Governance, Risk, & Data Compliance

Are policies and procedures established for labelling, handling and the security of data and objects that contain data?

Yes, there are established policies and procedures for labelling, handling, storing, transmitting, retention/disposal, and security of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures.

Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

Yes, there are established policies and procedures for label inheritance of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Do you adhere to tenant's retention policy?

Yes, we adhere to the retention policy that the tenant sends out for optimal collaboration and smooth user experience with Xoxoday's products and services.

Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Your data is of the utmost importance. All the security mechanisms and policies are established and implemented in such ways that data leak can be prevented, in transit as well as at rest.

Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Yes, the policy, process, and procedure is implemented to ensure proper segregation of duties. These can be asked for and delivered upon tenants' requests. In the event of user-role conflict of interest, technical controls shall be implemented to mitigate risk (if any) from unauthorized/unintentional modification/misuse of organizations' information assets.

Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Yes, our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include:

  • security requirements

  • independent security review of the environment by a certified individual

  • code reviews

    Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Yes, our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.

Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes, our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC) security standard.

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in roles, rights, or responsibilities shall be documented for a seamless experience.

Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

We have a consistent and unified framework for business continuity planning, disaster recovery, plan development. All the appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g. fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility services outages, etc.).

Do you provide tenants with geographically resilient hosting options?

Our hosting options are limited to Xoxoday's jurisdiction and are backed by prominent business continuity plans. Hence, we don't find the need to provide geographically diverse hosting options.

Do you provide tenants with infrastructure service failover capability to other providers?

The capability to transfer infrastructure service failover to other providers is not provided to the clients.

Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?

Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.

Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals along with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks. With qualitative/quantitative methods ensuring our compliances with policies, procedures, and standards, we stick to the best standards.

Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Yes, our stringent checks and tests are conducted annually to keep up the cloud service infrastructure hygiene as per the industrial standards.

Do you perform annual audits (internal and external) and are the results available to tenants upon request?

Annual audits are processed both internally and externally. The audit results can be sent over to tenants upon request.

Are the results of the penetration tests available to tenants at their request?

Yes, the tenants can request for penetration results and get the reports from our end.

Are you storing, transmitting, and/or processing payment card data on behalf of our organization?

No, we do not process your payment card data for any reason other than billing purposes.

Can you prove that you are compliant for: Indian IT Act 2000?

Yes, we are compliant with the Indian IT Act of 2000.

Is there a formal process that details the transition of data from unsupported systems and applications to supported systems and applications?

There is no such process available from our end.

What will you deliver back to us on the end of service?

We will terminate the contract as per rules and statutes. Meanwhile your data will be stored with us and won't be given back to you. However, if the tenant wants the data to be erased, it can be done so upon request.

Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?

Yes, we store data that's required for seamless rewarding and recognition. We conduct regular audits to ensure safety of data like employees' names, emails, employee numbers, etc. are used for verification and rewarding purposes.

Do you have a dedicated information/cyber security team responsible for information security governance across the organization?

Xoxoday's information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise when it comes to information security.

Have you defined the information security roles and responsibilities?

Roles are systematically defined for information security measures to tactfully align all operations, preventing any security breaches.

Do you have an acceptable usage policy which is signed/agreed by all employees on annual basis?

Employees must agree with the acceptable usage policy of peripherals and devices to prevent malicious activities from the inside and out.

Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenant?

Our environment has all the capabilities to be SOC-2 Type-II compliant but the certification is yet to come through. It shall be updated soon.

Is your environment CSA-certified for the scope of the service being offered to tenant?

No, our environment is not CSA-certified.

Are all relevant legislative, statutory, regulatory and contractual security requirements identified, documented and tracked?

Xoxoday keeps track of all security requirements with respect to legislations, statutes, and contracts. They are documented in all steps.

Are appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

We have our own procedure for control of documents and records that ensures compliance related to intellectual property rights and use of proprietary software.

Our record management criteria checks all boxes of legislative, regulatory, contractual and business requirements.

Do you monitor effectiveness of cyber security controls through regular metrics?

With different metrics tracking cyber-security measures, Xoxoday keeps the effectiveness in check with regular monitoring.

Do you have an approved HR Policy document?

Xoxoday's Human Resource operation procedure takes all measures of employee confidentiality into consideration.

Are your employees screened before joining the organization? Are they bound to keep security of information intact even after their employment contract has ended?

Yes, Xoxoday performs a thorough background check on every employee before they get onboard. The Non Disclosure Agreement ensures that the information is secure even after the contract is terminated.

Do you take services from any third party which directly or indirectly impacts services given to tenant or Client of tenant?

Yes, our Xoxoday Store vouchers are procured from third-party vendors. These vouchers are shared with the tenants in order to be showcased to users of Xoxoday platform.

Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?

No, the third parties and vendors we deal with our confidential to Xoxoday. Hence, this list cannot be shared.

Do you have a Third Party Security Policy?

Yes, there's a third-party security policy present to safeguard the interests of Xoxoday's tenants as well as the end users.

Do you regularly monitor the third party's compliance with security obligations?

Yes, our third party security policy deems it clear to comply with security obligations and we monitor their compliance regularly.

Is there a process to address any risk that may occur due to change of services being provided to the tenant?

Yes, we have a detailed risk management procedure in place to address situational issues like change of services being provided to tenants.

Do you permit the use of contractors in roles supporting customer operations?

No, our customer requests are addressed by the Xoxoday customer support team for maximum efficiency.

Do you have subscription to brand protection services?

Yes, Xoxoday's brand protection caters to any malicious interruptions and fallacies as they are addressed in prompt time.

Do you monitor media platforms as well for brand protection?

Yes, with media platforms being the biggest pedestal for information sharing, we keep an eye out for any brand protection issues.

Do you have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic and host activity?

Yes, in the event of a rapid spike/slump in network traffic or host activity, Xoxoday analyzes the traffic to detect and prevent unauthorized or erratic behavior.

Do you have mandatory and regular privacy training and awareness module?

Yes, in order to ensure airtight security of data, we have a mandatory and sessional privacy training and awareness module.

What is CSA ?

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Did you list your organization for CSA STAR LEVL – 1 self-assessment?

Yes, Please visit the link to view the registry - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday

What are the important features of CSA STAR LEVEL – 1?

Important features of CSA STAR LEVL – 1 are listed below

  • Operating in a low-risk environment

  • Wanting to offer increased transparency around the security controls they have in place.

  • Looking for a cost-effective way to improve trust and transparency.

Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?

Yes, we ensure the same as part of our code review, static code analysis, and Web Application Firewall.

Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?

Yes, We comply with these requirements. Our Cloud Security Platform, (CSP) Amazon Web Services (AWS) provides these securities to our data centers.

Do you use Production data in a non-production environment?

Production data shall not be replicated or used in non-production environments. We do not use LIVE data in any other environment. We comply with the requirement.

Do you obtain prior to relocation or transfer of hardware, software, or data to an offsite premise?

We take prior authorization from the concerned authority as per the Media protection procedure before relocation or transfer of hardware, software, or data to an offsite premises

Do you have a documented application validation process to test for mobile device, operating system, and application compatibility issues?

As per Mobile Security Compatibility compliance requirements we have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that amends and expands the existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA, strengthening data privacy rights for California residents, tightening business regulations, and establishing the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor.

Is Xoxoday compliant with California Privacy Rights Act (CPRA)?

Yes. We are compliant with CPRA, and Our solution will continue to offer full compliance with the new and updated data privacy regime.

Do you provide rights to the consumers with regards to the data processing as per California Privacy Rights Act (CPRA)?

Yes. We support our consumers to exercise their rights as per the CPRA.

Did you implement all the CPRA Privacy controls as per the compliance requirements?

Yes. We have implemented all the privacy controls and audited the same with the help of external Auditors.

Do you make the CPRA Attestation report available for the customers?

Yes. Please reach out to our sales representative/Xoxoday POC to have access to the CPRA report.

Do you collect any data from California citizens who are not 18 years old?

No. We do not collect any data from any users across the globe who are not 18 years old.

Can the data subject authorize an agent (an “Authorized Agent”) to exercise their rights?

Yes. The data subject can authorize an agent (an “Authorized Agent”) to exercise their rights. To do this, the data subject must provide your Authorized Agent with written permission to do, and we may request a copy of this written permission from your Authorized Agent when they make a request to exercise the rights.

How can we submit our request to exercise our Rights Under the CCPA/CPRA?

You may submit a Valid Request by emailing cs@xoxoday.com.

Do you sell, rent, or share Personal Data with third parties outside of our company?

No. We will not sell, rent, or share Personal Data with third parties outside of our company. But Personal Data may be provided where we are required to do so by any privacy laws.

What is SOC 2 compliance?

SOC 2 compliance is part of the AICPA Service Organization Control reporting platform. The goal of SOC 2 is to evaluate organization security and internal controls around security, availability, processing integrity, confidentiality, and privacy.

What are SOC 2 requirements?

SOC 2 Compliances are developed by the American Institute of CPAs (AICPA), it defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.

Is Xoxoday SOC 2 certified?

Yes. Xoxoday is SOC 2 certified organization. We have implemented all the required SOC 2 controls and got them Audited with the help of Certified Public Accountants (CPA)

Is your cloud computing platform (AWS) SOC 2 Compliant?

Amazon Web Services (AWS) has achieved SOC 1, SOC 2, and SOC 3 reports. These reports detail the AWS controls environment and implemented controls for AICPA Trust Services Criteria (TSC) and can be leveraged as part of a cloud customer security program. AWS SOC-covered cloud services are audited periodically against the SOC reporting framework.

How do I request Xoxoday for SOC 2 report ?

You may reach out to our sales representative/Xoxoday POC to have access to the SOC 2 report

Who performs the independent third-party audit of Xoxoday for the SOC Report?

Laika Compliance LLC performs the SOC 2 audit for Xoxoday.

How long is a SOC 2 report valid?

The SOC 2 Type I report is valid for one year following the date the report was issued.

Is SOC 2 an international standard?

Yes. SOC 2 is an internationally recognized standard. The SOC 2 report and certification involve an independent audit by a third party.

Do you conduct a SOC 2 audit every year?

Yes. We do conduct the SOC 2 Audit on an annual basis.

Did all applicable compliances and controls are audited during the SOC 2 attestation process?

The Auditor has validated and tested all the applicable SOC 2 controls as per the compliance requirements.

Do you process Protected Health Information (PHI)?

We do not process (Collect/Store) Protected Health Information (PHI)

Is Xoxoday compliant with the Health Insurance Portability and Accountability Act (HIPAA)?

Yes. Xoxoday is compliant with Health Insurance Portability and Accountability Act (HIPAA)

Do you make the HIPAA Audit report available for the customers?

Yes. Please reach out to our sales representative/Xoxoday POC to have access to the HIPAA Audit report.

Do you have the process in place for providing Access Rights to the data subject as per EU GDPR?

Yes. We have implemented the Data Subject Access Rights Procedure to make sure that all the data subjects will have the opportunities to exercise their rights as per the privacy laws.

What method do you use when deleting customer data if requested to do so?

The secure deletion standard like DoD 5220.22-M ECE is being followed and we provide a certificate that the data was properly sanitized from all computing resources and portable storage media.

Do you have procedures in place for responding to a data subject request that involves a customer’s Personal Data?

Yes. Xoxoday is GDPR Compliant. We have implemented the Data Subject Access Rights Procedure as per the GDPR and made all the data subject rights available as per the data protection laws. This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties.

Do you perform audits on its Sub-processors to demonstrate their compliance?

Yes. We validate the compliance requirements of the Sub-processor and obtain the Compliance certificates and audit reports such as – ISO 27001:2013, SOC 2 Type II, ISO 27017, ISO 27701, ISO 27018, Cloud Security Alliance Controls, etc.

More info below:

QuestionsAnswers

Do you conduct independent audits? (Third-Party)

We conduct the independent Audits for - ISO 27001:2013, SOC 2 Type I, CPRA/CCPA, HIPAA, VA/PT Assessments.

Does your organization have a plan or framework for business continuity management or disaster recovery management plan and policy in place? Frequency of testing?

Xoxoday maintains a disaster recovery program to ensure services remain available or are easily recoverable in the case of a disaster. Customers can stay up-to-date on availability issues through a publicly available status website covering scheduled maintenance and service incident history. The BCP and DR Plans are tested and reviewed every year. The Xoxoday BCP and DR plans are reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service principles.

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

Users are not having admin access to their computer machines and only IT Support admins can install or uninstall the softwares.

Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?

CTOs and Production heads are responsible for safeguarding the customers data. Only authorised individual will have access to the production environment.

Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of customer data once a customer has exited your environment or has vacated a resource?

We delete the customer data upon request/termination of the contract and confirm the secure deletion. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Do you classify your assets in terms of business criticality, service-level expectations, and operational continuity requirements?

We clasify the Information assets into Confidential, Restricted , Internal and Public etc..

Do you maintain a complete inventory of all of your critical assets located at all sites/ or geographical locations and their assigned ownership?

We maintain the records of all our assets.

Do you have procedures and technical measures in place for data access segmentation in multi-customer system architectures?

we logically segregate the tenant's data, and it is segregated with a client-specific key for proper handling and security reasons.

Is user access to diagnostic and configuration ports restricted to authorized individuals and applications?

We have restricted the ports for all the users as per Xoxoday IT Policy

Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?

The password needs to be minimum 8 characters long and should contain at least one capital letter, special characters among '# $ % * &' and 1 digit Maximum Password Age – 45 days Minimum Password Age – 1 day Computer machines will lockout in 15 mins from the time it became inactive.

Is physical and logical user access to audit logs restricted to authorized personnel?

Yes. Only authorised individual have access.

Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been performed?

We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks. We use enterprise-class security features and conduct comprehensive audits of our applications, systems, and networks to protect customer and business data. Our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected. Please click here to know about Xoxoday Security framework - https://www.xoxoday.com/security

Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the customers?

We are compliant. We monitor the system performance.

Do you maintain current architecture diagrams that include data flows between security domains/zones?

Yes. We maintain current architecture diagrams that include data flows between security domains/zones

Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?

All operating systems are hardened as per Xoxoday hardening guidelines.

Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?

We are compliant. We have deployed our applications on AWS Virtual platform cloud.

Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?

Please click here for SLA - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view

Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?

Appropriate roles and responsibilities have been defined and documented. Finance, Leagl, Admin, Infosec departments are active part of it.

Do you integrate customer requirements into your security incident response plans?

Since its SaaS platform is not applicable.

Have you tested your security incident response plans in the last year?

Yes. we conduct the testing on frequent basis to comply with the requirements.

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes. Its compliant with ISO 27001 and SOC 2 trust service principles.

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

Yes. We mitigate all the risk identified.

Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

We inform the customer if there is any incidents as per the security and privacy laws.

Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?

Yes. We do conduct an internal Audit.

Do third-party agreements include provision for the security and protection of information and assets?

Yes. Privacy and security is a part of the Master Service agreements.

Are systems in place to monitor for privacy breaches and notify customers expeditiously if a privacy event may have impacted their data?

Xoxoday is compliant with GDPR, HIPAA, CCPA/CPRA privacy laws. And we inform the customer if there is any data breaches as per the compliance requirements.

Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)?

Yes. We provide report on SLA.

Do you mandate annual information security reviews and audits of your third party providers to ensure that all agreed upon security requirements are met?

We do conduct an External Audit with the help of the independent auditor.

Do you verify that your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes. we conduct the assessment on annual basis.

All sub-processors are subject to regular due diligence

AWS is a sub-processor as we are storing data on AWS VPC. And they are AWS SOC 2, ISO 27001, ISO 27017 and ISO 27018 certified We monitor the compliances of sub-processor on frequent basis.

Privacy training is provided to all staff on induction and at least annually thereafter

We continuosly train employees on privacy and security.

Do you have a member in your organisation with dedicated information security duties?

Yes. We have member in our organisation with dedicated information security duties. Xoxoday’s primary security focus is to safeguard our customers or users data. This is the reason that Xoxoday has invested in the appropriate resources and controls to protect and service our customers.

Do employees have a unique log-in ID when accessing data?

All our employees are having the unique log in IDs.

Are network boundaries protected by firewalls?

We have installed the firewall for maximum securty and configured to restrict unauthorized traffic

Are all servers, end user devices (All systems) configured according to security standards as part of the build process?

All are configured according to security standards as part of the build process

Has the Data back-up and recovery process been verified?

Its part of our Internal and external Audits and validated by the indeendent auditors.

Is there formal control of access to System Administrator privileges?

We have implemented the access control policy and access will be provided only upon need and approval basis. Attached the access control policy.

Are servers configured to capture who accessed a system and what changes were made?

We have track of the changes. Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Are computer rooms protected against fire and flood?

We have installed Smoke detectors and Fire extinguishers for physical security.

Are security incidents reviewed to capture the root cause and act on key learnings?

security incidents reviewed to capture the root cause.

Does the organisation receive an SSAE-16 SOC Report?

We are SOC 2 compliant and we have engaged Laika Compliance LLC, an independent assessor firm, to conduct a SOC 2 Type 1 and SOC 2 Type 2 examination for the Xoxoday Platform against the Security and Confidentiality Trust Services Categories.

Does the organisationis been audited for ISO 27001 or for other security standards?

Attached the ISO 27001:2013 certificate.

Does the Cloud Hosting Provider provide independent audit reports (e.g., Service Operational Control - SOC) for their cloud hosting services?

We provide Software as a Service.(SAAS). We are ISO 27001 certified and GDPR compliant. Attached the document.

Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)?

We are ISO 27001 certified and GDPR compliant. Attached the document.

Do employees/contingent workers who have remote access connect to the customer network?

Since it’s a SaaS prodcut and deployed on cloud virtual platform only authorised individual have an access to the our production environment on need and approval basis.

If an employee no longer requires remote access to the customer network, is there a process to inform the the customer in a timely manner to revoke access?

We inform the client to revoke access.

Are controls implemented to restrict sharing of files via conferencing/collaboration tools to the external parties (Microsoft Teams, Skype, Cisco WebEx etc.)?

We use Google workspace and have secure mode of sharing the data.

Does the current DLP solution have the capability to monitor all the endpoints within the Organization?

We can manage all the enpoints centrally.

Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified as personally identifiable financial information under the Gramm-Leach-Bliley Act?

We have implemented the security measures to manage the risks introduced during the use of Organization’s information assets used for managing Personally Identifiable Information.

Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?

We have a formal risk assessment process and conduct the risk assessment annually.

Do contracts with all subcontractors include Non-Disclosure/Confidentiality Agreements, data breach notification, Indemnification/liability and termination/exit clause?

All the contractors/vendors have signed the NDA and contracts All the necessary clauses has been included in the agreements with regards to Confidentiality, liabilities, termination etc

Is Risk Assessment Activity carried out for the organization covering the processes and assets of the customer operations?

Yes. We do conduct the Risk Assessment every year.

Does the organization has a mechanism to classify & protect sensitive IT assets covering the customer operations?

Yes. We have implemented the Data security and Information clasification policy. Attached the same.

Do all employees, contractors and third party users sign terms and conditions of employment stating that they agree to adhere to the information security requirements for their role(s) within the organization?

Yes. They have signed for the agreements.

Describe the security controls in place to restrict physical entry & exit (e.g. badge access control systems, biometric systems, man traps, etc)

We have a biometric systems and access cards. only authorised individual can have access.

What are the fire protection & detection mechanisms placed in critical IT locations pertaining to the customer operations?

We have deployed Sensors for fire detection and fire extinguishers to detect and protect from the fire.

Are the major changes affecting the risk profile of the provider environment notified to the customer?

Yes, we will notify

Is there an established SPOC for notifying these changes and ensuring documentation?

Yes. Our Customer support team will notify.

Are user e-mail accounts at the vendor processing facility created after necessary management / HR approvals?

Yes. We create an email accounts only after the approval from reporting managers.

Are e-mail ids created if the vendor operations are outsourced / sub-contracted to other parties? If yes, Are proper approvals taken for the same?

We have not outsourced and does not create any email ids

Is there a structured mechanism for ensuring accountability of shared email accounts, if any?

Yes. IT Team is responsible.

Describe your company's policies, procedures, and practices regarding email security controls?

Yes. We have a Email Security Policy and attached the same

Is attachment size defined ? Are the mail attachments for the customer process scanned for Virus and other malicious content?

Yes, we have implemented the security controls for email with the help of Google workspace and installed the end point security for all the laptops of the employees. All the incoming and outgoing attachments are scanned.

Does e-mail communication from the vendor include a standard disclaimer as a part of the contents?

Yes.

Is there restriction for usage & access to internet from systems in the customer operations?

Yes, We have implemented the Acceptable Usage Policy and have restricted for usage and access to internet.

Has the vendor maintained redundancy for firewall & other network components? How it is ensured that network uptime is 100%

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. Since our application is deployed on AWS cloud we will ensure the best uptime in the insudtry.

Do the modifications in the firewall rule-base for the customer operations go through the change management routine?

Yes. All the changes takes place as per the change management policy implemented.

Is there a mechanism to ensure that only licensed softwares / applications are installed on the systems?

Yes. We have software register and only approved and licensed softwares will be used.

Is each operating system up to date with patches provided by the manufacturer?

Yes, all are up to date.

Whether the capacity demands are monitored and ‎projections of future capacity requirements are made, ‎to ensure that adequate processing power and storage ‎are available.‎ Example: Monitoring hard disk space, RAM and CPU ‎on critical servers.

Yes, we have capacity planning and monitor the hard disk space, RAM, CPU etc.

Does the vendor address AntiVirus Signature Management covering systems used for the customer operations? Is frequency defined?

All the employees laptop is secured with Bitdefender end point security software

Are the AV signatures up to date?

Yes

Did the business continuity test include all third parties, including sub-contractors, that support the the customer's business process?

Yes. Taken into consideration

what is the frequency of these tests?

Annually

Does the organization have a documented IT DR plan addressing people, process & systems related to the customer operations? Is it communicated to concerned employees?

Yes. Attached the same.

What were the criteria for selecting CSP? (Capability of securely handling Critical Information, Reputation, Financial Position, Market Recognition, past security breaches, past service history, Cost etc) Please share the documents / records.

We do consider all of these, addition to that we also validate the controls in place with regards to cloud security, BCP, Uptime etc. AWS is ISO 27001, SOC 2 Type II certified and complied with CSA start level 2. Please click here for more details about AWS Compliance Programs - https://aws.amazon.com/compliance/programs/

Is there a legal agreement signed between vendor and CSP?

Yes. We have an agreement.

How does vendor ensure protection against Malicious Code and Monitoring on cloud?

We have implemented policies and procedures as per ISMS and GDPR requirements. We also conduct periodical Internal and external Audit by the third party Auditor. We have deployed our application on Cloud Virtual platform for maximum security. We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. We conduct periodical Vulnerability assessment and Penetration Testing from the Inductry approved authorized vendor to make sure that all the vulnerabilities are closed and having secured applications.

How does vendor along with CSP ensure that Change Management to be followed for changes related to the customer services at cloud environment?

Xoxoday and AWS both are ISO 27001:2013 certified and implemented the change management procedure. We ensure that we follow the policies and procedures with regards to any changes to be made.

Does security controls implemented by CSP are as per Internationally accepted guidelines / standards (e.g. CSA Cloud Matrix, NIST, SANS, CIS Critical Controls, OWAPS, ISO) ?

Yes. AWS is ISO 27017, ISO 27001:2013, ISO 2018, SOC 2 certified.

Is there a provision of demanding and review of compliance certificate like ISO27001 / PCI:DSS / NIST etc from CSP?

Yes. Attached the AWS ISO 27001 certificate

Does CSP is having documented and tested Business Continuity (BCP) and Disaster Recovery Plan (DRP) available with consideration of multifacility deployment within India for the customer related services?

Yes. Tested our BCP plan

How does vendor and CSP ensure the confidentiality, integrity, availability and privacy of data collected, processes, stored and disposed through cloud services?

We ensure that we maintain confidentiality, integrity, availability and privacy of data collected, processes, stored through implementing policies and procedures. And we do conduct the internal and external Audits periodically to make sure that all the controls are working effeectively.

Are the roles and responsibility / duties for cloud services engagement clearly been segregated between the customer and vendor and between Vendor and CSP?

Yes

Is there a communication procedure available along with escalation matrix for vendor?

Yes

In event of legal / federal investigation of CSP / other tenants, how the security (C, I & A) of Vendor / the customer data is being maintained?

Since we have logically segregated the data and ISO 27001 certified and GDPR compliant we do not disclose or provide any of the the customer data.

Has the service been audited in the past year for any of the following, by any independent entities? - Privacy - Information Security - Disaster Recovery - Operations - Technology - Other:

Yes. Audited by the independent Auditor and all the aspects of Privacy, information security, BCP, DR, Production, VAPT has been validated.

Have any of the audits addressed above resulted in any exceptions or findings?

NO

What is the production site physical address (DC, DR and Operations Location)?

Production Site - No.17, Bhagyalakshmi Square, 2nd Floor, Sector 3, HSR Layout, Bangalore -560102 We have deployed our application on AWS Singapore. Since we have deployed our application on AWS cloud they only provide DR Services.

Are there any additional location(s) where target data (the customer data) is stored/ accessed/ processes/ transferred/ administered?

No other location

Please provide details in the following areas in scope to services being provided to the customer: - Operating system(s) - Workstations # of devices - Servers # of devices - List Applications in scope. - Number of employees by function (e.g., development, systems operations, information security)

We provide our application to the customer. We have 230+ employees. 100+ employees are involved in the production/devolopment and we have a sepearate team for IT Support and Information security. We have provided separate computers to each employees. Altogether we are having around 250 computer machines. Our application is deployed on AWS cloud virtual platform.

Share following certifications/ assessment reports: - any Security/ privacy/ compliance related certifications, clearly mentioning all the scoped location and services/ applications/ products/ platforms (ISO 27001; SOC - 2 Report etc.) - latest cloud security reports (e.g. AWS Inspector Report; Azure Security and Compliance Centre Threat Management report etc.)

We are ISO27001;2013 certified and GDPR compliant.Attached the ISO 27001:2013 certificate. We are SOC 2 compliant and in the last phase of final Audit. Attached the engagement letter that we have with our external Auditors.

Details of control mechanism which will be deployed by the function to ensure that the service provider does not violate the internal norms of the insurer or the regulatory requirements set in the local regulator's guidelines? For example sample testing, maker checker, system controls, etc.

Xoxoday is ISO 27001:2013 certified, GDPR compliant and SOC 2 type I certified organization and have all the required technical and organizational controls in place and auditred during the internal and external audits.

Are all the information systems equipment's maintained in accordance with the supplier’s recommended service intervals and specifications ? Are records kept of all suspected or actual faults and all maintenance activities performed on equipment's ? Is the maintenance carried out by authorized personnel only?

We are ISO 27001 Certified organization. We make sure that all the required records are maintained and compliant with the requirements.

Do you have documented procedures for the identification, capture, tracking, escalation and resolution of operational problems/incidents (all systems, applications or facility-related problems) ? Do you have any Security incident reporting / handling and breach response procedures? Are procedures established to intimate BSLI of information security incidents concerning BSLI data?

Attached the Security Incident Reporting & Response Procedure and Incident Management Procedure

Do you maintain an information labelling and handling procedures ? Are documented information tagged/labelled as per your asset classification schema which is at par with BSLI Information classification policy?

We have implemented the Information classification Policy to protect against unauthorised access, disclosure, modification, or other misuse. All our assets are labelled as per the requirement.

Are access privileges associated with each system product allotted to users on a need-to-use and event-by-event basis? (e.g. operating system, database management system and each application, and the users to which they need to be allocated identified) Are users provided administrator rights on their systems ? Do you maintain a repository of personnel with administrator privileges and other high-level privileges per application, OS, database, network system ? Do you have specific procedures established and maintained in order to avoid the unauthorized use of generic administration user IDs (super admin, super user IDs), according to systems’ configuration capabilities

Access to data and systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide a centralized control to administer, monitor and review all critical access. We have a role-based access system through access control policy to make sure that only the authorised individual has access to the required information. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of accesses based on the principles of need-to-know basis and support segregation of duties. The approvers are either the Product Heads or respective function Heads are their authorized delegates.

Are secure work areas adequately protected against environmental hazards? Do you have fire alarm/suppression systems installed across office (secure areas/work areas) ? Do you have a VESDA system installed ? Do you have temperature and humidity controls deployed ? Do you have UPS and DG set systems in place ? Do you have precision AC's installed ? Do you have smoke detectors installed ?

We have the Fire alarams, Smoke detectors, UPS, Temperature controler, Air conditioner, etc.. for protecting against the environmental hazards.

Are users required to sign a statement to keep personal secret authentication information confidential and to keep group information (i.e. shared) secret authentication information solely within the members of the group ?

Yes, all our - both full-time and on-contract are bound by an agreement of non-disclosure and a confidentiality agreement as a condition of employment to protect the customers and tenant's information.

Do you use CCTV cameras to monitor the facility on a 7x24-hour basis? If Yes, are all cameras operating and positioned properly to view activity at all entrances/exits to the facility and sensitive areas (e.g.. call center, computer room)?

We use the CCTV cameras to monitor the building on a 24*7*365 basis. All the enterances, exit, restricted areas are under surveilance for security reasons.

Is there a dedicated team responsible for Information Security ?

Yes. We have the Information security team.

Whether all network Infra (Router, Switch, Firewall, etc.,) are integrated with the Service provider Domain and that a central IDAM solution or TACACS (Radius) is implemented for managing access to the network components ?

We are compliant

Whether audit requirements and activities involving ‎checks on operational systems are carefully ‎planned and agreed to minimize the risk of disruptions ‎to business process ? Do you agree to allow BSLI Auditors or Contracted Third Parties conduct IS Audit at your premise ? Do your agree to allow Surprise Adits to be conducted by BSLI Auditors or Contracted Third Parties ?

In accordance with Data Protection Laws, we make available to Controller on request in a timely manner such information as is necessary to demonstrate compliance by Processor with its obligations under Data Protection Laws. Upon Controller’s written request and subject to the confidentiality obligations set forth in the Agreement, we will make available to Controller a copy of Nreach the most recent third-party audits or certifications, as applicable. We do not agree for the Surprise audits.

The organization has a Disaster Recovery Plan in place to support its key products & services? The organization has a Test Calendar in place to test its Disaster Recovery Plan? Disaster Recovery Plan is tested atleast once in a year and test results/learnings are communicated to the customer ? The organization has a Business Continuity Policy in place?

We have the Buiness continuity and Disaster Recovery Plan in place. These controls has been tested at least annually as per the compliacne requirements. Attached the policies for your referrence.

The organization has a Crisis Management in place for any Crisis Impacting its Operations ? The organization has a Business Continuity/Alternate Site Plan in place to support/resume its key products & services? The Business Continuity plan complies to the recovery requirements of the customer (RTO,RPO & ROL) The organization has a Pandemic Plan in place to support its key products & services ? The organization has a Test Calendar in place to test its Business Continuity / Alternate Site Plan ? Business Continuity / Alternate Site Plan is tested atleast once in a year and test results/learnings are communicated to the customer ?

We have the Crisis management is in place. Attache the same. We have provided an option to work from home/remotely due to this pandamic with necessary infrastructure and security. Business continuity plan has been tested on annual basis and audited during the internal and external audits. Atatched the business continuity policy and plan.

No Generic IDs to issued / used within the application

Generic IDs are not used

Appropriate architecture and processes to be set to ensure application meets the availability requirements through implementaton of HA / DR and Processes like Backup and restoration For SaaS applications SLAs need to be adhered to as well for uptime assurances provided

Ability to selective delete any Sensitive / PII information basis retention policy, customer request or as needed due to any business requirement

We have the ability to delete the data upon request by the data subject or termination of the contract. Attached the data retension and disposal policy.

Does your organisation have a pandemic plan? Please submit a copy of the Pandemic plan mentioning the business continuity strategies for services rendered to the customer

We have implemented the Business continuity policy and we have the ability to resume our operation from potential threats, Pandemic, flood, fire, earthquake etc. Due this pandemic/WFH situation, VPN access has been enabled with 2FA For such authorized individuals, for ensuring business continuity. We have the required controls in place for working from home or remotely due to this pandemic situation.

Is there a designated point-of-contact for pandemic preparedness activities within the organisation? If yes, please share details

Its a part of our Business continuity plan and IT Support Head, HR Head, CTO, Infosec Head will be involved in the preparedness activities.

How would your company protect its employees and clients against getting infected in the Workplace? Please elaborate

We have provided WFH option to all the employees to get protected from COVID 19.

Is there a mechanism to identify and send sick employees or visitors home? Please elaborate

We have provided WFH option to all the employees to get protected from COVID 19.

Are the mentioned business continuity strategies tested in the last 12 months?

We test the Business continuity plan on annual basis. It was tested in the month of Aug 2021 for the last time.

Does the business continuity strategies defined for pandemic fulfill the Recovery Time Objective, Recovery Point Objective & Revised Operating Level (MBCO) requirements as agreed contractually or mutually

It has been well defined in the in the Business continuity policy and plans. Attached the same for your referrence.

Are Crisis communicaiton procedures defined to notify the customer in case of any impact to your organisation due to pandemic situation and providing periodic updates on the developments.

We inform our customer on any crisis and if that is effecting on our customers.

Details of control mechanism which will be deployed by the function to ensure that the service provider does not violate the internal norms of the insurer or the regulatory requirements set in the local regulator's guidelines? For example sample testing, maker checker, system controls, etc.

Xoxoday is ISO 27001:2013 certified, GDPR compliant and SOC 2 type I certified organization and have all the required technical and organizational controls in place and auditred during the internal and external audits.

Does Supplier consider itself a Controller or Processor, or Joint Controller with the customer?

Xoxoday is a data processor.

Does Supplier have an automatic method for advising the customer of new Sub Processors?

NO. We obtain consent before such activities from the customer.

Does Supplier have adequate written agreements on data protection requiring appropriate technical and organisational measures in place with such Sub Processors or will be put into place prior to any subcontracting?

We have the DPA and appropriate controls in place – We are compliant.

What certifications does Supplier have in place (i.e. SSAE 16 or ISAE 3402, ISO 27001 etc.)?

ISO 27001;2013, SOC 2 Type I Certified and GDPR compliant.

Does Supplier have business continuity plans that have been implemented and tested?

YES. We have implemented the Business continuity plans and tested them annually.

Does Supplier have cybersecurity insurance? If so, please provide material details of the coverage?

No. But we are in the process of getting the insurance from the Insurance company.

Confirm how Supplier demonstrates compliance with its data processing obligations.

We conduct the internal and External audits on a periodical basis as per the compliance requirements and obtain Audit reports and certifications. We provide the same with the customers.

Provide any details on whether the Supplier is subject to any enforcement actions, investigations, inquiries, or litigation related to privacy or information security relating to the processing of Personal Data?

NO. We are not subjected to any actions as such.

Provide the detailed Technical Architecture description of all the components of the proposed solution including monitoring solutions used by the provider

application by Xoxoday, the RnR platform is a cloud-based SaaS platform hosted on VPC infrastructure of AWS. The data centers are hosted completely in isolation so that the access is limited and controlled. Each instance (EC2 Instance) under fortified VPC network is further conglomeration of Docker Container Web Services and APIs and application layer running on top of it. This helps in managing various aspects and features of application without affecting the functioning of each other and achieving a modular architecture to work as plug and play model. Amazon Cloud Watch is implemented to enable monitoring of the functioning of the application. We have Web application firewall (WAF), IDS/IPS, AWS Guardduty, and the data has been encrypted for security reasons. Attached the Architecture diagram.

Can you list the security certifications of you company and can the customer get a certificate/report of the relevant certications

Xoxoday is ISO 27001:2013 certified and GDPR compliant.

Provide an overview of the various standards, methodologies, processes and tools used to build in Security in your SDLC and detect security defects and vulnerabilities in your applications (internal or outsourced developments) prior to deployment to production (BSIMM, NIST, Manual or automated source code analysis, peer review, etc)

Xoxoday is ISO 27001:2013 certified and GDPR compliant. And we follow ISO 27001, NIST, CSA standards and best practices. We have Web application firewall (WAF), IDS/IPS, AWS Guardduty, Coudflare and the data has been encrypted for security reasons. We conduct code reviews as per the compliance requirements. We also conduct the Vulnerability assessment and penetration testing on annual basis with the help of the third party authorised vendor. Attached the latest VAPT certificate and ISO 27001 certificate.

Can the customer get a copy of the last 2 reports of each of the audits performed and the action plan conducted to fix the identified issues ?

Attached the ISO 27001:2013 certificate and 1st Year Surveilance audit report. We did not have any non-confirmities.

Describe the status of your readiness regarding European Directive EU 2016/1148 (NIS Directive) regarding the Security of the Network and Information System

We are compliant with the data privacy and security requirements. We are having the controls in place with regards to Cyber security, Risk management, crisis management, business continuity, Network security, application security etc. Attached the Business continuity management and Cyber Crisis Management Plan, incident management procedures, SDLC etc.

Provide the Continuity of Activity plan in place, including the frequency of the tests performed to ensure continuing effectiveness

Attached the Business continuity plan and procedure. We test the BCP controls on annual basis as per the compliance requirements and it has been auditted during the internal and external audits.

Provide an overview of the various standards, methodologies, tools, policies and processes in place to support service operations (ITIL v4 and COBIT 5, etc.)

Xoxoday is ISO 27001:2013 certified, CSA START Level 1 and GDPR compliant. And we follow ISO 27001, NIST, CSA standards and best practices. We have Web application firewall (WAF), IDS/IPS, AWS Guardduty, Coudflare and the data has been encrypted for security reasons. We conduct code reviews as per the compliance requirements. We also conduct the Vulnerability assessment and penetration testing on annual basis with the help of the third party authorised vendor. Attached the below policies and procedures - 1. Encryption Policy 2. Password Management Policy 3. IT Policy 4. Information Classification Policy 5. Threat and Vulnerability Management 6. Cyber Crisis Management Plan 7. Backup Recovery Procedure 8. Access Control Procedure 9. Incident Management Procedure 10. Change Management Procedure

Describe how high availability of the proposed solution is addressed including redundancy mechanisms, geographical resilient hosting options, service failover capability to other providers, etc. Also describe the process in place to test redundancy and how frequent the test is performed.

Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. These are tested on annual basis. AWS is also ISO 27001, ISO 27017, ISO 27701, ISO 27018, SOC 2 compliant organizatin. Please click here for more details - https://aws.amazon.com/compliance/programs/ Please click here to know more about AWS security - https://aws.amazon.com/compliance/data-center/controls/ Please click here to know more about Xoxoday Service level agreement - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view

Describe the SLAs you are committed to regarding the impact of any disruption of your organization to your customers (degraded performances, service interruption, etc.) and what security KPI are made available to the customer in the contractual SLAs engaging the provider

Please click here to know more about Xoxoday Service level agreement - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view

Provide an overview of your Data Governance policy and its associated management system to monitor continuous compliance.(i.e. identification and location of sensitive data, protection from unauthorized use, access, loss, etc...)

Please click here to know more about data governance - https://www.xoxoday.com/gdpr

Provide the documentation regarding your program in place to manage risk

Attached the Risk Management Procedure

Do you have a cyber insurance ?

We have plan for having the cyber insurance. - In progress.

Describe how you provide training about Security and compliance to your staff, how often the awareness is performed, how you document their acknowledgment and the formal disciplinary or sanction policy established for employees who have violated security policies and procedures.

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles. We have implemented the Information security policy and Disciplinary policy.

Describe how firewalling and vulnerability assessments accommodating the virtualization technologies is performed (e.g. virtualization aware)?

As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. These are powered by intelligent daemons that detect other identifiers like URLs accessed or other client properties to automatically blacklist possible threats either temporarily or permanently.

What is your process to monitor that system performance continuously meets all requirements (contractual, business, regulatory) to provide proper service to your customers. Can the customer run his own performance measurement ?

Please click here to know more about the Application SLA - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view?usp=sharing

How often do you perform revalidations of the policies of FW, IPS, WAF, etc. and document the business justification in the access control lists.

We review and get an approval from the management on annual basis as per the compliance requirements.

Describe the process to manage the Antivirus/antimalware and specify how frequently the patterns are updated and controlled.

We have installed End point security on all the computers and monitored and updated on regular basis.

Describe how your tenants can report Bugs and security vulnerabilities and the process in place to remedy reported defects. Are your customers informed of discovered defects and the relevant remediation plan ?

Yes. Our tenants can report the Bugs and security vulnerabilities to cs@xoxoday.com We also have Bug Bounty Program at Xoxoday and please click here to know more about - https://www.xoxoday.com/bug-bounty

Describe how reversibility is addressed, and more specifically can virtual machine images be downloaded and ported to a new cloud provider or to on-site storage, how long the customer's data is available for his retrieval, under what format (e.g. OVF), etc.

Since application is a SaaS platform and deployed on AWS virtual platform cloud

If you are relying on supplier/subcontractors, provide a full list of those involved in providing the contracted service and specify if you will stand Accountable for any security breach originating from one of your suppliers/subcontractors

NA. We have the full time employees.

Provide an overview of the periodic reviews you perform to check the conformance and effectiveness of your policies, procedures and supporting measures and metrics. Specify how these reviews extend to all your partners upstream/downstream

We conduct the review and update the policies, procedures etc..and take an approval from the management on annual basis as per the compliance requirements. We also communicate all the policies and procesures to all the employees, contractors through HRMS platform.

If administrators are allowed to access the infrastructure hosting the proposed solution using mobile devices, provide an exhaustive overview of your centralized MDM solution and more specifically of how you control integrity and security level of the private device and how you guarantee that no customer data is locally cached on the personal device

We do not allow to access the infrastructure hosting.

Have the information security policy and standards been approved by senior management?

All the information security policy and standards been approved by senior management.

Is antivirus software installed on workstations?

We have installed the antivirus on all the workstations and servers.

Does the organisation have security measures in place for data protection?

Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience. Attached the GDPR - Data security policy.

Has the Data back-up and recovery process been verified?

Its part of our Internal and external Audits and validated by the indeendent auditors.

Are End User Devices (Servers, Desktops, Laptops, Tablets, Smartphones) used for transmitting, processing or storing Data has anti-malware, file integrity monitoring or application whitelisting deployed in the organisation?

We have installed Bidefender endpoint security and restricted the access of external hard drives, USB etc to have restriction on data transfer. we use file integrity and network intrusion detection (IDS) tools to help facilitate timely detection, investigation by root cause analysis, and response to incidents

Are non-company managed PCs used to connect to the company network?

We do not use.

What is the frequency of BC/DR plan Testing?

Annually

Have BC/DR drill been conducted at reguralar planed intervals?

We have conducted the BCP test on 6th Aug 2021. Attached the Business continuity policy.

Are computer rooms protected against fire and flood?

We have installed Smoke detectors and Fire extinguishers for physical security.

Is there an established incident management program approved by management, communicated to appropriate constituents, maintain and revieweed?

Attached the incident management procedure. All our policies are reveiwed annuaaly and approved by the top level management.

Are security incidents reviewed to capture the root cause and act on key learnings?

security incidents reviewed to capture the root cause.

Does the organisation have a formal Incident Response plan?

Attached the Security Incident Reporting and Response Procedure

Are all potential incidents assessed to determine appropriate classification, severity and impact?

Classification of Incidents are done. Attached the Incident Management Procedure

Has the organisation experienced an information security breach in the past three to five years?

No Security breaches till date.

Does the organisation receive an SSAE-16 SOC Report?

We are SOC 2 compliant and we have engaged Laika Compliance LLC, an independent assessor firm, to conduct a SOC 2 Type 1 and SOC 2 Type 2 examination for the Xoxoday Platform against the Security and Confidentiality Trust Services Categories. Attached the engagement letter .

Does the organisationis been audited for ISO 27001 or for other security standards?

Attached the ISO 27001:2013 certificate.

Do contracts with third party vendors that access or host your organization's information assets contain security requirements commensurate with your organization's security standards

We make sure that they have adequate controls in place and meet the security standard.

Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)?

We are ISO 27001 certified and GDPR compliant. Attached the document.

Are Global Blocklist and Whitelist configurations (such as URL's/domains inaccessible/accessible through the organization's proxies) enabled and reveiwed annually

We review these to make sure the all the controls in place.

Users may have a legitimate business requirement to access blocked websites. If such a need arises, is there a process to request and obtain approval for the same?

We provide access only upon need and approval basis.

Are controls implemented to restrict sharing of files via conferencing/collaboration tools to the external parties (Microsoft Teams, Skype, Cisco WebEx etc.)?

We use Google workspace and have secure mode of sharing the data.

Does the current DLP solution have the capability to monitor all the endpoints within the Organization?

We can manage all the enpoints centrally.

Is there a formalized risk governance plan that defines the Enterprise Risk Management program requirements?

Attached the Risk Management Procedure

Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?

We have a formal risk assessment process and conduct the risk assessment annually.

Do contracts with all subcontractors include Non-Disclosure/Confidentiality Agreements, data breach notification, Indemnification/liability and termination/exit clause?

All the contractors/vendors have signed the NDA and contracts All the necessary clauses has been included in the agreements with regards to Confidentiality, liabilities, termination etc

Is the Saas Solution deployed on public cloud or cloud hosted by Saas Vendor?

The SaaS solution is deployed on Public cloud.

Are hardening standards defined and followed for all infrastructure components (OS, Network Devices, Servers, Firewalls, DBs etc.)

Yes

Are you using Anti-Virus tool if yes, share the name of the tool.

Yes. We are using Bitdefender endpoint security.

Is VPN and VPC services used for transmitting data securely e.g. tunneling services?

Yes. We use for security reasons

What kind of access the vendor employees will have on the application and how access to the customer data in the application is restricted from being accessed by Vendor employees?

Our employees will not have access by default. The data will be accessed only upon need an approval basis. The access is controlled through the AWS Identity and Access Management system that also enforces two-factor authentication

What policies are configured for restricting PII leakage from the system ?

We collect only 3 types of the personal Information such as Name, email ID, phone#. , personal data is to be transmitted using firmly approved encrypted systems. We have implemented the role based acccess control to make sure that the acccess has been granted to only authorised individual.

Is user access controlled and has limited access to the data and configuration settings on cloud?

Yes.

Vendor shall immediately inform the customer about any security incident.

Yes. We inform the client about any security incidents.

Do you have change and incient management process in place to record, response and resolve an incident within SLA and to control the changes in the system / application? If yes, please share.

Yes. Attached Incident management policy and SLA

Does the agreement contains right to audit the service provider Information System

Yes

Compliant with all regulatory requirements

Yes

Compliance to IT Act and other Acts applicable to data

We are compliant.

ISO 27001:2013 or any equivalent Information Secuirty Management System

Yes, We are ISO 27001:2013 certified. Attached the certificate.

Service Organization Control SOC type 2 or any equivalent compliance report

We are SOC 2 Type 1 compliant. The audit has been completed and auditor is working on the Draft audit report. We will be able to share once the report is finalized.

ISO 27018:2018 Code of Practice for Protection of PII in Public Cloud, if PII data is stored on the cloud.

NA. But AWS Virtual platform cloud is ISO 27017 and 27018 certified and attached the report.

PCI-DSS in case the CSP handles card holder data if card data is processed and stored.

NA. We do not handles the card holder data.

Which all processes Vendor is handling currently and how the customer is sharing the data with them ?

the customer will be using the application product and all the information will be entered only through our application.

How data sharing between vendor and the customer will take place ?

The data sharing between vendor and the customer will take place only through application product. There will be no manual data sharing or transfer.

Will any Personally Identifiable Information (PII) be stored with vendor? Please mention specific reports that are to be stored.

PII will be entered through application and stored it on AWS cloud virtual platform. We store Name, email ID and phone number of the users.

Sub-contractor responsibilities and dependencies are clarified, and risks of employment of subcontractors are fully managed. Subcontractor is subject to all requirements the Contractor is.

We do not have any sub-contractors. We have deployed our application on AWS Virtual platform cloud. And AWS is ISO 27001, SOC 2, ISO 27017, ISO 27018, ISO 27701, CSA Compliant etc..

Vendor has relevant encryption capabilities, and is able to apply encryption at the customer data at rest and in transit (when solution is to be hosted on the customer datacenter solution, it should be secured using a the customer approved digital certificate), whenever deemed necessary and required by the customer or relevant external regulation. The solution should provide secure and reliable ways to exchange data with the customer backend systems and SaaS applications as well.

We have deployed our application on AWS Virtual Platform cloud. application is a cloud based application. We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique We do not decrypt the data until and unless if there any specific request from the customer.

Sufficient service uptime is guaranteed, meeting the customer expectations (on availability, RTO, RPO). Vendor has a BCP and DRP in place, ensuring service downtimes are kept as short as possible.

Xoxoday endeavours to provide 99.9% Uptime each month 24 hours a day 7 days a week (“Agreed Hours of Service”). Uptime is measured based on the monthly average of availability, rounded down to the nearest minute. Please click here to know about Xoxoday SLA - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view Xoxoday has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people and process support during any crisis or business interruptions. The BCP and DR Plan is tested and reviewed on a yearly basis as per the compliance requirements. The BCP and DR plan of Xoxoday is reviewed and audited as part of ISO 27001 standards and SOC 2 Audits by the independent auditor. Attached the Business Continuity Plans (BCP) and Disaster Recovery Plan (DRP) documents.

There is proper control in place for the usage of system utilities to circumvent application controls, and this possibility is disabled.

Since it’s a SaaS platform, there are no process as such.

Contractor is certified under external security best practices and standards (e.g. ISO). E2. Contract shall include an audit clause that gives the customer the right to obtain independent audit reports (ISAE 3402 type 2, SOC 2, SSAE 18, ISO27k, PCI-DSS Level 1, etc.). network/application penetration testing reports, and vulnerability scanning results. The results can be summarized (not containing confidential technical details), or detailed when limited to the systems used by the customer. E3. Furthermore, the customer should be allowed to initiate independent vulnerability scanning / penetration testing on the services received by the Vendor.

Attached the below mentioned coompliance certifications - Attached the Audit reports. 1. ISO 27001 certificate 3. VAPT Certificates 4. VAPT Audit reports 5. SOC 2 Audit reports. 6. GDPR Data Privacy Impact assessment report 7. California Privacy Rights Act (CPRA) attestation report. 8. CSA STAR LEVEL 1 compliant - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday We conduct these audit on annual basis and we will share it upon request.

Guarantees are offered to the customer on resolving security incidents / outages.

We always provide our best service to resolve security incidents / outages. Attached the Service Level Agreement (SLA)

Provide a general description of the information security measures applicable to the services you offer to the customer.

Xoxoday is committed to ensuring the integrity, confidentiality, availability, and security of its physical and information assets and maintaining privacy when serving the customers and organization's needs while meeting appropriate legal, statutory, and regulatory requirements. To provide adequate protection for information assets, Xoxoday has built the Information Security Management System (ISMS), enabling everyone to follow these policies diligently, consistently, and impartially. Xoxoday will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized individuals as and when required. Please click here to know more about Xoxoday Security - https://www.xoxoday.com/security

the customer requires transfer outside of the EEA to have a valid legal basis. Please describe the legal basis for each of the countries that personal data is transferred to.

We have deployed our application on AWS Virtual platform cloud - Singapore region. We are GDPR compliant. And we have an agreement and Standard contractual clauses (SCC) as per GDPR Compliance requirements.

Are you, or have you been involved in any legal proceedings, civil or public, relating to processing of Personal Data in connection with the services that you offer to the customer, in the last five years? If so, please elaborate on the nature and document the outcome of these proceedings.

NO

Are you aware of any legal proceedings, civil or public, that any of your (sub) processors have been involved in, relating to processing of Personal Data in connection with the services that you offer to the customer, in the last [five] years? If so, please elaborate on the nature and outcome of these proceedings.

NO

Have you reported any Personal Data Breaches, as defined in art. 4 (12) of the GDPR, relating to your processing of personal data in connection with the services that is offered to the customer, to any of your Customers, any Data Protection Authorities or any Data Subjects, in the last five years? If so, please elaborate on the nature of the breach(es).

No. There were no Personal Data Breaches.

To the extent applicable: 1) Describe the certifications and audit scheme that you have or will put in place, to allow the customer to verify compliance with applicable law and the Data Processing Agreement during the contract period 2) Describe the regularity and scope of any third party audits with regard to information security, data protection compliance and to what extent (sub) contractors are covered by the audit schemes 3) Describe how the customer will obtain access to reports from audits for any transfer of Personal Data to countries outside the EEA.

Xoxoday is committed to ensuring the integrity, confidentiality, availability, and security of its physical and information assets and maintaining privacy when serving the customers and organization's needs while meeting appropriate legal, statutory, and regulatory requirements. To provide adequate protection for information assets, Xoxoday has built the Information Security Management System (ISMS), enabling everyone to follow these policies diligently, consistently, and impartially. Xoxoday will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized individuals as and when required. Attached the below documents - 1. ISO 27001 Certificate 2. SOC 2 Audit report. 3. California Privacy Rights Act (CPRA) attestation report. 4. VAPT Certificates 5. GDPR DPIA Assessment report. 6. CSA START LEVEL 1 Compliant - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday the customer can request the Xoxoday POC for these reports and we will provide the latest Audit reports upon request.

Through discussions with the vendor, try to obtain an overview of the value chain from the cloud vendor and backwards to subcontractors

We are storing all the customer data on AWS Virtual platform cloud – Singapore region and consider AWS as a Sub-Processor as per EU GDPR. AWS is ISO 27001, SOC 2, ISO 27017, ISO 27018, CSA STAR, ISO 27701 certified organization. Please click here to know about AWS Compliance offerings - https://aws.amazon.com/compliance/programs/

Does the contract detail the scope and functionality of the online services?

Scope and functionalities are the part of the agreement.

Any written documentation for the SLA? Are SLA objectives measurable and have relevant penalties? Do they cover availability, response times or other? What does the SLA cover?

Please click here for SLA - https://drive.google.com/file/d/1LatFZLoRzeRlQf4mEemzL8XsO71YGahk/view We do not offer any credits/ penalties.

Are there any technical and organisational measures that aim to remedy the risks entailed by lack of control and lack of information featuring in the cloud computing environment? E.g. measures aimed at ensuring availability, integrity, confidentiality, isolation, intervenability and portability.

We have implemented all the technical and organisational measures to ensure the integrity, confidentiality, availability, and security of its physical and information assets and maintain privacy when serving the customers and organization's needs while meeting appropriate legal, statutory, and regulatory requirements. To provide adequate protection for information assets, Xoxoday has built the Information Security Management System (ISMS), enabling everyone to follow these policies diligently, consistently, and impartially.

What kind of certifications does the cloud vendor have (ISO 2001, SOC report etc.)?

Is there a clause saying that no data shall be processed by Supplier or any subcontractors for other purposes than the one specified in the contract?

We do not process the data for other purposes than the one specified in the contract,

Does the contract specify that Supplier may not communicate the data to third parties, even for preservation purposes unless it is provided for in the contract that there will be subcontractors?

We do not share the data with third parties. But we store it on AWS Virtual platform cloud and we consider AWS as a Sub-processor. We do not disclose any of our customers personal information to any third parties. We reserve the right to disclose PI if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process. We reject any non-legally binding requests for disclosure.

Does the data processing agreement specify the types of personal data processed by Supplier?

We process only the Name, phone# and Email ID as mandatory information.

Does the contract ensure a logging of processing operations on personal data performed by Supplier and its sub-contractors?

We process the information as per the terms of use - https://www.xoxoday.com/terms-of-use

Does the Supplier ensure lawfulness of cross-border data transfers and do they have a list of locations in which the services may be provided from? May the customer limit the vendor's right to change or disregard such a list?

We are storing all the customer data on AWS Virtual platform cloud and we operate or provide services from Bangalore, India.

Does the contract include any clause specifying that Supplier must inform the customer of any intended changes in regards to changes in sub-processors? the customer shall retain at all times the possibility to object to such changes or to terminate the contract.

We inform the customer of any changes in regards to changes in sub-processors.

Any specific restrictions in the right to use? Acceptable use policy is one example that should be considered versus the customer's needs..

Xoxoday Terms & conditions - https://www.xoxoday.com/terms-of-use

Does the cloud provider have right to suspend services for specific reasons? As an example, in a situation with non-payment? If yes, is there a notice period or other important conditions to be observed?

Yes, the cloud provider does have a right to suspend services for specific reasons; more detailed in Section 3.3 of the Master Services Agreement. Section 3.3(a) read along with Section 2 of the MSA

Which law is the contract subject to? What are the legal venue for disputes arising under the contract? What are the regulations around dispute resolution?

The Contract is subject to the laws of India. For disputes arising under this contract, courts of Delhi has an exclusive jurisdiction. Arbitration & Conciliation Act, 1996

Do you perform a regular information security risk assessment?

We conduct the periodical Risk assessment. and it has been audited during the internal and external audits.

Do you provide customers with ongoing visibility and reporting of your SLA performance?

We also provide SLA performance report to the customer on need basis.

Do you have the capability to respond to security alerts, and report security vulnerabilities and information security incidents within 24 hours of discovering them

we have the capability to respond to security alerts, and report security vulnerabilities and information security incidents within 24 hours of discovering them

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

Do you specifically train your employees regarding their specific role and the information security controls they must fulfil?

We train our employees on their role and responsibilities and also comminicate before joining the organizatin

Name and description of the software/service.

application is an all-in-one employee engagement and motivation platform that offers Rewards & Recognition, Pulse Surveys, 1-on-1 Feedback, Social Intranet and People Analytics in one powerful solution.

Is there a respondent information security function responsible for security initiatives?

Information security department is responsible for security initiatives and the Head of the Information security reports to the Board of Director of the company.

Can the respondent do Creation, review and approve of information security policies?

The policies and procedures have been created, reviewed and approved by the Top level management of the company.

Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Kindly share the artefact

The information security policies have been uploaded on KEKA HRMS Application and communicated to all the employees. Attached the screenshot for your reference.

Is there a risk management framework pertaining to the information security and privacy program management? Kindly share the artefacts?

Attached the Risk Management Procedure.

Kindly share the recent internal audit report for information security and privacy program management

Attached the internal audit report.

What are your data leak prevention capabilities?

Your data is of the utmost importance. All the security mechanisms and policies are established and implemented in such ways that data leak can be prevented, in transit as well as at rest.

Do you have a policy that requires endpoints (laptops,desktops,etc) to have anti-malware software? What capabilities does the anti-malware solution has? (Signature based detections, NGAV, EDR, etc.)

We have installed Bitdefender endpoint security in all the endpoints. Bitdefender is based on a layered next-gen endpoint protection platform with the industry’s best prevention, detection and blocking capabilities, using proven machine learning techniques, behavioural analysis and continuous monitoring of running processes.

Does your IT provide remote wipe or corporate data wipe for all endpoints (laptops,desktops,etc) and company-accepted BYOD devices?

We have the capability to wipe out the data remotely for all endpoints including BYOD devices.

Is the solution provided to Customer part of a valid ISO 27001 certification? If so, please provide a valid ISO/IEC 27001 certificate with corresponding SOA - Statement of Applicability

Attached the ISO 27001:2013 certificate and Statement of applicability.

Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

We provide these compliance certifications upon request.

Does the Company use Software Development Life Cycle (SDLC) process to ensure quality and correctness of the solution built?

We use the Software Development Life Cycle (SDLC) process. It is aligned with ISO 27001;2013 and SOC 2 frameworks.

Are security related requirements specially marked during development?

During the development and testing security related requirements are specially considered.

What is the strategy around application Secure Code Scanning & management?

We have SDLC Policy as per ISMS requirements and we follow General Coding Practice. For example - We Conduct data validation on a trusted system, All cryptographic functions used to protect secrets from the application user.

Is there a status page available for communication about the application's untime status, or any ongoing and past incidents ?

We can also provide uptime status on a need basis.

Are the retained logs sufficient to permit forensic analysis on security events?

We have proper forensic procedures for data collection and analysis for incident responses

Does the provider’s logging and monitoring framework allow isolation of an incident to specific tenants?

Yes, in case specific incidents arise for particular tenants, our logging and monitoring framework allows isolation of incidents.

What is your SLA - uptime and availability?

Xoxoday endeavours to provide 99.9% Uptime each month 24 hours a day 7 days a week. Uptime is measured based on the monthly average of availability.

What is the penalty offered to the customers for SLA violations?

We do not offer any penalty.

What level of support is provided to the clients? Mention the time slots where support is available

Attached the SLA

ISO certification for the APP and Security related documentation required to proceed with security reviews internally 1. Application Pentest results 2. Architecture Documentation to show the dataflow and data security in the hosting location 3. Hosting Vendor ceritification similaret to Microsoft MCST 4. SLA and Support Documentation

Attached the below documents - 1. ISO 27001:2013 certificate 2. VA/PT Certificate 3. VA/PT Executive report 4. application Architecture Diagram 5. We have deployed our aplication on AWS Virtual platform Cloud and attached AWS Compliance certificates - ISO 27001, ISO 27017 & ISO 27018. 5. application SLA

Please provide support covered under standard annual license and annual maintenance where applicable

Customer Support is available on all working days (Mon - Fri) between 3.30 AM GMT to 1:30 PM GMT.

Details of certifications Which includes for each certification: Certification Body First Certification Date Current Certification date

Xoxoday is – ISO 27001:2013 certified CPRA (California Privacy Rights Act) EU GDPR Compliant CSA STAR LEVEL 1 Compliant – Click here Vulnerability Assessment and Penetration Testing (VAPT) Attached these above certificates and Reports.

The vendor should detail how frequently backups of customer data are made, how long they are retained, and how soon customer data is purged following deletion by an end user

The backups are automated and taken on a daily basis. We delete the data upon receiving the request from the customer/end users/termination of the contract. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Define Service monitoring.

We have an ELK setup in place to ensure data monitoring in the most optimal manner. The audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Does the role of Quality unit during product development and/or during service provision define?

As per the SDLC Policy we follow several distinct stages, including planning, design, building, testing, code review, deployment and maintenance etc. Our code reviews and analysis run through stringent eyes of automated technologies as well as manual source code overview to cover any security loopholes prior to the production phase.

When our company needs to access the logs of Vendor and our company or that of our company’s users for case investigation, how long does it take Vendor to provide complete logs to our company? (1-24 hours is appropriate)

It would depend on the criticality of the investigation and the type of service subscribed. Our team will be able to provide the ETA as soon as they receive the request from you and start acting immediately.

In the admin console, is there an interactive interface to look up our company's user’s detailed information?

Yes. You can check this information from the user management option available for Admin console.

What kind of permission request process do Vendor’s O&M personnel, including DBAs, would go through if they want to refer to our company’s data stored in the Vendor backend system?

You can reach out to us with the help of the help center or can write an email to customer support team

When the Vendor’s operation and maintenance personnel, including the DBA, try to refer to our company’s data stored in the Vendor backend system, is there an audit log record of the entire operation process?

Yes. We maintain and record the Audit logs and complying with various compliance requirements.

When the logs which described above are needed, whether or not can it be completely provided to our company when there is a need for case investigation?

Yes. You may reach out to our support team anytime for requesting these records and they would be able to help you out on this requirement.

When the logs which described above are needed, how long does it take Vendor to provide them to our company? (1-24 hours is appropriate)

It would depend on the criticality of the investigation and the type of service subscribed. Our team will be able to provide the ETA as soon as they receive the request from you and start acting immediately.

Is your system and related data is set to back up automatically on a regular basis?

Yes. We deployed our application on AWS and AWS provides the data backup service as well.

Are there any other compliance qualifications? If so, please list out in detail

Yes. We are ISO 27001:2013 certified and GDPR Compliant.

Summary of key risks based on risk assessment reports

We have implemented the risk assessment procedure and conduct the risk assessment annually as per the compliance requirements.Risk assessment is used to identify the risks encountered by the information-processing facilities (or individual system components). The aim is to estimate the impact and probability of a threat occurrence. The risk assessment procedure is having Risk, Likelihood and Impact. The risk ranking is done based on the Residual Risk Rating such as High, medium and low. Attached the Risk Management Procedure for your reference.

A risk management process shall be used to balance the benefits of cloud computing with the security risks associated before engaging with a Cloud Service provider.

Risk Management Procedure has been used to validate the security compliance of AWS. AWS Compliance certifications and attestations are assessed by a third-party independent auditor and result in a certification, audit report, or attestation of compliance. AWS is ISO 27001, SOC 2 Type II certified and complied with CSA start level 2. Please click here for more details about AWS Compliance Programs - https://aws.amazon.com/compliance/programs/

The risk assessment framework adopted by NSE may be used for the cloud service risk assessment.

Yes. We can use the risk assessment framework adopted by NSE for cloud service risk assessment.. Please provide the same.

The outcome of the risk management process shall determine the model and controls that shall be adopted.

We comply with this requirement. The risk assessment procedure has defined the Risk Acceptance Criteria, Benefits, Components, Impact Rating, Risk Treatment, Risk Acceptance etc and all the controls identified in our risk assessment as per the industrial standard like ISO, SOC2, NIST, GDPR etc.

The Cloud Service Provider shall ensure that it will demonstrate compliance with NSE policy requirements and regulatory requirements.

Sure. We are ISO 27001;2013 and GDPR compliant. We have policies and procedures in place with all the required compliance controls.

The Cloud Service Provider shall conduct annual audit by an independent third-party auditor to check the design effectiveness as well as their operating effectiveness of their internal controls covering the principles of Security, Availability, Confidentiality, and Privacy.

We comply with this requirement. We conduct annual audit by the independent auditors to test the controls in place with regards to Information Security management system(ISMS) and also for testing the service organization controls(SOC)covering the principles of Security, Availability, Confidentiality, and Privacy. AWS is also SOC 2 certified.

NSE shall be provided access to these reports as and when required.

Sure. Attached the ISO certificate and we are in the Audit process for SOC 2. we will provide the same once the audit is completed.

The Cloud Service Provider shall provide complete visibility to ensure NSE's services are being processes and delivered in a secure manner.

We are ISO 27001;2013 certified, GDPR compliant and in the process of SOC 2 audit. We make sure that our customer data is safe and secure and meet all the compliance requirements and industry best practices. Xoxoday has built the Information Security Management System (ISMS) which includes the respective policies to be followed in a diligent, consistent, and impartial manner.

NSE shall have all the Service Level arrangements documented in the agreement/ contract with the Cloud Service provider guided by NSE’s Outsourcing Policy.

Our legal team would review and agree the terms and conditions.

NSE shall review the Service Level Agreements (SLA) for amendments, annually or as when required.

We agree. NSE can review.

Cloud Service Provider shall provide regular reports on the SLA achieved and compliance to the agreement/contract to NSE. The frequency of reporting shall be mandated in the agreement / contract.

Our legal team would review and agree the terms and conditions.

Any breach in the SLA by Cloud Service provider shall be reported as mandated by NSE.

We will inform NSE if there is any breach.

In a multi-tenant cloud architecture, the Cloud Service Provider shall ensure that NSE's data shall be isolated and inaccessible to any other tenants.

The data isolated between customers. We use logical data isolation with the help of company specific encryption keys.We use TLS1.2 encryption for Data in transit and AES256 for Data at rest

Any access by other tenants to NSE’s data shall be considered as a breach and the Cloud Service Provider shall ensure the breach notification process is followed.

We agree. We have implemented the data breach notification procedure.

Cloud Service provider shall notify NSE of any potential breach incident or any actual breach as mandated by NSE.

We agree. We will notify NSE.

NSE shall ensure that the cloud computing services can be ported to any other Cloud Service Provider or to other data centres with least impact to business.

We agree.Currently, we do not have any plans as such.

The Cloud Service Provider shall ensure all the information related to NSE is handed over to NSE in a useable format.

All the data will be stored on AWS cloud We have the disposal policy in place and implemented mechanisms for secure disposal and removal of data.

On completion of the transfer, the Cloud Service Provider shall delete all the data and information from its infrastructure and provide a certificate to NSE that the data has been securely deleted and the same cannot be recovered by any means.

We agree. We will delete the data upon termination of the contract or request and confirm. Our data cleaning process goes through an organized purge. Once the data is purged, it's purged from all places.

Wherever applicable, NSE shall maintain an up to date inventory of hardware, software and virtual assets hosting NSE’s applications and data.

We have implemented Asset Management Procedure in place and maintain all the records of IT Assets like, hardware, software, licenses, accessories etc.

The inventory shall be reviewed and updated as per the Asset Management Policy of NSE.

We review and update the inventory as per the Asset management policy.

Cloud Service Provider shall ensure that no database server, application server or storage devices hosting NSE’s data & information be made publicly available over the internet.

The database server, application server or storage devices hosting NSE’s data & information is not made available publicly. We isolate our machines, network and storage with respect to the AWS Standards in order to keep it safe and secure

When is live (standard service) phone technical support available? Is backup (phone or email) available for off-hours?

Yes, one can write to us at our 24*7 support team at cs@xoxoday.com

Describe the training that is available with the initial system installation.

We help the clinets in setting up from both admin and end user side, and traiing is also provided on how application can be used for hasslefree awards distribution

What type of training does your company recommend, require, and offer?

We provide trainging over internet , if possible we provide telephonic assistance also.

Do you provide "on-demand" training over the Internet? If so, what training is available to users? Is there an associated cost?

Yes we provide "on demand training" , this incur no additional cost to the company

What is your escalation process for support issues? Describe in detail.

We have a 24*7 available support team, once a ticket is generated , It is assigned to one of the cs team executive and we intent to solve the issue within next 24hrs.

Who will have access to UP data? (Just Supplier employees? Contractors? Employees and contingent employees?)

Xoxoday employees and third party would have an access. We provide acess on case to case basis as per the Information security and access control policy. We also have role based access system to meet the compliance requirements of the data security . The data is hosted on Amazon Web Services (AWS)

Describe your employee and contractor background checks

We do conduct employees and contractors background verification as per the compliance requirements before onboarding process. We will onboard them only after passing the background verification. We are ISO 27001:2013 certified organization.

How do you monitor third parties that have access to UP data?

We conduct periodical review of the access provided and make the necessary chages as per the Role based access management and access control policy. We also conduct Internal and external audits in a timely manner.

Does the cloud service provider require the use of two-factor authentication for the administrative control of servers, routers, switches and firewalls?

Our Information security compliance policies and procedures are established and implemented to enforce two-factor authentication

How is user access monitored and documented?

We are ISO 27001:2013 certified organization The User access are monitored and recorded internally as per the compliance requirement and Access Control Procedures.

i. Network IDS?

Yes we have implemented intrusion detection tools, we ensure timely detection and investigation in a prompt manner.

ii. Host IDS?

Yes. file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation.

iii. SIEM?

Yes. Implemented SIEM

Are security controls audited on an annual basis?

Yes. All the controls are audited annually.

Can documentation be provided that can show how UP data cannot be compromised by other customers or non-customers of the Supplier?

Yes, We will share the Data protection policy. Access control policy and Information security policies

What is the size and relevant experience (in years) of the security and incident response teams?

Size of the team is 5 and all are having 5+ years of experience

What data is required to be shared and stored by the Supplier?

personal data is stored are registered databases that comply to all necessary inputs of a standard inventory repository and its transit scrambled for maximum security.

How is the data stored?

We use AWS Platform for storing the data. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records.

How are users authorized to access data through provided service?

As per the Information security policy and Data protection policy only the authorised individual have an access to the data through internal approving and ticketing system.

Is planned/scheduled maintenance included in the calculated uptime? Will it count against the SLA?

No. Planned downtime will not be calculated uptime

Does planned/scheduled maintenance count against the SLA?

No. Planned downtime will not count against the SLA

What is your resiliency, reliability, back-up and disaster recovery strategy?

We have Business Continuity Policy and Business Continuity Management Procedure in place and effectivly working.

How often are these processes tested?

We test it annually once as per the compliance requirements.

Describe your established maintenance window.

Xoxoday's architecture goes through constant upliftment and experiences no downtime during upgrades and maintenance windows.

Describe in detail your service or mitigation plans to continue to make the service available to customers during a denial of service attack.

We have Business Continuity Policy and Business Continuity Management Procedure in place and tested periodically. And also our Policies has been reviwed and Audited annually.

Does the architecture of the provided service include redundancy of security systems, including firewalls, IDS/IPS, any other critical security service?

Yes. We have implemented IDS/IPS, Firewall and our security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting

Does Supplier have established procedures for cooperating with local government and law enforcement requesting customer data?

Yes. We have procedures in place to support Government

Describe your established procedures for cooperating with local government and law enforcement requesting customer data.

We have the clauses for suppporting local government and law enforcement requesting customer data in data protection policy. We will share the copy of it.

Which cloud providers do you rely on?

We have deployed our application on Amaon web services (AWS) AWS is designed to help us build secure, high-performing, resilient, and efficient infrastructure for our applications. AWS is also ISO 27001:2013 and SOC 2 type II Certified and provide all applicable security to the data center.

Does the penetration test follow an industry approved methodology, please describe

Yes. We have industry approved vendor called Appknox for Vulnerability assessment anf Penetration Testing. Appknox performs Static, Dynamic, API, and as well as Behavioral Analysis. And they helps to detect and address security vulnerabilities.

Please describe the company/user data you require to provide your service: personal information, financial data, confidential/sensitive data, government data

We collect only personal information through our application. We collect name, email ID and mobile numbers.

Do you have capabilities to anonymize data?

Yes. We have capabilities to anonymize data. By Anonymization users are able to make use of sensitive information without having access to the identifiable data items. And its used within a secure environment with employee access on a need to know basis.

Do you keep sensitive data (as defined by your data classification matrix) in hard copy (e.g. paper copies)? If so, please describe.

No. we do not have it in hard copy

How do you regularly audit your critical vendors?

Yes. We conduct vendor Risk assessment and also external Auditor validate the critical vendor documentations during the annual and Internal Audit.

Do you have a formal Information Security Program (InfoSec SP) in place?

Yes. We have Information Security Program

Do you review your Information Security Policies at least once a year?

Yes. We review Information Security Policies every year.

Do you have a Information security risk management program (InfoSec RMP)?

Yes. We have Information security risk management program

Do you have management support or a security management forum to evaluate and take action on security risks?

Yes. Our management is supportive and evaluate, Recommend and take action on security risks

Do you have a dedicated information security team? If so, what is the composition and reporting structure?

Yes, we have Information security team and the Infosec head is reporting to Chief Operating Officer of Xoxoday.

Do you publish a path for responisble disclosure of security vulnerabilities (ie security@ or /security)?

Yes

Do you have an established bug bounty program?

Yes. Please visit here for more details - https://www.xoxoday.com/bug-bounty

Are all endpoint laptops that connect directly to production networks centrally managed?

Yes. All the endpoint laptops that connect directly to production networks centrally managed

Describe standard employee issued device security configuration/features. (Login Password, antimalware, Full Disk Encryption, Administrative Privileges, Firewall, Auto-lock, etc.)

All the employees laptop is secured with Bitdefender end point security software. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

Does sensitive or private data ever reside on endpoint devices? How is this policy enforced?

No. sensitive or private data never reside on endpoint devices. This is enforced throgh access control policy.

How do you keep aware of potential security vulnerabilities and threats that may affect your service?

We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour.

How is your Incident Response Plan tested? Include how often.

Yes. Our incient response plan is tested every year as per the ISMS requirements.

- Describe how threat modelling is incorporated in the design phase of development?

We follow SDLC policy during the design phase of devolopment. See SDLC procedure attached

How do you train developers in SSDLC / Secure Coding Practices?

We have SDLC procedure and Information System Acquisition Development and Maintenance Procedure. Devolopers are trained on the Secure Coding Practices as soon as they joined our organization

How do you monitor vulnerabilities in dependencies?

We conduct vendor risk assessment and collect all the required security policies, procedures, VAPT reports, ISO 27001, SOC 2 reports. And also our internal and exteranal auditors validate the security controls of our crtical vendors during the Audit.

Do you outsource development? (contracted with a 3rd party? open source project inclusion?)

NO

What types of security reviews do you perform on custom-built software?

NA. We do not have custom-built software

Does application support IP whitelisting for API access?

Yes

How do you conduct internal audits (audits lead by your personnel) of the service? please describe the scope, remediation process and frequency of audits.

Internal Audit has been conducted by the inhouse Infosec and ISMS Lead Auditor. All the projects, business processes and ISMS controls has been included in the scope and opportunity of improvements has been communicated to all the respective teams with the remideiation plan. And the frequency of the Internal audit is annually.

How do you conduct external (third-party) audits of the service? please describe the scope and frequency of audits.

We have the external Auditor for ISMS Audit. All the projects, business processes and ISMS controls has been included in the scope and opportunity of improvements has been communicated to all the respective teams with the remideiation plan. And the frequency of the external audit is annually.

Please provide a copy of the most recent report.

See ISOIEC 270012013 Certificate and Internal Audit report attached.

Do you seek a right to use or own customer derived data for your own purposes?

NA. We do not use for own purposes

Do you have a formal Information Security Program (InfoSec SP) in place?

Yes. We have Information Security Program

Do you review your Information Security Policies at least once a year?

Yes. We review Information Security Policies every year.

Do you have a Information security risk management program (InfoSec RMP)?

Yes. We have Information security risk management program

Do you have management support or a security management forum to evaluate and take action on security risks?

Yes. Our management is supportive and evaluate, Recommend and take action on security risks

Do your information security and privacy policies align with industry standards (ISO-27001, NIST Cyber Security Framework, ISO-22307, CoBIT, etc.)?

Yes

Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?

Yes. All the employees and third party service providers are required to sign Confidentiality Agreements to protect customer information as per ISMS compliance requirements.

Hardware security

We have dedicated IT Team and Admin team who looks after the hardware security and, we have implemented the security controls as per the ISO 27001:2013 and SOC 2 Compliance requirements. We are hosting our application on AWS, and they are providing physical security to our data centre. We have Asset Management Procedure in place to identify, classify, label, and handle the Information and Information assets according to their criticality and sensitivity. We have Media protection procedure to handle the locally stored data as per the Information security compliance requirements.

Paper Document Security

As per the Physical and Environmental Security policy we have security guards and CCTV Camera’s to safeguard the office building and also to provide an access to the building only for the authorized individuals. We also have Media protection policy which also defines on how to handle the Paper documents as per the compliance requirements. Physical documents are handled with at most care and followed the policies and procedures of an organisation to make sure that the data is protected.

Physical access control

We have Physical and Environmental Security policy and Vendor management guidelines in place and working effectively. We have implemented controls on Physical entry, Securing offices, rooms, facilities, Working in secure areas, Delivery and Loading areas etc. Only the authorised individuals will get an access upon verification. And we also conduct periodical verification of the effectiveness of these controls periodically through internal and external Audit. We provide access to the outsiders or suppliers on approval and escorting mechanism of vendor management guidelines by issuing the access cards.

Maintenance - Describe here how physical maintenance of hardware is managed

All our assets are classified, labelled, and maintained in the register by our IT Team. Access granted only to, authorized individuals. We have locked environment for our hardware’s which would store the data. We also have implemented the Media protection procedure to protect the data which are stored physically.

Backups - Indicate here how backups are managed. Clarify whether they are stored in safe place

Yes. Backups are stored in a safe place. We have backup Recovery Procedure and implemented the controls to protect the organization information asset from the damages that may be caused due to failure of hardware system, corruption of software, breaches leading to data destruction and or not being able to retrieve and use. We predominantly work on cloud-based infrastructure and the teams may consider adoption of Amazon Web Services which provides the Backup and Restore services to build scalable, durable and secure data-protection solutions. AWS claims the following benefits and the teams may evaluate the benefits to the respective context that may lead to realize the following outcomes: 1. Data Type and Durability 2. Flexibility and Scalability 3. Security and Compliance The following AWS based offering for the following use cases offered by AWS may be considered based on the contractual needs of the subject under consideration: 1. Hybrid Cloud Backup 2. Data Lifecycle Management 3. Tape Replacement 4. Global Data Resiliency 5. Data Backup 6. Archive & Compliance

Governance- Describe the documentary base setting out data protection objectives and rules

We are ISO 27001:2013 certified and GDPR compliant organization. We have Information security policy and Data security policies in place with regards to data protection. We make sure that the below principle of data security has been followed as per the compliance requirements. 1. Fairness and lawfulness When personal data processed by us, we make sure that the individual rights of the data subjects must be protected. We will ensure that the personal data is collected and processed in a legal and fair manner. 2. Confidentiality - Restriction to a specific purpose We make sure that the any processing of personal data should be lawful, fair, and transparent. Personal data will be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation. 3. Transparency We make sure that we maintain the transparency with regards to the data collected, stored and disposed. We also provide rights to data subjects as per the GDPR compliance requirements. For ex - Right to Rectification, Right to Portability and Right to be Forgotten. 4. Integrity and data security Personal data is subjected to the data secrecy. We have controls on confidentiality, Integrity and data security. We follow secured suitable organizational and technical measures to make sure that the data is protected from an unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction etc. Sensitive data - We do Inform involved parties about how we will process their data Inform involved parties about who has access to their information Have provisions in cases of lost, corrupted, or compromised data Allow involved parties to request that we modify, erase, reduce or correct data contained in our databases. Sensitive data - We do not Communicated informally. Stored for more than a specified amount of time. Distribute to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities. In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs.

Managing Privacy Risk - Describe processes to control the risks that processing operations performed by the organisation

We have controls in place to protect the information or to maintain privacy. We conduct Data Privacy impact assessment and Audits periodically as per the compliance requirements. We have Personally Identifiable Information Policy, Data Security policy, Data Subject Access Rights Procedure, Data Retention and Disposal Policy as per GDPR compliance.

If the customer data will be held by a subcontractor to your organisation, how will you ensure that their Information Security meets required standards?

We conduct periodic vendor risk assessment. Information security documents are validated by theiInternal and external auditors during the assessments.

Will an asset register be completed to log all assets holding the customer data and who is responsible for updating it?

Yes.

How will you decide which of your staff (support, development etc.) need access to the the customer system and data? How will you manage that access and what controls are in place, to ensure that privileged access rights will be restricted and controlled?

We have an access control policy. The policy is attached for reference. Only authorised employees will have access to the data.

Is your organisation ISO/IEC 27001 or similarly certified or compliant? Please provide details. If yes please provide evidence and skip section 5.

Yes. Xoxoday is ISO/IEC 27001:2013 certified organization. See certificate attached.

If the customer data will be held by a subcontractor to your organisation, how will you ensure that their Information Security meets required standards?

We conduct periodic vendor risk assessment. Information security documents are validated by theiInternal and external auditors during the assessments.

Have all information security responsibilities within your organisation been defined and allocated including: maintaining appropriate contacts with relevant authorities and groups ensuring information security is addressed in project management ensuring that conflicting duties and areas of responsibility are segregated

Yes. We have a well-defined policy for roles and responsibilities. We have communicated each employee about their responsibilities across the organization. We do maintain appropriate contracts with relevant authorities and ensure that applicable regulations are complied with

When a person working with the customer data no longer performs that role, are their permissions to the customer data revoked?

Yes. We provide these rights to the data subject as per GDPR

Is your organisation’s Information Security Management System (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed, internally and independently audited for compliance at planned intervals or when significant changes to the security implementation occurs?

Yes. We conduct internal and external audits and all the applicable controls have been validated as per the compliance requirements.

Have all relevant statutory, regulatory, contractual requirements, (including: intellectual property rights, protection of records, protection of personally identifiable information and cryptographic controls) and the organisation’s approach to meet these requirements, been explicitly identified, documented and kept up to date, for the/each the customer information system?

Yes

Describe how and when media containing the customer data would be securely destroyed and how you would evidence this?

We have a media handling procedure. See attached for reference.

Will any physical media containing the customer data, be transferred outside your organisation and if so, what procedures will be in place to protect the media from compromise?

No. We do not transfer the data outside our organization.

Is there a documented standard procedure followed for building and hardening host machines? If so please attach a copy.

Yes. See Infrastructure Change Control Procedure attached.

Are these procedures periodically reviewed and kept in line with current best practice?

Yes.

How will security incidents relating to the customer data be reported to the customer?

Security inceidents will be reported by our Information security team or customer support team within 48 hours.

What physical measures (e.g. CCTV, Coded Locks, Guards) will be in place to protect the customer data that is stored: At your offices/location At the data centre How will these controls be managed and monitored?

We have implemented physical security controls as per the compliance requirements. We have CCTV, access cards, security guards for monitoring and only authorised individual have access.

Emergency, temporary or test accounts should be documented, have a specified period of validity and terminated immediately after validity period expires.

Segregation is done for production and non-production or Testing environments. We maintain the test accounts seperately and delete or terminate the accounts immediately once the testing is completed. Only Admins have an access to create these tests accounts on need and approval basis.

Responsibilities and duties for system users shall be segregated based on the defined roles.

We have implemented the Roles and Resposibilities policy and defined the Duties of all the system users and segragated based on the defined roles. Only authorised individual will have an access to the Information system on need and approval basis.

There should be a minimum three types of user groups for systems and applications (e.g. operator, supervisor, engineer, domain administrator, etc.) where technically feasible.

We maintain these records for Audit purposes.

Role based user accounts shall be implemented for operation users (operators, supervisors, shift controller, engineer, etc.) with specific and defined privileges based on the principle of least privilege for each role.

We have controls in place to monitor the user access system. We have implemented Role based access management system through access control policy. Our application also supports Role based access control system to make sure that only authorised individual will have an access to the Information system on need and approval basis.

Privileges for all accounts used with the customer assets shall be identified and documented.

We maintain these records for Audit purposes.

All the customer system accounts shall be secured utilising the following mechanisms: - Default credentials shall be removed, disabled and/or changed (e.g. guest, administrator, factory configured user, etc.). - Authorised service accounts shall have mitigating controls in place. (e.g. no interactive login, etc.) and be configured to never expire nor auto-disable. - Interactive logon for service accounts shall be disabled and wherever feasible, managed service accounts shall be used). - Both successful and failed login attempts shall be logged. - Multi-factor authentication shall be used wherever possible for all privileged access. - Ensure that privileged accounts are used only for system administration activities. - Enable account lockout for invalid login attempts wherever feasible; when this feature cannot be enabled, ensure alternate compensating controls are in place. - Ensure password history shall not allow reuse of last ten (10) passwords.

We are Compliant. We monitor these controls on a periodical basis and also during the internal and external Audits. Successful and failed login attempts will be logged, we use privileged accounts are used only for system administration activities,we remove default credentials and use the new credentials for all our systems.

Where strong authentication and identity verification is required, authentication methods alternative, or additional, to passwords, such as cryptographic means, smart cards, tokens or biometric means, shall be used.

We use Multifactor authentication menthods to make sure that only authenticated individual have an access to the Information system wherever strong authentication is required. We use Biomentric verification and access cards methods for physical security purposes.

When an asset cannot support the use of automated mechanisms to enforce access restrictions, alternate security controls shall be used. The justification and details for those controls should be documented to support subsequent audits, including: · Restricting physical access. · Monitoring and recording physical access. · Ensuring authorised individuals are trustworthy and reliable. · Conducting post-maintenance audits to validate that changes are implemented correctly.

We have these controls in place. We have a restriction for Physical access, monitor these access periodically and validate to make sure that only the authorised individual have an access.

Temporary account user name and passwords shall be communicated in a secure manner following these practices: • When users are required to change the passwords, they should initially be provided with secure temporary authentication information, which they are immediately forced to change. • Verify the identity of a user prior to providing a new, replacement or temporary password. • Temporary authentication information shall be unique to a user. • Users shall acknowledge the receipt of temporary passwords.

The credentilas has been comminocated via secured mode to make sure that confidentiality is maintained.

All access to the customer networks and services, local or remote, shall be specifically authorised through processes prior to allowing such connections. Processes shall ensure that all entity networks and services information security requirements are met before approvals.

We are Compliant.These controls are audited during the internal and external Audits.

All users and access to the customer networks and services shall be documented.

We are Compliant.Only authorised individual will have an access.

Where technically feasible, ensure all authentication attempts (successful and unsuccessful) are logged up to the capabilities of the authentication system.

We are cothe customerant. We maintain the records of Audit logs.

Only protocol ports and services required for proper functioning of the system or application shall be allowed on each system.

We have restricted the access of external harddrives, USB etc for all the systems through Active directory and End point security.

All network filtering mechanisms (e.g. firewalls) shall apply an “opt-in” principle with a fail-safe mechanism (i.e. default deny rule that drops all traffic, except that which is explicitly allowed and if an error/failure occurs the system should fail in a secure manner: security controls and settings remain in effect and are enforced).

We have the security controls in place. We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network.

All equipment connected to the customer networks shall be identified and classified based on the defined classification scheme. All equipment connected to the customer networks should have appropriate technical and/or business justifications supporting the need for that connection.

We have implemented the asset management procedure to identify, classify, label and handle the Information and Information assets according to their criticality and sensitivity.

Unique identifiers shall be developed in, or attached to, the equipment to indicate whether the asset is permitted to connect to the network.

We have labeled the aseets in order to identify and make sure that the access control permissions are maintained.

Where technically feasible, implement network-based technical controls that detect and prevent connections and/or attempts to connect equipment to the customer networks.

we have implemented intrusion detection and prevention tools, we ensure timely detection and investigation in a prompt manner.

Detection capabilities should be augmented with event correlation (e.g. SIEM) used to correlate approved and expected connections of equipment to the customer networks.

These are integrated with security operations/SIEM solutions.

All routing equipment shall be specifically authorised through processes prior to allowing equipment or routing connections. Processes shall ensure that approvals are based on clearly defined technical and business justifications for those communications.

We take an approval from the concerned authority before procuring the equipment or routing connections and test the same before installing it.

Network devices shall be securely configured taking following measures into consideration: · Source and address violation rules. · Router protection (e.g. hardening). · Specific sub-netting for publicly accessible systems. · Boundary protection device for external connections. · Monitoring for suspicious traffic.

All the network devices are securely configured and we always make sure that we monitor the same on regular basis and take appropriate action on any detections.

Wherever feasible, vendor-supplied software packages shall be used without any changes.

We use vendor supplied softwares without any changes wherever feasible, if all the security controls are in place.

When changes to software packages are required, the following shall be considered: · Responsibility for future maintenance of the software. · Compatibility with existing application software. · Risks of existing application controls being altered or compromised.

We consider these factors before making these changes to the softwares.

Where technically feasible, any changes to software shall be tested in a non- production/test environment before moving it to a production environment.

Yes, we test the changes made on testing environment before moving it to a production environment.

Based on the information asset’s classification, controls shall be applied to restrict access to information and applications.

Only authorised individual have an acces to the approved information assets.

Service account passwords or application hard-coded passwords that cannot be changed shall be documented and additional compensating controls shall be identified to protect and monitor such systems.

we are compliant. We document or have a track of all the changes made to protect the information system.

Security requirements shall consider: • The level of confidence required towards the claimed identity of users, to derive user authentication requirements. • Access provisioning and authorisation processes, for business users as well as for privileged or technical users. • Users and operator’s duties and responsibilities. • Requirements derived from business processes, such as transaction logging and monitoring, nonrepudiation requirements. • Requirements mandated by other security controls, e.g. interfaces to logging and monitoring or data leakage detection system.

We are compliant and have these controls in place.

Contracts with vendors shall include the requirements for secure design, coding, testing practices and a warranty clause that the software/system is free from security vulnerabilities.

We have the appropriate clauses in the agreements wherever necessary.

Document/guide for secure use or operation of the supplied system or component shall be provided

We provide guidance for using our products appropriately and take all the possible benefits.

Patch management policy and process is in place to cover patch qualification, patch distribution, update and auditing process

We have the controls in place. All the Critical patches will be deployed immediately

Third parties shall address security vulnerabilities brought to its attention by the customer in a timely manner.

We inform our customers on the vulnerabilities wherever is required from the compliance perspective.

For any hardware, software or firmware, supplied, a quality certificate (QC) ensuring that all provided hardware, software or firmware is free from any dormant malicious programmes should be provided.

Our product is free from dormant malicious programmes

All systems shall be tested prior to acquisition and prior to accepting new systems into operational environment based on predefined criteria.

We test the systems before deploying into operational environment.

Identify and document criteria for testing new features or enhancements to existing systems or assets.

We have implemented the System Devolopment Life Cycle procedures and all the testing of new features are documented.

Define criteria for accepting products (e.g. in terms of their functionality), to ensure identified security requirements are met.

We conduct security assessments before accepting the products and take appropriate approval to make sure that all the security requirements are met.

Ensure tests are performed and results are documented.

All the test results are documented.

Where the functionality in a proposed product does not satisfy the specified requirement, the risk introduced, and associated controls should be documented and reconsidered prior to purchasing the product.

We record these in the Risk register and documented before purchasing the product.

All system vendors and third parties shall follow security test processes outlined in the system and services acquisition process document (e.g. FAT, SAT, unit testing, integration testing and UAT)

We make sure that these are met before acquiring and products.

the customer responsible staff shall sign-off and certify that all relevant security requirements have been tested satisfactorily before turn-over to operations.

The customer responsible staff can confirm upon validation of the security requirements.

Any variation between system design and system implementation shall be recorded and security risk assessment shall be conducted to determine mitigation strategies.

All the design and implemetation has been documented. We conduct the security Risk assessment in order to identify and mitigate the risks.

Transfer and use of production data in development and test environments is prohibited and where and when technically not feasible shall be authorised, protected (encryption, access control etc.), logged and only for a determined period.

We have kept Testing and production environment seperately. We do not use any data from our production environment for testing purposes.

All software and hardware acquisition contracts shall include identified rules and requirements and require compliance and the possibility to audit the development processes.

All our contracts or agreeements are having appropriate clauses with regards to security compliance, privacy, Audit requirements etc.

Only licensed third-party libraries and components shall be used.

we use only licensed softwares or assets

Formal change control processes shall be used to manage changes to software code, taking into account that: • Impacts of changes to software are understood using risk assessment methodologies. • Changes do not compromise exiting security and control measures. • Existing documentation is updated. • Acceptance testing is performed to validate if system behaves only as expected.

We are compliant. We maintain these records for Audit purposes.

When software or application development is outsourced, the following security requirements shall be controlled: • Licensing arrangements, code ownership and intellectual property rights related to the outsourced content. • Contractual requirements for secure design, coding and testing practices. • Provision of the approved threat model to the outsourced developer. • Acceptance testing for the quality and accuracy of the deliverables. • Provision of evidence/certification that security thresholds were used to establish minimum acceptable levels of security and privacy quality. • Rights of access for audit of the quality and accuracy of work.

We have not outsourced.

Vendors and third parties shall provide documented artefacts to ensure that security controls as requested within this manual are instituted in the system.

Attached the Information Security Manual. It prescribes the policies that govern the management and administration of the Information Security Management System (ISMS) for application.It specifies the scope and the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the information security controls.

All supply chain requirements are also applicable to work subcontracted by vendors and third parties to develop, test or integrate systems for the customer.

We have not subcontracted or outsourced any of services with regards to the product.

All conditions under which the transfer of information/data must be protected shall be documented and maintained.

We have documented the Transfer of Information and it’s a part of our Information security policy

Actions to be taken when issues arise regarding the transfer of information/data must be identified and documented.

We do not transfer the data. But if its necessary it will be done only upon the approval of the management.

To ensure information is adequately protected during transfer, specific controls and procedures shall be identified. Security controls shall be appropriate to the strictest classification level of the information/data to be handled. Such countermeasures may include encryption and/or cryptographic signatures, physical restriction to assets and/or access control mechanisms.

We have documented the Transfer of Information and it’s a part of our Information security policy

An exchange of information agreement with each external party outlining clear roles and responsibilities of each party must be established. Consider security conditions such as: • Ensuring traceability and non-repudiation. • Responsibilities for tracking message transmission, dispatch, and receipt. • Licensing and escrow agreements. • Ownership and responsibilities for data protection, copyright, license compliance, etc. • Responsibilities and liabilities in the event of security incidents, such as loss or disclosure of data. • Selection and audit criteria for couriers or escrow agents. Maintaining chains of custody for information being stored or transferred, including documentation and management of access control levels.

We do not transfer the data. But we follow these compliance requirements if there are any data transfers. We have implemented the Information security and Data security policies in order to make sure that we secure our organizational and customers information.

Records of media transfer shall be kept.

We maintain these records for Audit purposes.

Monitor and audit the log records to ensure requirements are being met.

We monitor and audit the logs.

Document and maintain up-to-date all points of interconnection between information/data systems and the types of information/data to be protected regarding the identified interconnections.

We are complied. We have controls in place to make sure that Information system is protected.

A security risk assessment shall be conducted to determine which message’s authenticities and integrities are critical to prevent unacceptable impacts to the customer.

We conduct the Risk assessment to identify and mitigate the risks involved.

Monitor message tampering and source spoofing for messages for which authenticity and/or integrity need to be ensured.

We use Google workspace as email solution and adequate security features has been enabled to make sure that Information system is protected.

Large Screen Displays (LSD) connected through Video Controllers/Ethernet cards shall not be shared with any the customer corporate network. However, sharing direct LSD ports with any other network without connecting through Video Controller can be allowed.

We do not connect.NA

Appropriate compensating controls shall be in place to protect against security threats to weak protocols (e.g. protocols lacking encryption or authentication mechanisms).

We make sure that all the controls and compensatory controls are in place in order to protect against the Security threats.

Any traffic between OT/IT networks shall to be officially approved after a security risk assessment on the suggested traffic, and documented with business justification, the risk it represents and the controls that will be used to reduce the risk to an acceptable level.

We have implemeted the risk management procedure and defined the Risk Treatment, Risk Treatment, Risk Mitigation, and Risk transfer etc

Serial Interfaces shall be secured based on security risk taking in consideration the following: • Employ protection and detection capabilities where applicable and subject to vendor’s confirmation of proven performance. • Compensating/alternate security controls shall be employed where mitigation measures cannot be applied due to technical or operational infeasibility.

We have implemeted the risk management procedure and defined the Risk Treatment, Risk Treatment, Risk Mitigation, and Risk transfer etc We implement the Compensating security controls wherever measures cannot be applied due to technical or operational infeasibility.

Ensure security requirements and service outages are captured in service level agreements for network services. Include auditable security requirements.

We maintain these records for Audit purposes.

Audit network services provider as defined in the service agreement.

It’s a part of our Internal and external Audits.

All systems and equipment shall be maintained to assure that security has not been degraded below the accepted level. Preventive maintenance shall be performed at least once a year.

We make sure that these controls are in place and security has not been degraded below the accepted level. We also validate these controls during our internal and external Audits.

Temporary override of security controls such as application whitelisting, DLP, HIPS, etc. shall be allowed only for legitimate job requirements by authorised personnel with approval after a security risk assessment and compensating controls are implemented.

We have implemented the role based access system and change management policy in order to make sure that we provide an access to an individual only upon need and approval basis. All the changes has been tracked and maintained the records for audit purposes.

Identify all products and components (e.g. physical and logical) used within the entity that are programmable/configurable (this may be acquired through, and documented within, the asset inventory).

We have a up to date records of all the assets used.

Define and document mandatory products and components configuration baselines based on security best practices and the customer defined standards.

We make sure that we follow the Industry best practices and security standard to make sure that we secure the information asset.

Any deviations to the the customer defined configuration baseline (e.g. application/system incompatibility, lack of vendor approval, etc.) should be recorded and appropriate compensating controls shall be implemented.

We make sure that we follow the existing security controls and implement the compensatory controls to make sure that the information system is secure.

Passwords protecting the BIOS/initial logon from unauthorised change shall be implemented. For systems where it is not technically feasible to password protect the bios, alternative measures shall be implemented.

We have implemented the control.

Potential adverse impacts to the customer environment associated with the use of troubleshooting and other tools shall be evaluated through security risk assessment before approving the use of these tools.

We conduct the Risk assessment to identify and mitigate the risks involved.

Security health checks shall also be carried out and documented during each maintenance cycle. Include topics such as: · Inventory register check for any inconsistencies. · Inter-communication architecture. · Open ports and services. · System hardening. · Protection from malicious code. · Up-to-date security patches. · Equipment backup. · Performance and capacity monitoring. · Renewal of subscription licenses.

Compliant.We review and validate these controls on a periodical basis and These are part of an Internal and external Audits.

If during security health checks changes to approved baselines are discovered a report shall be generated and reviewed.

Compliant.We review and validate these controls on a periodical basis.

Records shall be maintained, for a period of five years or as legal, regulatory or operationally required, of all suspected and actual faults, and all preventive and corrective maintenance activities.

We maintain these records for Audit purposes.

All test and development environments shall be required to meet specifically defined security requirements designed to support the integrity of these environments and prevent introduction of threats to the production environment.

We have the required security controls in place.

Obsolete systems shall not be used and plans to replace/refresh must be established to reach an acceptable risk level and support.

We do not use outdated computer hardware, software, technology, services or practices

Upgrade plan for OS obsolescence, HW/SW obsolescence etc. for all systems, assets and components shall be based on the criteria that it is obsolete and/or resulting high maintenance costs and no system vendor support is available.

We upgrade the systems make sure that do not use outdated computer hardware, software, technology, services or practices

Where technically feasible, employ anti-malicious code protection mechanisms for the network devices as well as servers, workstations, laptops and other devices connected to the the customer environment.

We have installed the end point security software on all the computers and servers to keep the computer and personal information protected.

Anti-malicious code protection (including supported anti-malware products, configuration settings, etc.) for IT\OT assets shall be endorsed by the vendor.

We have installed the end point security software on all the computers and servers to keep the computer and personal information protected.

Any deviations to the entity-defined anti-malicious code requirements (e.g. application/system incompatibility, lack of vendor approval, etc.) shall be recorded. Risks due to deviations shall be managed to entity acceptable levels through compensating controls.

We are compliant.

Anti-malicious code protection tools shall be monitored for detection events and alerts.

We have enabled these features.

Anti-malicious code shall be deployed: • All asset that supports anti-malicious code software shall have it installed and enabled. • Assets for which the installation of anti-malicious code software is not technically feasible shall be documented and mitigating controls shall be applied to reduce the risk of infection. • Anti-malicious code software on assets shall be configured to automatically scan removable storage media when connected to the asset. • The frequency for performing a full scan and use of automated or manual full scans on the assets shall be determined based on an impact assessment of the scan on the operational performance of the assets. • All OT assets supporting the use of anti-malicious code software shall be updated to the latest qualified release and checked for computer malicious codes before being installed into, or connected to, the OT environment. • A centralised anti-malicious code server shall be used for system networks for deploying the definitions to the assets (e.g. workstations and servers). • Regular/periodic updates of anti-malicious code signature files shall be carried out for assets. The frequency of update, not to exceed two weeks, shall be defined in a procedure specific to each site/asset. • Anti-malicious code definition updates for OT environment shall be qualified by the vendors, wherever possible. • Anti-malicious code technical solutions shall be installed in OT systems computers, where applicable and subject to vendor’s confirmation of proven performance and shall be security risk based. • OT systems computers where installation of anti-malicious code is not technically feasible shall have other appropriate protective and detective compensating controls.

We have installed end point security softwares to safeguard from attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content. We also conduct periodical scanning in order to make sure that all the information assets are safe. These are centrally managed and have control on all the end points.

All documentation related to Technical Vulnerability Management shall be classified as “Sensitive”, protected accordingly and shall be made available only on a need-to-know basis.

It is available on need to know basis

All new system/asset shall not be considered in production until a vulnerability assessment has been conducted and vulnerabilities addressed.

We make sure the Vulnerability assessment has been conducted for our products as per the compliance requirements.

In the absence of an approved entity-specific retention schedule, data backup shall be retained as per defined logging standard, after which tapes or another storage backup media may be overwritten.

We are compliant.

Periodically verification if the customer sensitive information is exposed to the general public and/or exposed to internal network shall be conducted.

the customer Sensitive information will not be exposed to the general public.

Information regarding potential security issues shall be collected, analysed and reported in a timely manner.

We document and maintain all the security issues.

Time distribution/clock synchronization shall be implemented in all environments from a secure and accurate source that uses an accepted secure standard protocol (e.g. IEEE 1588-2008/IEC 61588:2009).

We are complaint.

Requirements for monitoring shall be identified: • Types of systems and assets. • Outline which aspects must be monitored. • How monitoring is to be performed. • Account for instances where automated monitoring is not technically feasible. Logs and realtime traffic shall be monitored and analysed.

We are compliant. We have clasified, labeled our assets and periodically monitored. All the logs and realtime trafic is monitored.

A Security Incident and Event Management (SIEM) solution, or equivalent, shall be implemented.

Implemented. We are compliant.

Does the CSP agreement include security requirements that address the following security controls? 1. Data ownership 2. Data protection and storage 3. Information security incidents handling 4. Change, Recovery and Restoration 5. Data handling and storing location 6. Portability and continuity 7. Compliance and monitoring rights and methods

These are all part of CSP agreement.

Supporting Utilities :- · Short-term UPS to facilitate an orderly shutdown of critical in the event of primary power source loss. · Long-term alternate power supply capable of maintaining minimum operational capability in case of long term power loss. · Primary and alternate telecommunications equipment to support reliable operations.

We have these controls in place as a part of our Business continuity plan.

Cabling Security :- · Power, system and communication cables shall be secured. · Based on information security risk, communication cables might need to be monitored against network tap attempts and network tampering, specifically when protective technical controls are not technically feasible.

We have these controls in place as a part of our Business continuity plan. It has been tested periodically and part of our internal and external Audit.

Risk Assessment shall be conducted to identify potential risks to the customer Information assets as a result of third party access or engagement with the customer. The analysis of risks related to external party access must consider: • The classification of the information assets. • Possible impacts to the controls of the information assets and processing facilities involved. • Processes for identifying, authorising, authenticating and reviewing access rights of the external party. • Security controls to be used by the external party when storing, processing, communicating, sharing or exchanging the customer information.

We have conducted the risk assessment as per the industrial standard.

Third party compliance to the customer security policies and procedures shall be ensured and addressed by formal contract and signed Non-Disclosure Agreement (NDA) between the customer and the third party

Agreed. We will sign the NDA

Service Level Agreements shall be documented and agreed upon by all parties to ensure there is no possibility for misunderstanding between the customer and the third party regarding each party’s obligations to fulfil relevant information security requirements set forth by the customer security policies and procedures.

SLA can be documented and agreed by the both the party.

Prior to authorizing access of third parties to information resources, Head of Department working with third party, Information Owners and Information Custodians must confirm that: • The terms and conditions of access are documented (e.g. Service Level Agreement (SLA), Contracts, Non-Disclosure Agreements, Memoranda of Understanding, etc.). • Responsibilities for managing and monitoring the external party access have been assigned and documented. • Security Controls have been implemented and tested against identified risks.

Only authorised individual have an acces to the approved information assets.

External Parties shall be responsible for ensuring its personnel uphold and upkeep the customer Security Policies. All software/hardware used by the External Parties personnel inside/outside the customer premises for accessing the customer information shall be declared and may be subjected to an audit. The External Parties shall co-operate with the customer and its entities in ensuring the same.

We allow our customer to audit but atlease 30 days prior notice with the scope of the audit needs to be communicated

Any exceptions to the entity defined Supplier Service Delivery requirements shall be recorded. Risks due to exceptions shall be managed to acceptable levels through application of compensating controls.

Its documented as per the Risk management procedure.

Service agreements shall include a methodology for communicating change management issues between the customer and the external/third party.

We have all the details in SLA

the customer shall conduct audits of external/third parties in conjunction with review of independent auditor’s reports, if available, and follow-up on issues identified.

We can make our audit reports available

Entities shall maintain appropriate reports and records, to monitor and measure the compliance with the security requirements as documented in the agreements with the third-parties.

We maintain appropriate reports and records, to monitor and measure the compliance with the security requirements.

Changes to the provision of services provided by third parties shall be managed through risk assessment taking into consideration the criticality of business process, systems and security requirements. The following aspects should be taken into considerations: • Changes to third-party agreements; • Changes to the third parity organisational structure; • Sub-contracting; • Modifications or updates of the third party’s policies and procedures; • Changes to the third-party risk profile.

We make sure that we follow the risk management procedure and take these factors into consideration.

Disaster Recovery plans and procedures shall be in place to prevent and recover from any major breakdown or disaster.

We have these in place and tested annually.

Disaster recovery plans and procedures shall take into account information security requirements applicable to adverse situations.

We have these in place and tested annually.

Disaster recovery plan shall include a full recovery and reconstitution of the customer assets.

Our BCP/DR plan supports this.

Recovery procedures shall be reviewed on a yearly basis.

We review these on annual basis

Disaster recovery plan and procedures shall be communicated to all stakeholders internal and external to the organisation (employees, third parties).

We have cmmunicated to all the internal and external parties.

Contingency roles, responsibilities shall be documented with contact information, and activities associated with restoring the system after a disruption or failure, in the disaster recovery plans.

It’s a part of Business continuity documents and attached the same for your reference.

Continuity plans shall be tested periodically, and the lessons learned documented.

The BCP Test and lessons learned has been documented.

When changes occur, disaster recovery plans shall be reviewed and updated, such as: • Acquisition of new equipment or upgrading of systems, assets or components; • Personnel; • Addresses or telephone numbers; • Business strategy; • Location, facilities and resources; • Legislation; • Contractors, suppliers and key customers; • Processes, or new or withdrawn ones; • Risk (HSE, operational and financial, etc.).

It’s a part of BCP documents and we review and update when changes takes place.

Technical compliance validation shall be performed by an authorised subject matter expert to determine whether security controls have been properly implemented within the the customer environment.

These are part of internal and external audits

Following corrective action shall be taken when non-compliance is identified: • Identify the immediate and underlying causes of the non-compliance. • Assess and document the risks introduced by non-compliance. • Evaluate actions to be taken to attain compliance. • Implement the proper corrective action.

We have implemented the Corrective Action Procedure.

Review whether the corrective action taken is effective shall be conducted: • Document results generated from reviews and corrective actions. • Observe those results over time in order to identify trends and implement further corrective action.

We have implemented the Corrective Action Procedure. We review rhe corrective action taken.

Security assessments shall be conducted only by resources identified by the relevant the customer department/role and shall be carefully planned and agreed upon when performed against operational environment.

We conduc the security assessments by the Internal and external auditors

Necessary data or equipment can be shared with the members of internal or external assessment team subject to management approval.

We share the data with our Internal and external auditors

Measures taken to ensure assessment activities minimise the risk of disruptions to the environment and business processes shall be documented and communicated. In particular, assessment activities shall not include network scanning or penetration testing on OT systems, as it may degrade the performance and impact the plant operations.

We make sure the Assessments and Audits will be conducted and reported independently.

Sensitive information shall be verified or assessed in-site and shall not be handed out or distributed.

All the Sensitive information shall be handled as per Policies and procedures implemented.

An action plan that describes how the identified non-conformities will be addressed shall be developed and maintained on regular basis.

We have defined it in our compliance policy and Corrective Action Procedure

the customer shall plan and conduct assessments of the information security controls in place through an established assurance process which will be continuously identifying technical and non-technical gaps.

We allow our customer to audit or assess but atlease 30 days prior notice with the scope of the audit needs to be communicated

Performance improvement plans shall consider and develop strategies to identify the suitability, adequacy and effectiveness of information security controls in place.

We continuously monitor and improve Information security framework to make sure that we safegurd the Information and all the controls are in place.

Performance improvement plan shall leverage and document security metrics and measurements from incident reports, and audits for future improvement.

We make sure that we brings these improvements to Information security systems from the incidents reported and audit observations etc

The implementation of performance improvement plan shall be monitored on a regular basis: · Document and maintain corrective and/or continuous improvement actions taken. · Review and report the effectiveness of corrective and/or continuous improvement actions.

We have implemented the corrective action plan procedure and review the policies and procedures on annual basis.

Service shall have acceptable clause regarding data ownership and intellectual property rights as per UAE regulations and the customer policies

It can be included in the agreement and our legal team will review and confirm

Contract / statement of work / order form clearly details the services to be provided.

Statement of work will have a details of product/service to be provided

Contract includes service levels or a separate SLA has been signed (with uptime and support response at the minimum) and consequences if service levels are not met (e.g. rebates; liquidated damages).

We can include the service levels in the agreement. We are not currently having an options for service credits/liquidated damages, if SLA are not met.

Service provider shall have clear and secure controls associated with approving access to the customer data or systems by service provider staff for support and/or troubleshooting purposes.

We make sure that we have all the controls in place.

Service provider should have cyber insurance covering security breaches.

We will do this as part of the agreement

Detailed access and audit logs shall be available for the customer to obtain via an API or other means, which should align with the customer security monitoring requirements

We are a multi tenant SAAS system and all our logs will contain data of all customers. We will have our own log monitoring and security analysis.

Service Provider shall have solid DR and Business continuity plan in line with the customer requirements

Attached the BCP/DR documents

Service Provider shall have solid endpoint security controls such as AV, EDR, exploitation protection, HIPS, App whitelisting IDS, DDOS, malware sandboxing, etc.

We end point security in place

Service Provider should allow the customer to preform technical and compliance audits on provider infrastructure that host the customer systems

We allow our customer to audit, but atlease 30 days prior notice with the scope of the audit needs to be communicated

Describe your security model, including network, data, and application security; data center security; application and system support; upgrades and maintenance; and personnel access rights.

We have deployed our application on Amazon web services (AWS) Virtual platform cloud. AWS provides data center security to our application. AWS is ISO 27001;2013, ISO 27017, ISO 27018, SOC 2 certified organization. Xoxoday is also ISO 27001:2013 and GDPR compliant organization. Only the authorised individual have an access as per Access control policy. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. Xoxoday's architecture goes through constant upliftment and experiences no downtime during upgrades and maintenance windows.

How often is the platform scheduled for software patches and updates?

Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users. We try to release our product hotfixes once every week & major features once every month.

Does the vendor allow security audits by the customer or by agents of the customer (e.g. an appointed Audit firm)?

Yes. Annually once.

Is there security accreditation in place such as SAS70/SSAE 16 Type II, ISO 27002 etc?

Yes. We are ISO 27001:2013 and GDPR Compliant. We are also compliant with SOC 2 type 1 and on the last phase of Audit. We will share the report once we have it from the Auditor. Attached the ISO 27001 certificate and engagement letter that we have for SOC 2 Audit.

What processes does the vendor have to detect and prevent viruses and other malicious software from damaging the service and the customer's data?

We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and it's linked with the SSO/Active Directory

What are the security and malpractice escalation processes?

All the employees initially inform the IT Support team through ticketing systemb the Infosec manager and Final level will be DPO and the management.

What are the controls over interruption to the service? (SLA). What is the RPO (recovery point objective) and RTO (recovery time objective) for the service?

The time of support ranges depends on the level of service. RTO and RPO is - 6 mins

What security standards are used for application development?

our products comply with all the industrial benchmarks and standards when it comes to the Software Development Life-cycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include: • security requirements • independent security review of the environment by a certified individual • code reviews Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

Describe the network topology.

The data centers are hosted completely in isolation so that the access is limited and controlled. Load balancer allows shifting incremental load and can auto scale based on data load experienced by application. Each instance (EC2 Instance) under fortified VPC network is further conglomeration of Docker Container Web Services and APIs and application layer running on top of it. This helps in managing various aspects and features of application without affecting the functioning of each other and achieving a modular architecture to work as plug and play model. Amazon Cloud Watch is implemented to enable monitoring of the functioning of the application. The data is encrypted using 256-encryption based SSL certificate. To manage security of data Xoxoday plans a quarterly VAPT based security audit of application.

Describe your approach to ensuring data security in the SaaS environment.

We have implemented policies and procedures as per ISMS and GDPR requirements. We also conduct periodical Internal and external Audit by the third party Auditor. We have deployed our application on Cloud Virtual platform for maximum security. We use Bitdefender End point security software to prevent from malware and protect the data. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behaviour. We conduct periodical Vulnerability assessment and Penetration Testing from the Inductry approved authorized vendor to make sure that all the vulnerabilities are closed and having secured applications. We use logical data isolation with the help of company specific encryption keys. Data in non production environment is not updated with the production data. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256 As per the Information security policy and Data protection policy only the authorised individual have an access to the data through internal approving and ticketing system.

TSL IT Security Compliance?

We comply with Information security compliance - ISO 27001;2013, SOC 2 and GDPR

Data Governance & Management features?

Our product is ISO 27001 and GDPR compliant and have the features.

Intelligence to predict failures and auto-corrections? Failures can be Infrastructure / Process transaction with validations as per TSL business rules

We have health checks along with Self healing mechanisms in place

What is the percentage that the SLA guarantees (in case the platform provides the services in a Saas Model)?

99.99%

Is there security accreditation in place such as SAS70/SSAE 16 Type II, ISO 27002 etc?

Yes. We are ISO 27001:2013 and GDPR Compliant. We are also compliant with SOC 2 type 1 and on the last phase of Audit. We will share the report once we have it from the Auditor. Attached the ISO 27001 certificate and engagement letter that we have for SOC 2 Audit.

Can evidence be provided of the processes that are implemented to guarantee the confidentiality of information, including a description of how our data is separated from other customer's data, and what controls are in place to prevent other customers from viewing our data?

We use logical data isolation with the help of company specific encryption keys. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256. We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. our network environment is designed and configured to restrict any communication and connection between the tenant's environment.

What are the security and malpractice escalation processes?

All the employees initially inform the IT Support team through ticketing systembe the Infosec manager and Final level will be DPO and the management.

What are the controls over interruption to the service? (SLA). What is the RPO (recovery point objective) and RTO (recovery time objective) for the service?

The time of support ranges depends on the level of service. RTO and RPO is - 6 mins

Are there controls in place to prevent administrators and other staff from the Vendor's organisation from downloading customer data to removable storage (USB memory sticks, CD ROM etc)?

Yes. We have the controls in place. We have blocked connecting Hard disk, USB, CD ROM etc to computers and all the devices are centrally managed.

Which databases are used in the backend? Which database optimization approaches are taken?

The data is only stored on our application and its deployed on AWS Cloud. Our data is stored in secured databases and there is no window to alter any data without it being logged into the system records

Describe the hosting infrastructure.

We are a SAAS solution. We are cloud hosted.

How is system usage and performance monitored?

We use a variety of tools and plugins integrated with Prometheus & Cloudwatch along with health checks for facilitating our uptime/service availability

Can customers control the timing of software upgrades? What support do you provide during the upgrade process?

Xoxoday's architecture goes through constant upliftment and experiences no downtime during upgrades and maintenance windows.

Is your DR plan based on active- active or active-passive?

active-passive

Does the application provides users a notification and choice to accept or deny cookies?

Yes. we have implemented the cookies policy

Does the application or solution have Access Control Mechanism to ensure restricted/controlled access to PII (as per business requirement) ?

Yes, we have the access controls

Are logs being maintained for processing activities performed on PII ?

Yes

Is there an Access Control Mechanism to ensure restricted/controlled Third Party access to the application?

Yes, we have the access controls

Does the application allow PII to be updated in case there is a requirement for the same?

Yes. Users can updated their information

What is the services you are going to provide to Darwinbox

Xoxoday - application platform has been integrated with Darwinbox with the objective of creating a reward system for employees. Organizations that are using DarwinBox will not only be able to automate their HR processes but can also reward employees to keep them motivated and engaged. Xoxoday application offers a unified rewarding platform that helps organizations build a winning organizational culture through reward and recognition programs that have a global catalog consisting of products and experiences from more than 700+ brands. Please click here to know more - https://xoxoday.gitbook.io/application/developer-resources/integrations/darwinbox-+-application

Has your organization formally appointed a central point of contact for security coordination?If so, whom, and what is their position within the organization? Are responsibilities clearly documented? i.e. job descriptions, information security policy

Yes. Xoxoday’s primary security focus is to safeguard our customers or users' data. This is the reason that Xoxoday has invested in the appropriate resources and controls to protect and service our customers. We have an Infosec Manager who is responsible for Information security and reports to the Board of Directors of the company. All the job descriptions, role and responsibilities has been documented as per the compliance requirements.

Have your employees been provided formal information security training? Have policies been communicated to your employees? Are periodic security reminders provided?i.e. New employee orientation, annual training, posters in public areas, email reminders, etc.

Xoxoday has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Xoxoday information assets. Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles. We spread awareness about the Information security among the employees through posters in public areas, emails, training and orientations etc..

Are your employees required to sign a non-disclosure agreement? If so, are employees required to sign the non-disclosure agreement annually? Non-disclosure and/or confidentiality form at initial employment

Yes. All new hires are required to sign Non-Disclosure and Confidentiality agreements. The Employee expressly agrees that he/she shall not use Confidential Information provided by the Company in the development or delivery or for personal gain from providing any products or services for his/her own account or for the account of any third party. The NDA signed will be valid till the termination from an employement.

Do you have a formal process to manage the termination and or transfer of employees? i.e. All equipment is returned, user ID's disabled in systems, Windows, badges and/or keys returned. On Transfer is existing access reviewed for relevance?

Yes, We have implemented the process for termination from an employement. Once the employee is terminated all the access will be revoked, IDs are disabled, assets are returned and recorded as a part of the exit clearance. We have implemented the access control procedure and all the access will be revoked upon termination or transfer of an emplyees as per the compliance requirements.

Has antivirus software been deployed and installed on your computers and supporting systems (e.g., desktops, servers and gateways)? 1) Product installed? Centrally managed? Updated daily? Reviewed for being current?

Anti-Virus is deployed in all systems and servers for protection against virus and malware. We use Bitdefender end point security for protecting the systems from virus and this has been updated on daily basis and centrally managed.

Whom do we contact if we identify a security issue or breach involving or impacting your product? Please provide an email address and/or full contact information b) What is their expected SLA to respond to initial contact? c) What is the definition of issue priority (ex: minor vs. major, 0-4 scale)? d) What is their expected SLA to implement changes needed to fix issues according to priority?

1. Reach out to us at cs@xoxoday.com to raise a ticket, if you happen to notice any potential security issue whilst meeting all the required criteria in our policy. 2. The validation of the reported issue in terms of severity & authenticity will be done by our security team in around 90 days. 3. Post validation, steps will be taken to fix the security issues in accordance with our security policies. 4. The owner of the ticket will be informed once the issue is resolved. Security Severity has been categorized as High, Medium and Low. Once the reported vulnerability is closed we will conform the same.

Which all processes Vendor is handling currently and how the customer is sharing the data with them ?

the customer will be using the application product and all the information will be entered only through our application.

How data sharing between vendor and the customer will take place ?

The data sharing between vendor and the customer will take place only through application product. There will be no manual data sharing or transfer.

If vendor shares reports/data with the customer over emails, is that email ID blocked for sharing any data over other public domains? Please confirm the same by sending a test email to -Information.Security@the customerinsurance.com Please share the screenshot of the blocked email for confirmation.

Reports can be generated by the admins through the application. If there are any additional support needed, our customer support team would be able to help and guide on generating report.

Which all in-house or third party applications Vendor will use for the customer operations?

We do not use any in-house devoloped applications. We have deployed our application on AWS cloud virtual platform. And AWS is SOC 2, ISO 27001, ISO 27017 and ISO 27701 certified organization. Shared the certificates.

Does the application support any APIs? And how are they consumed internally and externally?What controls are implemented for sharing such APIs externally?

How the security of the exposed APIs is managed?

We have implemented the Web application firewall, IDs/IPs and amazon guard duty etc for maximum security. OAuth2 is used to authorize all API requests. We also conduct code review to make sure that the APIs are secure.

Are hardening standards defined and followed for all infrastructure components (OS, Network Devices, Servers, Firewalls, DBs etc.)

Yes

What policies are configured for restricting PII leakage from the system ?

We collect only 3 types of the personal Information such as Name, email ID, phone#. , personal data is to be transmitted using firmly approved encrypted systems. We have implemented the role based acccess control to make sure that the acccess has been granted to only authorised individual.

Do you have change and incient management process in place to record, response and resolve an incident within SLA and to control the changes in the system / application? If yes, please share.

Yes. Attached Incident management policy and SLA

ISO 27001:2013 or any equivalent Information Secuirty Management System

Yes, We are ISO 27001:2013 certified. Attached the certificate.

Service Organization Control SOC type 2 or any equivalent compliance report

We are SOC 2 Type 1 compliant. The audit has been completed and auditor is working on the Draft audit report. We will be able to share once the report is finalized.

ISO 27018:2018 Code of Practice for Protection of PII in Public Cloud, if PII data is stored on the cloud.

NA. But AWS Virtual platform cloud is ISO 27017 and 27018 certified and attached the report.

Are your admins are cloud certified?

Yes. Our employees are having required education and certifications to perform the job.

Do you have a setup of processes for regular internal audit for data protection compliance?

We do conduct Internal and external Audit very year

Have you conducted training and awareness program related to data breach for your employees?

Yes, It’s a part og our ISMS training. Attached the training calender as an advace.

A copy of the third-party information security program validation performed on the product/ environment, such as: SOC 2 Type II report and/or ISO 27001 certificate.

Xoxoday is compliant with - ISO 27001:2013, CPRA (California Privacy Rights Act), SOC 2 Type I, CSA STAR Level 1 and GDPR(General Data Protection Regulation). Attached the below mentioned documents. 1. Xoxoday ISOIEC 270012013 Certificate 2. Xoxoday SOC 2 Type 1 Report 2021 3. Xoxoday VAPT Certificate (Conducted by 3rd party vendor) 4. Xoxoday application VAPT Report (Conducted by 3rd party vendor) 5. Xoxoday CPRA Attestation Report 6. CSA STAR LEVEL 1 Compliant - https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday

A copy of audit reports from the data center where the production instance of your product is hosted (SOC1, SOC2, bridge Letters, ISO27001, other security certifications, etc.).

We have deployed our application on AWS Virtual platform cloud. The AWS Compliance Program helps to understand the robust controls in place at AWS to maintain security and compliance in the cloud. Attached the below compliance certificates and Audit reports – 1. Amazon Web Services ISO 27001 Certificate 2. AWS ISO 27017_certification 3. AWS ISO 27018_certification 4. AWS SOC 2 Report 5. AWS SOC 2 Type I Privacy Report 6. AWS CSA STAR Certificate

Do you follow any particular internationally accepted best practices or standards?

Yes. We follow ISO 27001:2013, SOC-2 and GDPR We are ISO 27001:2013 certified and GDPR Compliant.

Does the system have an international certification/award in System Security?

Yes. We are ISO 27001:2013 certified and GDPR Compliant. We are also complied with Cloud Security Alliance (CSA) STAR level 1.

Can a user login be prevented during non-office hours (e.g., off-shift, on leaves )?

Its SAAS Solution and available 24*7

Does solution provide/support remote procedure calls?

It’s a web application. And it can be presented over the calls like MS Teams, Zoom, Google meet etc.

Does solution provide/support message- oriented middleware?

Yes. We have an integration with other applications and provide secure communications.

Does solution use SSL (If use web service)?

Yes

Does solution support SFTP (both sending and receiving file)?

Yes. Files will be transferred securely.

Does solution support Data encryption/decryption?

Yes.

Can the security module be integrated with Middleware to provide the security services? If yes, describe the mechanism?

The solutions integrated with other solutions like Zoho CRM, HubSpot, Darwin box, SurveyMonkey, Freshdesk etc

Does your solution provide the CheckSum as data validation module?

NA. It’s a SAAS Solution and does not require.

CLIENT must have the ability to govern the data stored in cloud.

The data will be in our control. And AWS Cloud provide service for deploying our application. AWS is also ISO 27001 and SOC 2 certified organization and adhered to the data governance.

Related division must do risk assessment to uphold Cloud Infrastructure Administration including CIA (Confidentiality, Integrity and Availability) for any system and/or data that want to be put in cloud.

It’s a part of our Risk assessment and we validate the compliance requirements of AWS cloud virtual platform annually.

CLOUD SERVICE PROVIDER (CSP) must have security policy, standard and procedure/guideline, which at least on the same level as CLIENT ISMS and must be uphold to protect CLIENT data from any security threats.

We have implemented all the required Infosec Policies and procedures as per ISO 27001:2013, GDPR and SOC-2

Are independent IT security testing programs, assurance, audit and/or assessments performed? How frequently? Are results communicated to clients? How often?

We perform Internal Audit and external Audits annually. We also conduct Security assessments and testing like Vulnerability assessment and Penetration testing every six months. Yes. We communicate these assessment results to clients on a yearly basis.

What arrangements are in place for return of data to customer upon contract conclusion or termination?

We have the arrangements in place. Storage Period would be as per regulatory conditions. Personal data can be deleted based on a formal written request. Xoxoday would delete the data within 30 days of receiving the request. We will delete the data of the customers upon the termination of the contract and Our data cleansing process goes through an organized purge. Once the data is purged, it's purged from all places

Are independent IT security testing programs, assurance, audit and/or assessments performed? How frequently? Are results communicated to clients? How often?

We perform Internal Audit and external Audits annually. We also conduct Security assessments and testing like Vulnerability assessment and Penetration testing every six months. Yes. We communicate these assessment results to clients on a yearly basis.

Can the service provider provide the latest copy of SOC 2 Type II report or equivalent?

We have implemented all the SOC controls and in the last phase of Audit. We would be able to provide SOC 2 Type I report in next 2-3 weeks

Provide information on your solutions/services BCP/DR.

We have BCP/DR Policy as per the Infosec compliance requirements and we conduct the BCP test annually. See Business Continuity Management Procedure attached.

Please provide a copy of the incident management standard and procedures?

See attached Incident Management Procedure attached

Has an independent security third party audit been completed on you? (If so, please name the auditing firm and last audit date in the comment box)

Yes. An independent security third party audit been completed by "TUV NORD". The last last day of Audit was 29th June 2021

Does the organization is having an Information security organization is in place? If yes please explain and share evidence?

We have establised the Information security management systemIt specifies the scope and the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the information security management system (ISMS) at Xoxoday. Xoxoday is committed to ensure Integrity, Confidentiality, Availability and Security of its Physical and Information Assets and also maintaining privacy for serving the needs of the customers and organization while meeting appropriate legal, statutory and regulatory requirements. Attached the Information Security Management System Manual.

What are your process and procedures for maintaining client data security? please explain and share evidence?

We have the Data security Controls in place. We have implemented IDS/IPS, Firewall and our security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. We have Cloudflare web application firewall for maximum security of data. We have implemented the role based access control system to make sure that the data os available only to an authorised individual. Nreach Online Services Pvt ltd, respects the individual right to their personal information and is committed to use minimum personal data with transparency, accuracy & protection of confidentiality, integrity, availability, privacy, authenticity & trustworthiness, nonrepudiation, accountability and auditability of the data received, stored, processed and destroyed for business purposes. Atatched the Xoxoday GDPR Data Security Policy

Do you take special measures to make sure the customer data is secure during the collection process? If so, describe the measures briefly.

We are compliant. We collect the data only throigh our application. We have role based access system to make sure that only the authorised individual have an access to the required information All the devices and emails are having adequate security controls. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. We have installed the firewalls to monitor and control the incoming and outgoing network traffic based on predetermined security rules. It helps us to establishes a barrier between a trusted network and an untrusted network. We use a cloud hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory for more security. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access.We have SDLC Policy as per ISMS requirements and we follow General Coding Practice. For example - We Conduct data validation on a trusted system, All cryptographic functions used to protect secrets from the application user.We also have Implemented least privilege; restrict users to only the functionality, data and system information that is required to perform their tasks.

Have we implemented Email Gateway solution to block the SPAM emails? Have we implemented SPF/ DKIM/ DMARC effectively?

Yes. We have Implemented the SPF/ DKIM/ DMARC effectively.

What is the password standard for the applications users, administrators, network users, etc. please describe in details. How are initial passwords communicated to users? Are all new users issued random initial passwords? Are users forced to change their password upon first logon? How is user’s identity verified prior to resetting a password? What is the minimum password length? After how many days does a password expire? How many passwords are stored in the password history? What is the number of invalid password attempts prior to lockout? Can PINs or secret questions be used as a stand-alone method of authentication?

We are compliant. We have implemented the Password Management Policy We store password hashed. We have SHA512 hash with unique salt for every password. The password needs to be minimum 8 characters long and should contain at least one capital letter, special characters among '# $ % * &' and 1 digit. Maximum Password Age is 45 days. User IDs and passwords transmit through stringent checks in an encrypted format that complies with the current Technical Security Baseline Standards. All the user can set their own password from the very first login attempt. Passwords once used cannot be reused with the password history technique in order to disallow the reuse of old passwords.

CSP ISO/IEC 27001/27002:2013 independent attestation, CSP ISO/IEC 27018:2014 independent attestation, CSP SOC 2 Type 2 independent attestation

Will you notify FINCARE in case of any request to provide information, in the form of a subpoena, a warrant, or court order in which access to the FINCARE data is requested?

We inform Fincare if these regulatory authories agreed to inform.

Do you include right to audit by consumer to your environment?

Yes. 30 days prior notice and scope of the Audit needs to communicated.

Will you make necessary audit logs and activity monitoring available when requested?

We are a multi tenant SAAS system and all our logs will contain data of all customers. We will have our own log monitoring and security analysis.

Do you encrypt sensitive data in PaaS applications and storage and sensitive volumes in IaaS

Its a SAAS product and we use We use TLS1.2 encryption for Data in transit and AES256 for Data at rest.

Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multitenant environment?

Yes

Does your data management policies and procedures address tenant and service level conflicts of interests?

Yes

Can you demonstrate the data sovereignty and residency issues and provide details of jurisdiction of data storage and the local laws applicable?

Are these datacenters are owned by you? If not, provide the details of the datacenter service provider

We do not own the data centers. We deploy our application on AWS cloud virtual platform.

Datacenter security standard and procedure

Third party assessment reports and attestations - ISO 27001, PCI DSS, etc

Attached the ISO27001:2013 certificate. We do not collect and store any Payment card details. PCI DSS is not applicable for us.

Any change to the design that impacts security posture of the system must be reviewed and approved by EIS Architecture Team, before a new component (e.g., custom built modules, 3rd party components, vendor supplied components) is released.

We inform the client if there is any changes of the design that impacts security posture of the system.

Minimum security standards and latest vendor security updates must be applied to all components. Wherever it is not supported or cannnot be applied, compensating controls must be evaluated with ISRA and implemented to reduce the risk.

We take steps to securely develop and test against security threats to ensure the safety of our customer data. We maintain a Secure development Lifecycle, in which training our developers and performing design and code reviews takes a primary role. In addition, Xoxoday employs third-party security experts to perform detailed penetration tests on different applications. application is ISO 27001, GDPR, CPRA/CCPA, CSA STAR certified.

Project teams must maintain : Accurate (Create/Update/Delete) inventories of project components that are required for application to be up & running (including Production & Non-Production).

Our technical team maintains these records.

Implement version control practices (for Source code, binaries, container images) to govern development and provide auditing. Ensure versions are stored in a centralized repository, the change can be reversed/ rolled back during a security incident.

We consuct the code review as per the compliance requirements and maintain the code repository. Attached the SDLC Proedures.

Applications should be architected with a minimum of three separate tiers: web, application, and storage/database.

Compliant.

All remote system administrative functionality and remote access to an operating system (e.g., RDP, SSH, etc.) must be disabled and not directly accessible from the Internet, and only PSJH Information Security-approved remote access technologies are allowed.

Since application is a SaaS Platform this would be not applicable.

All public IP addresses must be removed from the subscription, except those that were coordinated with and approved by PSJH Cloud Engineering and Information Security Architecture.

Since application is a SaaS Platform this would be not applicable.

Access to the PaaS must be provisioned using PSJH IAM team, privileged access should be determined by business justification, and granted by IAM.

Since application is a SaaS Platform this would be not applicable.

Ensure that all encryption and hashing methods comply with policies and organizational requirements for protection of information.

We are compliant with the requiremenrts.

If Cryptographic keys have to be tranferred manually, then encrypted channels to be used Eg., use Secure Email of O365, ProofPoint Secure Email.

We do not transfer manually. NA And we use Google workspace for emailing solution.

Ensure that the integrity of cryptographic key is protected while they are stored. Eg., use Hashing SHA256, Digital Signatures

cryptographic keys are protected. Compliant.

PHI, PII, and regulated or confidential data must use a minimum protocol of TLS 1.2, and an encryption algorithm and strength of AES-256 while in transit.

We do not store any PHI. The PII(name, email ID, phone#) are encrypted. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security.

Application that handles PHI, PCI, PII (and other regulated data) must comply with applicable federal laws, Executive Orders, directives, policies, regulations.

We store only the PII(name, email ID, phone#) and does not store/process PHI & PCI. We are compliant with ISO 27001, CCPA/CPRA, EU GDPR, CSA etc. Attached these compliance certificates/audit reports.

File-integrity monitoring tools should be in place to monitor modifications to critical system files, configuration files, and content files (leverage Crowdstrike as applicable).

Yes, all the mechanisms related to security and policies are implemented to facilitate timely decision and investigation by root-cause analysis. These incidences are analyzed with network intrusion detection (IDS) tools.

Application must ensure that the information used for authentication must be securely stored and transmitted in an encrypted form using algorithms in accordance to the Providence's information security policy.

The information used for authentication is securely stored and transmitted. We store password hashed. We have SHA512 hash with unique salt for every password

The application must be partitioned into public and restricted areas using separate folders for authenticated and non-authenticated users.

Not applicable since application is a SaaS platform.

Mobile applications that are homegrown/ procured shall be released to caregivers via MDM & MAM solutions (such as Microsoft InTune).

At Xoxoday we use Google workspace and activated the MDM features. application also has iOS and Androind mobile applications.

The mobile application must time out after 15 or fewer minutes of inactivity, requiring a user to re-enter a password, PIN, or re-initiate a biometric authentication mechanism before application content can be viewed again.

This feature can be configured with the help of the MDM Solution that the customer use.

Code obfuscation is applied to native apps

At Xoxoday we use Google workspace and activated the MDM features.

Roles must be assigned to manage updates on the server, resources, and/or other supporting assets.

Compliant. We have segreated the roles and assign the responsibilities to our employees.

PSJH-managed EDR (running real-time scanning on a continuous basis) on the solution’s servers, workstations, and/or other applicable devices is required.

Since its a Cloud hosted SaaS platform deploying of the application on cloud and server scannings are under the scope of Xoxoday.

PSJH-managed host-based firewall client is required on the solution’s servers, workstations, and/or other applicable devices.

We use Web application firewall (WAF) and pfSense firewall for security reasons. 1. The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on the set of rules. 2. pfSense helps to monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Ensure the user session is invalidated on the server-side when the user logs out.

At xoxoday we monitor and maintain the logs. The Infrastructure logs are collected using the AWS Audit Trail, meanwhile the application related logs are collected in our Elastic Search server and retained in the long term cloud storage.

Implement REST and web services using session based authentication.

At Xoxoday we have implemented the Active directory and the system will get locked if its inactive for more than 15 mins and re-autentication would require.

Require a standardized approach to structured exception and error handling across all layers.

We have the process in place for standardized approach to structured exception and error handling across all layers.

All input validation failures must result in input rejection and must be logged.

At Xoxoday the validation has been done during the development and testing and we are compliant with the requirements.

Product Owners must integrate compliance of security requirements in corresponding criteria in Definition of Done (DoD). Any requirement & recommendations provided by EIS that are not met by the application will need to have a security exception through ISRA

At Xoxoday Security and compliance requirements are considered during the development stage and we are ISO 27001, CPRA, CSA STAR level 1, GDPR compliant.

Implement generic error or notification messages in applications to limit information useful for attacks.

We have implemented the controls to monitor the application and safegurd from the attacks. We use Amazon CloudWatch and Grafana polemique which allows us to monitor instances and alerts us through emails.

Manual input of file names and file paths must be avoided where possible.

Since application is SaaS Platform it would be not applicable.

Vulnerabilities are to be identified, reported, and remediated through the software-development life cycle. Effective utilization of enterprise SAST, DAST, OSA, IaC Security, Penetration Testing etc., to be adopted throughout the lifecycle of system development (and periodically).

We have implemented the Software Development Life Cycle (SDLC) procedure and attached the same for your reference. Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform a vulnerability assessment and penetration testing. We remidiate or fixes the issues identified during the VA/PT assessment and make sure that the application is free from the vulnerabilities.

How do you handle data from Russia and China?

Since it's a SaaS platform and deployed on AWS cloud virtual platform Singapore region. All the data will be stored on AWS VPC.

Description of your general Security concept including on how you handle Confidentiality, Integrity and Availability.

Xoxoday is ISO 27001:2013 certified. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes with the aim of keeping information secure. With ISO’s robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices is implemented across the organization Our Goal is to protect three aspects of information - • Confidentiality: only the authorized persons have the right to access information. • Integrity: only the authorized persons can change the information. • Availability: the information must be accessible to authorized persons whenever it is needed.

What are the security controls and restrictions implemented to control the upload, download, viewing and modification of Infosys data (including structured and unstructured data e.g. emails, databases etc.) by users within your organization , including admin users?

We have implemented the Access control policy to control the upload, download, viewing and modification

Specify the frequency of AV scans and list down the events/scenarios that triggers the scans

AV Scans takes place every week and users also can scan it whenever they can scan the machine. We have prescheduled the scanning once in a week.

In a multi tenant model, please explain what controls are present to prevent infections spreading across to Infosys specific applications/infra from other tenants/customers sharing the same infrastructure?

We are using linux operating system which is inherently secure along with security practices like web application firewall etc We make sure that the customer data is well segregated and compartmantalized

Have there been any information security breaches within the organization in the last 1 year (even if they did not impact Infosys) ? If yes, please detail out the corrective and preventive actions taken by the organization to strengthen the information security program.

No Breaches taken place.

Provide details about the Information security framework and controls that are deployed within your organization to safeguard Infosys data and ensure compliance to applicable industry standards

We are having Robust Information security compliance framework and we are ISO 27001:2013 and GDPR complied. We follow all the applicable infosec compliance requirements to comply with the regulations

Is cyber security compliance review of application and risk assesement conducted atleast annually?

We conduct the Risk assessment and compliance review on annual basis as per the compliance requirements.

Are cyber security compliance review findings mitigated? Please highlight any open points.

Yes. All the compliance and audit findings has been mitigated.

Are detected vulnerabilities patched timely?

All the vulnerabilities identified during the assessment has been fixed.

Is anti-malware and anti-virus installed on servers and development machines?

We use Bitdefender end point security and installed on servers and development machines.

Is anti-malware and anti-virus updated regularly?

Its updated on regular basis.

Are the duties for application access and environment segregated and supported with a documented authorization matrix?

Our roles and job duties are segregated through role-based access to ensure maximum security. Access to data and systems are based on the principles of least privilege for access. A strong identification and authentication system and logging systems are deployed and provides a centralized control to administer, monitor and review all critical access events.

Is the code restricted from publicly available?

Its restricted and not available to the public.

Is the application server are hardened for security and maintained?

We follow the best practices ans servers are hardened for security reasons.

Is the database server comply with identity and access control policy?

We have implemented the Identity access management (IAM) and follow the Access control policy.

Is the database server comply with password policy?

At Xoxoday we follow the password policy.

Is the database server have latest operating system, licensed and supported?

We have deployed our application on AWS Virtual platform cloud - Singapore region.

Is application server configuration is backed-up and can be restored within RPO and RTO?

RTO and RPO is 60 Minutes.

Is incidents are logged, investigated and reported timely?

We have implemented the Incident Management Procedure and attached the same for your reference.

Explain the limitations to how the customer can use the service as outlined in the provider’s acceptable usage policies, licensing rights or other providers usage restrictions.

Since application is a SaaS product and the customer can use the product and services as soon as subscribed for application product usage. the customer will have the legal rights to use the Product.

What advance notice will be provided by the provider for any change of terms?

We do not change the terms frequently. We will provide 30 days’ notice period for any changes of terms.

Does the contract/terms of service outline meaningful liability for the provider in the event that the the customer environment/data is breached?

We notify Client in case of any unauthorized disclosure of or breach of any confidentiality obligation of Xoxoday with respect to Confidential Information, data or information of Client and Xoxoday shall take all necessary and required steps and measures to mitigate such unauthorized disclosure or breach and shall co-operate with Client , at Xoxoday 's cost, to mitigate or control the loss or liability arising out of such disclosure or breach and to retrieve such data or information.

Does the provider have an active SLA in place that identifies minimum performance (e.g., uptime, etc.)?

Yes. have an active SLA in place that identifies minimum performance of the Product.

Describe the SLA

We have the SLA in place. application endeavours to provide 99.9% Uptime each month 24 hours a day 7 days a week. Uptime is measured based on the monthly average of availability.

Does the provider provide regular service management reports (e.g., SLA performance)? If so, state the frequency of such reporting.

We would be able to provide a report on need basis.

Describe penalties associated with SLA non-compliance.

No penalties are associated with SLA.

Does the provider monitor service continuity with upstream providers in the event of provider failure?

We monitor the service continuously and make sure that the product and service is available to use all the time. We have a documented Business Continuity and Disaster Recovery Plan defined and implemented to enable people and process support during any crisis or business interruptions.

Do we have the planed downtime scheduled (e.g., service, upgrade, patch, etc.)?

Since our services are delivered via. Web, the upgrades and updates to the services are seamless and usually do not involve any actions from the end-users.

Are the same security controls implemented at the failover site as that of primary site?

Yes.

Are the provider’s routine maintenance windows manageable for the customer?

Our architecture goes through constant upliftment and experiences no downtime during upgrades and maintenance windows. If there is any major activity and the service will be unavailable, the Maintenance hours were communicated well in advance at least 3-4 day by application.

Describe the process to terminate the service

Termination clause will be the part of Master Service agreement and both the parties can review and agree during entering into an agreement.

Can the customer data and the service be moved/transferred to another provider at any time?

Since it’s a SaaS product, this is not applicable.

Does the customer have the right to terminate if the provider introduces material modifications to service terms?

Termination clause will be the part of Master Service agreement and both the parties can review and agree before entering into an agreement.

What standards does the provider follow for application development? Do these include rigorous testing and acceptance protocols?

Yes. changes to the production environment or development are documented, tested, and approved prior to implementation or any new releases. We conduct internal reviews and audited by the external auditors for our security standard certification. We conduct periodical Vulnerability assessment and Penetration Testing from the Industry approved authorized vendor to make sure that all the vulnerabilities are closed and having secured applications.

Where and how will the customer data be stored? Are there impacts on security in light of the differences in legal/regulatory compliance requirements depending on storage location?

the customer data will stored on AWS virtual platform cloud Singapore. There is no impact on security.

Does the provider have a cyber plan in place? If so, please provide details.

At Xoxoday we have implemented the Cyber Crisis Management Plan to provide and support capability for reporting and responding to cyber security incidents, to eliminate or minimize impacts of such incidents

Have there been any major security incident(s) reported with the provider in the last two years? If so, detail the incident(s) and resolution(s)

No.

What activities are logged by the provider? Consider: Network traffic, file and server access, Security systems

We monitor the logs on regular basis with regards to network, file and server, and security system. To provide more information, the infrastructure logs are collected using AWS Audit Trail and Application related logs are collected in our Elastic Search server and retained in long term cloud storage.

Does the provider’s logging and monitoring framework allow isolation of an incident to specific tenants?

No. Since we are a multi-tenant system, our logs contain information of all the tenants. We cannot isolate a single customer's information from our logs.

Who can set up activities to be logged?

At Xoxoday the Audit logs reviewed on a regular basis for security events. audit logs are set up, reviewed by our Technical team and logs are recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

What is the provider’s incident response procedure for handling a security or data breach?

We are GDPR Compliant. Our information security team and Customer support team will inform the POC of Client via email communication with Preliminary Incident Synopsis and Root Cause Analysis report (RCA) including the details of Business Impact, Issue Description, Root Cause, and Corrective Actions.

Does the provider’s incident response plan comply with industry standards for legally

Yes. We have implemented the incident response plan and it complies with industry standards ISO 27001:2013, SOC-2, GDPR.

When are audits conducted (i.e., frequency)? What standard/certification is used to conduct audits (e.g., ISO 27001, SSAE 16 SOC 2, etc.)? Will the customer receive a copy of the audit report when finalized? Is this requirement outlined in the contract with the service provider?

We are ISO 27001:2013 certified and attached the certificate.

Last updated