# Data Management
## Do you ensure that critical data (e.g., payment card number) is properly masked and that only authorized individuals have access to the entirety of the data.
Yes, the payment card data is masked and encrypted to ensure that the access only lies in the hands of authorized individuals.
## How do you protect digital identities and credentials and use them in cloud applications?
We use AES 256-bit encryption for data at rest for securing digital identities.
## What data do you collect about the tenant (logs, etc.)? How is it stored? How is the data used? How long will it be stored?
The only user data stored within the system is their personal information - names, emails and contact numbers. This data is not put to any use by Xoxoday and resides within the system. The data can be deleted upon the tenant's request.
## Under what conditions might third parties, including government agencies, have access to my data?
Your data is completely secure. Third parties have no access to the given data.
## Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about tenant?
Yes, as stated above, your data is completely encrypted and secure, hence no critical information shall be revealed to the third parties.
## Do you have a data-integrity monitoring / change-detection software?
No. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records.
## Do you have data loss prevention (DLP) solutions implemented for web, email, and end-point getaway?
Yes, our web assets, email records, and end-points are sealed with data loss prevention techniques.
## Do you have technical controls capable of enforcing customer data retention policies?
Yes, our technicalities are built in tandem with the customer data retention policies.
## Will you use other companies whose infrastructure is located outside that of owned premise/Data Center?
No, we only rely on our ironclad infrastructure to ensure maximum security of data.
## Can you provide details about policies and procedures for backup? this should include procedures for the management of removable media and methods for securely destroying media no longer required.
The Xoxoday platform operates on the cloud, which means there are no removable storage devices in question.
## Can you specify the steps taken to ensure that data which has been deleted is completely wiped and cannot be accessed by other service users?
Our data cleansing process goes through an organized purge. Once the data is purged, it's purged from all places.
## What checks are made on the identity of users with privileged access?
There are user roles available for privileged and authorized members, access to which is provided via oAuth-2.0.
## Are there different levels of identity checks based on the resources accessed?
Identities of users are verified on the events they access any resources.
## What processes are in place for de-provisioning privileged credentials?
A support ticket has to be raised to the customer support team, after which the de-provisioning of privileged credentials will be taken care of in the back-end.
## How are the accounts with the highest level of privilege authenticated and managed?
The accounts with highest privilege are authenticated and managed via oAuth-2.0, which can be used to implement secure access to confidential data.
## Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?
No, roles of high privilege are allocated to a chosen few so that it doesn't break the segregation of duties.
## How do you allow for extraordinary privileged access in the event of an emergency?
In case of an emergency, tenants can raise a request to the customer support personnel or the key account manager. The privileged access shall be given from the back-end promptly.
## How are privileged actions monitored and logged? Is there a way to check and protect the integrity of such audit logs?
Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.
## Is there mutual authentication? How could strong authentication be used? For example RSA SecurID? Is there any limitation?
Yes, mutual authentication exists for strong authentication via AES 256-bit encryption.
## Please provide detail about what information is recorded within audit logs and for how long this is retained.
1\. Infrastructure logs are collected using AWS Audit Trail
2.Application related logs are collected in our Elastic Search server and retained in long term cloud storage.
## Is the data segmented within audit logs so they can be made available to tenant without compromising other customers?
No. Since we are a multi-tenant system, our logs contain information of all the tenants. We cannot isolate a single customer's information from our logs.
## How are audit logs reviewed? What recorded events result in action being taken?
Administrative logs are part of Cloud Dashboard and are regularly reviewed.
## Do you use multiple ISPs?
Yes, we have multiple internet service providers for uninterrupted coverage and maximum uptime.
## Do you have DDoS protection, and if so, how?
There are gateways in place to defer DDoS attacks.
## Can you provide availability of historical data?
No, historical data cannot be provided due to its confidentiality.
## What is your downtime plan (e.g., service upgrade, patch, etc.)?
We don't face any downtime and keep our service uninterrupted even in the events of upgrades and patches.
## Can you accommodate timely forensic investigation (e.g., eDiscovery)?
Yes, in case there's a need for a forensic investigation, we can accommodate time and make it happen.
## Do you follow Data input and output integrity routines (i.e., reconciliation and edit checks) for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?
Yes. We comply with this requirement, we follow multi-layer application architecture to isolate database access.
## Do you follow a defined quality change control and testing process (e.g. ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services?
Yes. We follow a defined quality change control and testing as per the Organization's policies and procedures.
## Do you assign Data and objects data by the data owner based on data type, value, sensitivity, and criticality to the organization?
Yes. We follow a data classification policy and access control policy to provide access to the individuals based on data type, value, sensitivity, and criticality to the organization.
## Do you follow Data Security & Information Lifecycle Management Ownership / Stewardship?
Yes, We comply with this requirement. All data has been designated with stewardship, with assigned responsibilities defined, documented, and communicated as per the compliance requirements.
## Do you make sure that Each operating system has been hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.
Yes. We make sure that we follow access control policy and data protection policy to make sure that only authorized individual has access to the required data. And we have controls such as antivirus, file integrity monitoring, and log monitoring as per the compliance requirements.
## More info below:
| **`Questions`** | **`Answers`** |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Do you enforce data access permissions based on the rules of Authentication, Authorization and Accountability (AAA)? | Access to data and systems are based on the principles of least privilege for access.
Accordingly, all information systems and data are classified and further segregated to support role based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access
events.
|
| Are access privileges to physical media assigned based on role and responsibilities? | We have implemented the Role based access control machanism. |
| Is there a process for secure disposal of both IT equipment and media? | Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.
We have implemented the Media protection procedure and Data retension & Disposal policy to make sure that we dispose the data securely.
|
| Are development, test and production environments separate? | Yes. All are separate. |
| Is production data ever used in a test environment? | We do not use. |
| Does the client scoped data include the disclosure of account numbers or identifiers to the consumer's account?
| We not disclose or share any of the clients data. |
| Do fourth-parties, (e.g., subcontractors, sub-processors, sub-service organizations) have access to or process client scoped data? | They do not have access. |
| Is there appropriate segregation between the customer Work area & other facility ? | Yes. Segregation is done. |
| Does the organization have security controls to restrict physical entry & exit to restricted areas containing sensitive data within the physical security perimeter? | Yes, we have implemented the physical security and only authorised individual can have access. We have also deployed security guards for maximum security. |
| What is your retention policy for retaining these logs? (30 days, 60 days, 1 year, etc) | At least 180 days |
| Is there a process of frisking or manual check for personal storage devices? | Yes, we do not allow any personal storgae devices. |
| Does the vendor agreement with CSP clearly define the data ownership mentioning that the ownership lies with vendor's customers? (the customer in this case) | Yes, we will delete the data upon termination of the contract of request of the end users. |
| Is there any data retention or data destruction period discussed with the CSP as per the requirements from vendor's customer (the customer)? | The data will be entered by the end users and will be deleted upon the termination of the contract. |
| Are the procedures for the customer’s data handover documented, if the customer wants to terminate the service from CSP/ vendor? | Upon termination of the contract we confirm the data deletion. |
| Does the requirement for secure disposal of all information / data from CSP environment, immediately after termination of service, discussed and agreed with the customer? | We securely dispose the data upon termination of the contract and confirm you within a specified period of timeline. |
| Do you have a secure disposal management (Asset decommission) procedure ?
Do you ensure that sensitive data has been deleted or overwritten before disposing off the equipment ?
| We have implemented the Data Retention and Disposal Policy. Attached the document.
We do not store customer information in any equipments, all the information will be stored on AWS Cloud virtual platform.
We make sure that all the any data stored in any electronic devices are deleted before disposing of the equipments.
|
| Do you allow access to administration tasks for your employees from Portable Devices (phones, PDAs, Tablets, etc...) or their own devices, if yes, please refer to section "Mobile Security". | NO |
| What method do you use when deleting customer data if requested to do so. Do you provide customers with a certificate that his data was properly sanitized from all computing resources and portable storage media | The secure deletion standard like DoD 5220.22-M ECE is being followed and we provide a certificate that the data was properly sanitized from all computing resources and portable storage media |
| Are rules pertaining to remote access monitoring configured on DLP solution? | We have implemented the data loss prevention techniques to make sure that the data is not lost permanently. |
| Are policies configured to monitor and detect data leakage over different file types? | It’s a part of our data loss prevention techniques |
| Is the current DLP solution capable of enforcing policies even when the endpoint is disconnected from corporate network? | our web assets, email records, and end-points are sealed with data loss prevention techniques even when the endpoint is disconnected from corporate network |
| Does the client scoped data include the disclosure of account numbers or identifiers to the consumer's account?
| We dp not disclose or share any of the clients data. |
| What will be the frequency of data purging? | Since we are into SAAS business we purge the data upon termination of the contracts or request by the customer. |
| Contract end facilitates the return of customer data to the customer in a the customer usable format. | As per the compliance requirements we will delete the data upon a request from the customer.
Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.
|
| the customer data is not used for test purposes, unless properly sanitized or anonymized, and agreed upon with the customer. | We do not use any of our customer data for testing. |
| Wherever relevant, Personally Identifiable Information (PII) is stored according to relevant laws and regulations. E1. Storing of Personally Identifiable Information (PII) is transparent to the user, i.e. report is available for an employee specifiying what personal data is stored for her in the solution and who has access to it. | We collect only the name and email from the customer as a mandatory PII and these data stored on AWS - Singapore region.
We always transparently inform the customer about the data storage location.
|
| Do you intend to process the Personal Data you process on behalf of the customer for your own purpose, such as product development, research or analytics, and if so, what is the legal basis for such processing? | No.We do not use our customer data for any of these purposes. |
| For how long will data be stored and available after end of term? | We adhere to Data Retention and Disposal Policy and make sure that the personal information of the data subject will be deleted upon requests or termination of the contract. |
| Can you provide assurance that Htec data stored or created within the solution will be exportable in common industry formats without loss of fidelity (and context) | We have implemented the Data Loss Prevention techniques and Backup of data will be taken on regular basis automatically on AWS Platform. The data backup is also encrypted and there are no possibilities of loosing the data stored. |
| Is the Company able to immediately erase customer data, both at the Supplier’s and its service provider’s premises? Please briefly describe the erasure process and used tools. How can this be validated? | The data can be deleted upon the tenant's request or termination of the contract.
Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.
|
| Can you ensure that all customer data is erased at the end of service? | The data can be deleted upon the tenant's request or termination of the contract. |
| Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code? | We conduct the code review and get the necessary approvals from authorised personnel before releasing the new versions or developments. |
| Do you have a managed process for approving new 3rd Party Libraries? | This is part of the code review process wherein the reviewer checks the utility and security of the 3rd party library. |
| Is the supplier willing to cooperate with the FDA if necessary? (site inspections, providing documentation, etc.) | NA. We do not store any Health information or PHI. |
| Data Retention: How long does the service store customer data after account termination? | 7Years. But we delete the data upon customer request as per the GDPR. |
| What kinds of our company’s information is involved for your platform? Is there any sensitive information involved? Such as user information, our company’s product information, marketing data or code information?
| The employees Name, Email ID, DOB, designation will be involved. And other information posted on the groups will be involved.
|
| If cardholder data is involved, does the Vendor have a PCI certificate? | Cardholder data is not involved. |
| Are controls in place to provide content monitoring and filtering, and data loss prevention? | Yes, our web assets, email records, and end-points are sealed with data loss prevention techniques. |
| Describe the circumstances in which customer data is allowed leave your production systems? | We can delete the customer data upon their request or after the termination of the contract.
Our data cleansing process goes through an organized purge. Once the data is purged, it's purged from all places
|
| All production information/data from test environments shall be securely deleted immediately after the testing is complete. | We do not use any data from our production environment for testing purposes. |
| Test/development/integration environments shall be physically and logically protected. | Our testing and production environment is on a different account. Its logically segregated for maximum security. |
| Copying or use of production data into test environment shall be periodically audited. | We do not use any data from our production environment for testing purposes. |
| Information consisting of vulnerabilities and potential non-compliance shall be considered as ”Sensitive” information and be treated accordingly. | We treat this as sensitive and confidential |
| Service Provider shall ensure that the customer data will be erased securely in accordance with acceptable standards upon termination of service. | We securely delete the data upon termination of the contract |
| Service Provider shall have a procedure for securely destroying storage media which contains the customer assets. | Our data cleaning process goes through an organized purge. |
| What are the contract termination processes? How will we have access to our data on termination of the service? Would our data be completely deleted from the vendor's servers after termination? | We will delete the data upon termination of the contract and confirm you. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places. |
| How is data loss prevented and how is high availability ensured? What are typical measures such as MTBF (failure time) or MTTR (recovery time)? | our web application, email records, and end-points are sealed with data loss prevention techniques. We have the capability to do it immediately. |
| What security standards are used for application development? | our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include:
• security requirements
• independent security review of the environment by a certified individual
• code reviews
Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.
|
| Describe your approach to ensuring data security in the SaaS environment. | We have implemented policies and procedures as per ISMS and GDPR requirements. We also conduct periodical Internal and external Audit by the third party Auditor.
We have deployed our application on Cloud Virtual platform for maximum security. We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.
We conduct periodical Vulnerability assessment and Penetration Testing from the Inductry approved authorized vendor to make sure that all the vulnerabilities are closed and having secured applications.
We use logical data isolation with the help of company specific encryption keys. Data in non production environment is not updated with the production data. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256
As per the Information security policy and Data protection policy only the authorised individual have an access to the data through internal approving and ticketing system.
|
| Is PII deleted (or scheduled to delete) from the application in case its retention period is over or on the request of a data subject? | Upon request or termincation of the contract we delete the data and confirm. |
| Does the application allow access of PII from a different region/country in which Personal Information is collected? If yes, then specify the region/country. | Since we are a SaaS solution, PII is collected through our application and stored on AWS virtual platform cloud. We do not provide access to anybody except an authorised individual of our product teams. |
| How data is stored and handling at Vendor location(whether the the customer data is encrypted, kept in logical segregation location etc). | we logically segregate the tenant's data and the application.Each tenant data is uniquely encrypted using client specific key. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| What will be the frequency of data purging? | Since we are into SAAS business we purge the data upon termination of the contracts or request by the customer. |
| PCI-DSS in case the CSP handles card holder data if card data is processed and stored. | NA. We do not handles the card holder data. |
| Does your solution provide Transaction Authorization Code? Please provide detail explanation | Yes. OTP will get generate before making the payment. |
| Does the organization is having data security controls in place? If yes please explain and share evidence? | We have the Data security Controls in place. We have established the Data Management System and Information Security Management system to ensure that the data is managed during the
conduct of business in a safe and secure manner in delivering the business values to the
interested parties.
Nreach Online Services Pvt ltd, respects the individual right to their personal information and
is committed to use minimum personal data with transparency, accuracy & protection of confidentiality, integrity, availability, privacy, authenticity & trustworthiness, non�repudiation, accountability and auditability of the data received, stored, processed and destroyed for business purposes.
Atatched the Xoxoday GDPR Data Security Policy
|
| For all external data transmission, certificates must be signed by a recognized and reputable Certificate Authority (CA) and not expired. | We do not transfer any data to any external parties. |
| Session tokens generated must be sufficiently long and highly random to withstand session guessing attacks. | We are equipped to detect and mitigate Threats, DDOS attacks, session hijack, login spoofs or any other data extraction strategies. |
| PSJH or authorized administrators are to delete PSJH data or render PSJH data unreadable when an employee or workforce member's access is terminated. | We deleted the data upon termination of the contract or if received the request from the customers/users.
Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.
|
| PSJH full disk encryption software is required on servers and/or workstations containing PHI or sensitive data. | NA. We do not process any PHI. |
| Where PHI/PII is stored and processed as part of service delivery for a client engagagement the collection, use, maintenance, sharing & disposal of must be clearly established internally and agreed with client as applicable. | NA. We do not process any PHI. |
| Disclosures of Personally Identifiable Information (PII), Personal Healthcare Information (PHI) to third parties must be recorded, including what PII/PHI has been disclosed, to whom, at what time, purpose, validity, secure processing requirements, secure disposal requirements shall be documented in consultation with legal, privacy & compliance teams of providence. | We do not share or disclose any PII to the third parties.
We do not store PHI.
|
| Implement controls to enforce certificate based authentication for SFTP communication. | Not application. All the data enters via our application. |
| System Architecture document must depict high-risk environments and data flows, system architecture, and potential legal compliance impacts illustrating the processing, transmitting, and storing of PHI/PII.
System architecure shall clearly call out the internal connections, external conenctions, data flow.
- Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of PSJH information;
- Describes how the information security architecture is integrated into and supports the enterprise architecture; and
- Describes any information security assumptions about, and dependencies on, external services;
- Reviews and updates the information security architecture periodically to reflect updates in the enterprise architecture; and
- Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and PSJH procurements/acquisitions.
The developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of PSJH's security architecture which is established within and is an integrated part of PSJH's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
Administrative Documentation: Create/ Obtain administrator documentation for the information system, system component, or information system service that describes.
a.1. Secure configuration, installation, and operation of the system, component, or service;
a.2. Effective use and maintenance of security functions/mechanisms; and
a.3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Create/ Obtain user documentation for the information system, system component, or information system service that describes:
b.1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
b.2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
b.3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes actions in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to CISO/ Information Security Services. allocated security safeguards operate in a coordinated and mutually reinforcing manner.
| We do not process any PHI. We process the PII(name, email ID, phone#) and all are encrypted. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security.
Attached the Network architecture diagram and data flow.
|
| What controls are in place to ensure secure data disposal upon termination of agreement with Infosys? (i.e. Disk Wipe , Degaussing , physical destruction etc. | We will be deleting the data securely as per the Data retension and data disposal policy
Yes, our policies and procedures are established as per implemented mechanisms for secure disposal and removal of data from every storage media. By this, it rests assured that the data can't be recovered by any computer forensic means. We assure secure data disposal when storage is decommissioned or when the contract comes to an end."
|
| Detail Out the secure coding guidelines ( e.g. OWASP Guide, SANS CWE Top 25,CERT Secure Coding etc.) and code review practices that are followed for the application (if any), which is used for providing services to Infosys. | Yes, we follow all the technical guidelines for development of our code and applications that come under the Open Web Application Security Project. |
| Is any unsecure protocol like FTP is used for data transfer? | We collect the data only through our application. |
| Have there been incidences of security breaches resulting in the failure of core systems (e.g., Distributed Denial-of-Service
(DDOS) the attack, etc.)
| There have been no incidences of security breaches resulting in the failure of core systems.
We are equipped to detect and mitigate Advanced Persistent Threats or DDOS. We use AWS Cloud watch for monitoring the configuration and infrastructure changes. This will identify several types of denial of service (DoS) attacks
|
| What happens to the customer data at service termination? | The data can be deleted upon the tenant's request or termination of the contract.
Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.
|
| What security features exist if the provider transmits data from one location to another (if
applicable)?
| NA. We do not transmit data from one location to another. |
| What are the provider’s data leak prevention capabilities? | Our web assets, email records, and endpoints are sealed with data loss prevention techniques. |
| How often does the provider delete data? | We delete the customer data upon termination of the contract or request from the data subject. |
| Is verification provided that data has been securely deleted? | Yes. We confirm once the data is securely deleted from all the sources. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places. |
| What happens to the customer data when the provider is terminated? | We delete the customer data upon termination of the contract or on request of the data subject. |