.

Please furnish historical data with reference to the solution proposed highlighting the errors /fixes/patches within security category and the resolutions undertaken to cater those.

We have implemented the Patch management procedures. Critical patches will be deployed immediately High patches will get deployed within 5 days Medium Patches will get deployed within 15-day Low will get deployed in 25 days.

Do you provide free security patch to the customer at no additional cost?

Yes. Since it’s a SAAS Product we do not charge any additional cost.

Do you have a specific R&D team that keep improving your solution security through patch release. Please elaborate (how, many, where)

We have a team of 15+ who works for improving our solution security. We conduct periodical Vulnerability assessment and Penetration testing with the help of the Authorized third-party vendors and Fix the observations found during the testing in order to mitigate the risk. Our team is based out of Bangalore location.

Is your system able to operate on hardened web services system? Please also provide ports required for your system to operate

Yes. Our SAAS solution has been deployed on AWS cloud virtual platform.

Can the security module be integrated with Middleware to provide the security services? If yes, describe the mechanism?

Its SAAS Product and implemented the security controls in order to provide secure services and make sure that the customer data is protected.

How easy & convenient your solution authentication and security features for the customer.

We have deployed our application on AWS Cloud platform for maximum security. The data will be provided through our platform or application and its hosted-on Amazon Web Services (AWS) Our solution is very easy to use with convenient security features.

CLOUD SERVICE PROVIDER (CSP) must save access logs for any inbound and outbound access of CLIENT Cloud Infrastructure.

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed.

CLOUD SERVICE PROVIDER (CSP) must have security infrastructure for securing any inbound and outbound connection to any of their infrastructure where CLIENT system and/or data reside. Those infrastructures may be at least but not limited to web application firewall, firewall, host firewall, SIEMM, IDS and IPS. All access is authorized on a "deny by default" base policy.(encrypted channel)

We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team, and it's linked with the SSO/Active Directory

CLOUD SERVICE PROVIDER (CSP) must provide onsite security as a service as the first security line to CLIENT asset that resides on CSP premises.

We have deployed our application on AWS Cloud virtual platform. AWS is met all the data center compliance requirements.

What types of controls are in place to mitigate the risk of malware infection and external hacking?

We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory We have implemented intrusion detection tools, we ensure timely detection and investigation in a prompt manner. File integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation. We also have Endpoint security software for all the computers for Protection from exploits, malicious web downloads and softwares, Application and device control etc.

Will any data be hosted with, or accessed by a sub-contractor?

We have deployed the application application on AWS Cloud platform.

Do any sub-contractors reside in offshore jurisdictions?

The data center is in the Singapore region

Do you have contracts with third party service providers who may have access to FINCARE data (controls such as - Confidentiality agreements, NDAs, review mechanism etc.)

We have deployed our application on AWS cloud virtual platform. but, We have not outsourced any of services and third party will not have access to FINCARE data.

Is a process in place to regularly monitor your third party service providers to ensure compliance with security standards?

Yes. We monitor their compliance, security standards, certifications and Audit Etc.

Do you have an independent audit performed on your dependent third parties who have access to your Company or clients data?

Please explain the data flow/information flow from source to destination, including all the components in the data processing lifecycle.

All the data will be provided through the application and it will be stored on AWS cloud virtual platform. We use Cloudflare web application firewall for maximum security. We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. Attached the application data flow diagram

Does the organization is having network security controls (including boundary controls) in place? If yes please explain and share evidence?

We have the security controls in place. We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory. Attached the Network Access Control and Security Procedure.

Is anti-Virus / malware installed on the desktops/ laptops/ Servers and are regularly updated?If yes please explain and share evidence?

Yes. we have installed Bitdefender end point security in all the devices for maximum security and have controls on Anti-Virus / Malicious Software throgh End point security. We have also enabled Network Threat Prevention, Advanced Threat Defense, Web Attack Prevention, Multi-Layer Ransomware Protection. Attached the sample screenshot of Bitdefender end point security.

Applications must be deployed in PSJH Cloud environment, reviewed & approved by EIS. Development, test, and production environments must be segmented from each other.

The application is deployed on AWS Virtual platform cloud - Singapore region.

Application, network, infra & hosting teams shall establishe an alternate storage & processing site including necessary agreements to permit the storage and retrieval of information from alternative site; and Ensures that the alternate storage/ processing site provides information security safeguards equivalent to that of the primary site.

application application is deployed on AWS virtual platform cloud and storgae and scaling up would not be a challenge.

Application, network, infra & hosting teams shall conduct backups of a. User-level information contained in the information system at least once every 12 months. b. System-level information contained in the information system at least once every 12 months; c. Information system documentation including security-related documentation at least once every 12 months; and Protect the confidentiality, integrity, and availability of backup information at storage locations. Application, network, infra & hosting teams shall test backup information regularly to verify media reliability and information integrity.

Data backups are automated and done daily and in a secured way on AWS. The data at rest in encrypted only authorised individuals (CT0/Production head) will have access to protect the confidentiality, integrity, and availability of the information. These data backups are reviewed on weekly basis and has been validated during the internal and external audits.

Configure event logging for all system components to audit access and activity to individual users, including proxy users of applications and databases. Audit logs must capture these events at minimum: Successful logins, failed logins, data views, data modifications, and data deletions. Maintain logs that record access to specific records or sensitive data within the application, including which user accessed the record and when. Server configuration modifications are to be logged. Use internal system clocks to generate time stamps for audit records; and records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets at least thirty (30) seconds accuracy

We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed.

Centrally manage and audit event logs utilizing security monitoring tools (eg. Microsoft Sentinel SIEM, XSOAR, & ServiceNow solutions) where available (including applications, network devices, operating systems, databases, Servers and security event logs)

Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage. Administrative logs are part of Cloud Dashboard and are regularly reviewed.

Use only secure and up to date third party or open source components that have been formally approved by EIS, Providence Legal, IT Contracting, and any other applicable Providence approval and governance groups

We have deployed our applicaiton on AWS Virtual platform cloud. We do not use any unauthorised applications accross the organization as per the Information security policy.

Developers must not have access to both the development/test and production environments. Use cases where developers need access must be reviewed by ISRA for approval.

At Xoxoday the test environment and production environment has been seperated. We have dedicated non-production environment which is in different AWS account and allowing us to segregate data of production environment.

Employ controls to protect REST services against Cross-Site Request Forgery attacks.

we use Cloudflare Web application firewall (WAF), AWS Guard Duty threat detection service, Amazon CloudWatch, IDS/IPS etc.. for maximum security of data.

Implement controls to prevent log injection.

Compliant. We do not allow un-trusted and un-validated inputs and attacker cannot insert malicious data and false entries into the logs.

Implement controls to prevent sharing of source code without authorization. Application teams to use Enterprise approved Source Control Repository & Contineous deployment mechanism.

We do not share the source code. Our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase.

Implement controls to restrict and limit access to source code to authorized users. Access to be extended only to PSJH accounts.

At Xoxday the source code is restricted to only the authorised individuals

The solution is scalable to support the customer size and complexity: - 170,000 co-workers - 10% new co-workers yearly, 40% co-workers turnover - Minimum 35 countries

Yes. Our solution is using state of the art Cloud Native infrastructure technologies along with microservices architecture allows us to scale our operations as per the demands.

Security model of storage of data - Please describe shortly how data is stored, in relation to vendor's data, is protected at use, in transit and at rest

We have deployed our application on AWS Cloud virtual platform and all the data is stored on AWS. All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique. We use TLS1.3 encryption while data in transit and AES256 while data at rest.

Are there any subcontractors involved (4th Parties to Infosys) in providing services to Infosys? If yes, detail out the current process in the organization for ensuring adequate security governance in terms of periodic due diligence review/ audits being performed and all Infosys mandated security requirements being contractually passed to the 4th party.

we use Amazon Web Services (AWS) as our Communication service provider. We review the adequate security governance periodicall to make sure that they are also complied with all the Security and Privacy compliance requirements.

Do you process personal data as part of engagement with Infosys?

We are the Data processor. application is GDPR compliant. At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights.

Is the logs maintained for login successful and failure attempts?

The audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is application configured for audit trails?

At Xoxoday Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Is the code repository established and back-up are taken regularly?

The backup is automated and happen on AWS on regular basis.

Is the application server have latest operating system, licensed and supported?

We have deployed our application on AWS Virtual platform cloud - Singapore region.

Is the database server are hardened for security and maintained?

The application and database server are hardened.

Is security audit logs and alerts are configured for application server?

Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Is any server or data mentioned of/from/by application hosted or shared outside of Indian legal and juridiction bounderies? Credit Risk Data Liquidity Risk Data Market Risk Data System & Subsystem Information Internal & Partner IP Schema Network Topography & Design Audit/Internal Audit Data System Configuration Data System Vulnerability Information Risk Exception Information Supplier Informtion and its dependencies related data

We have deployed our application on AWS Virtual platform cloud - Singapore region. All the application data is stored there on AWS - Singapore.

Does the provider use a third party to provide the required services? If so, explain the services to be provided by the third party and the type of relationship between the provider and the third party.

We use third party to provide necessary services to the organization on need and approval basis. For ex – Background verification vendor, VA/PT authorised third party vendor, Eternal Auditors, AWS Virtual platform cloud service providers, Google workspace etc

Are the services provided by the provider scalable? Are there any limits?

We predominantly work on cloud-based infrastructure - Amazon Web Services which provides the Backup and Restore services to build scalable, durable, and secure data-protection solutions. No limits.

What is the process to restore data from the provider’s back-up?

Data backups are done daily and in a secured way in AWS. And Our team review the same on regular basis.

Till how long data backup will be retained?

Data backups are done on daily basis and in a secured way in AWS. We have the mechanism in place to delete the data upon termination of the contract upon customer request. In addition to safeguarding the rights of data subjects under the GDPR, we have implemented the Data Retention and Disposal Policy ensuring that excessive amounts of data are not retained by us.

If using virtual infrastructure, does the solution include hardware independent restore and recovery capabilities?

We have deployed our application on AWS Virtual platform cloud and they provide these services.

Last updated