Others

Does Plum follow GDPR?

Plum is GDPR compliant. At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security.

Does Xoxoday have an information security policy and is it communicated and published to all employees, suppliers, and other relevant external parties?

Xoxoday has an information security policy that is published and communicated to all suppliers and employees (including contractors and other relevant external parties).

Xoxoday has ensured that its information security policies establish the direction of the organization and align with leading practices (e.g., ISO 27001, ISO 22307, COBIT) and with regulatory, federal/state, and international laws where applicable.

Does Xoxoday have a formal established disciplinary or sanction policy for its employees who have violated security policies and controls?

Yes, at Xoxoday we have a formal disciplinary or sanction policy established for employees who have violated security policies and controls. Employees are made aware of what action might be taken in the event of a violation, and this is stated in the policies and controls. A detailed disciplinary process and policy are also in place.

Does Xoxoday ensure that all projects go through some form of information security assessment?

At Xoxoday, we use JIRA for project management; abiding by the information security policy is mandatory and has been followed in all projects.

Every code change is reviewed by the tech lead or architect responsible for the project.

During the review process, the reviewer is responsible for identifying possible security issues.

Does Xoxoday have a mobile device policy?

Yes, Xoxoday has a mobile device policy. It takes into account the risks of working with mobile devices in unprotected environments and the controls to be implemented for protecting data transmitted to or stored on the device, among other areas.

Does Xoxoday have a policy governing information classification and is there a process by which all information can be appropriately classified?

Yes, at Xoxoday we have an 'Information Security Policy' in place.

Information classification is included in the organization's processes and is consistent and coherent across the organization. Classification results indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Classification results are updated in accordance with changes in value, sensitivity, and criticality through the asset's life cycle.

Formal procedures for the secure disposal of media are also established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a formal procedure governing how removable media is disposed of?

Yes, we have an 'Information Security Policy' in place, and formal procedures for the secure disposal of media are established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a process to restrict access to information and application system functions in line with the access control policy?

Our application has role-based access controls, and menus and screens are made accessible accordingly.

What kind of Encryption and Hashing is used at Xoxoday?

AES-256 encryption for personal information (PI) data. SHA-256 with a unique salt for hashing passwords.
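As an added example (not Xoxoday's code; the page only names the primitives), the password-hashing half of the answer above, implemented as a salted SHA-256 store with constant-time verification. The record layout `sha256$<hex salt>$<hex digest>`, the 16-byte salt length and the `salt || password` concatenation order are assumptions for this illustration; the point it demonstrates is that a unique salt per password makes two users with the same password store different digests, so a single precomputed table cannot crack them all.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not stated on the page): 16 random bytes of salt per
# password, digest = SHA-256(salt || password), stored as a '$'-separated record.
SALT_BYTES = 16
SCHEME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record for `password`, drawing a fresh random salt
    unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{SCHEME}${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a malformed or mismatched record never short-circuits on the first
    differing byte. Malformed records verify as False rather than raising."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != SCHEME or len(salt) != SALT_BYTES:
        return False
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def same_password_distinct_records(password: str, users: int = 3) -> bool:
    """Demonstrate the value of a unique salt: the same password stored for
    several users yields pairwise-different digests."""
    records = {hash_password(password) for _ in range(users)}
    return len(records) == users


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    print(same_password_distinct_records("hunter2"))                 # True
```

The `hmac.compare_digest` call is the detail most often missed in hand-rolled verifiers. A plain salted SHA-256 is what the answer names; for new password stores a deliberately slow, memory-hard function such as Argon2id or bcrypt is the usual recommendation, because SHA-256 is fast enough that a leaked table of salted digests can still be brute-forced offline at high speed.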

Does Xoxoday have a documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) available? If yes, kindly mention the location where the data would be stored.

Yes, Xoxoday has a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP); the data is stored at AWS Singapore.

Is there a process for reporting identified information security weaknesses at Xoxoday, and is this process widely communicated?

Such weaknesses are identified during security audits and VAPT reviews.

Yes, this process is widely communicated to all the employees and stakeholders.

Where systems or applications are developed, are they security tested as part of the development process?

Yes, at Xoxoday we conduct quarterly VAPT.

Are there policies mandating the implementation and assessment of security controls at Xoxoday?

Yes, at Xoxoday we perform quarterly VAPT and run static code analysis via SonarQube.

Do contracts with external parties and agreements within the organization detail the requirements for securing business information in a transfer?

Policies, procedures, and standards have been established and maintained to protect information and physical media in transit, and are referenced in such transfer agreements.

There is also a clause on securing business information and protecting confidential information in the NDAs signed by external parties.

Are IS Systems subject to audit at Xoxoday and does the audit process ensure business disruption is minimized?

As part of the ISO audit, IS systems are also audited, and yes, the audit process ensures that business disruption is minimized.

Is there a process to risk assess and react to any new vulnerabilities as they are discovered at Xoxoday?

We have a quarterly VAPT performed on the entire application by a third-party security auditor.

How secure is Plum?

At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security. Our controls are placed based on the data protection impact assessment (DPIA). All personal data is encrypted on Xoxoday.

We take data and security very seriously. We are ISO 27001, GDPR, and SOC compliant. More details about our security and privacy policy are in the links above. You can also learn more about our compliance here.

How does Plum use my information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.

  • To improve our website in order to better serve you.

  • To allow us to better service you in responding to your customer service requests.

  • To ask for ratings and reviews of services or products.

  • To follow up with you after correspondence (live chat, email, or phone inquiries).

Data security and ownership?

We take data and security very seriously. We are ISO 27001, GDPR and SOC compliant. More details about our security and privacy policy are here.

More info below:

Questions and Answers

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

We ensure that production data is not replicated or used in non-production environments. Production and non-production environments are physically segregated.

A formal privacy management framework is in place

Yes. We are compliant with CPRA (California Privacy Rights Act), GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act).

Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?

We have implemented the Data Security Policy and the Data Subject Access Rights Procedure.

Does the Vendor allow audits by the customer, or by any third parties appointed by the customer, of the below given nature:

In accordance with Data Protection Laws, we make available to the Controller on request, in a timely manner, such information as is necessary to demonstrate compliance by the Processor with its obligations under Data Protection Laws. Upon the Controller's written request and subject to the confidentiality obligations set forth in the Agreement, we will make available to the Controller a copy of the most recent third-party audits or certifications, as applicable.

Provide a copy of all privacy-related policies and procedures that may apply to the Supplier’s handling of Personal Data.

Privacy Policy - https://www.xoxoday.com/privacy-policy. Attached: the Data Protection Policy, Data Security Policy, Data Subject Access Rights Procedure, and Data Breach Notification Procedure.

Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?

Attached: the Data Security Policy and the Data Subject Access Rights Procedure. Please visit here for the Privacy Policy - https://www.xoxoday.com/privacy-policy

Is your Privacy Notice/ Privacy Policy externally available? Please provide us with the URL.

Yes. Please visit - https://www.xoxoday.com/privacy-policy

Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? E.g. front desk duties separated from accounting, data analysts' access separated from IT support, etc.

Yes, the policy, process, and procedure are implemented to ensure proper segregation of duties. Our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

A copy of your privacy policy and external privacy statement, if they are separate documents.

Attached: the Xoxoday Privacy Policy. Please click here for the external privacy statement - https://www.xoxoday.com/privacy-policy.

Are records of processing or an inventory maintained of what personal data is collected/stored/processed/managed on behalf of Infosys?

Yes. We do maintain the records as per the Data privacy compliance requirements.

Do you maintain a list of all individuals having access to Personal Data, and do you regularly review it (whether it is electronic data, hard copy data, etc.)?

Yes. We maintain the list as per the privacy laws and review it. We provide access only to authorised individuals, based on role-based access and the access control policy.

Do you follow privacy guidance when collecting, storing, or processing Personal Data via electronic, audio, visual or print media?

Yes. We follow the privacy guidelines when collecting, storing, or processing Personal Data via electronic, audio, visual or print media. We comply with these requirements.

Do you routinely assess/review/monitor your organization's measures to meet the objectives of the privacy commitment when Personal Data of Infosys is collected/stored/processed as part of the service engagement?

We have a review and monitoring mechanism to make sure that only authorised individuals have access and that the objectives of the privacy commitments are met.

Are your employees and subcontractors given regular and formal privacy training? If Yes, what is the frequency of Training?

Yes. We provide them with information security and privacy training. The training is given once a year, and as soon as they are onboarded.

Do you confirm compliance with applicable data privacy clauses in your contract executed with Infosys?

Yes. We have applicable data privacy clauses in the contracts.

Do you develop and maintain an agreed-upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?

We continuously monitor the efficiency and effectiveness of implemented security controls during the internal and external audits.

Does administrative and management access require multi-factor authentication?

Yes. We have enabled MFA for all our admins.

Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?

All systems have a common time reference.

Do you have anti-malware programs that support or connect to your cloud service offerings installed on your IT infrastructure network and systems components?

We use Bitdefender endpoint security software to prevent malware and protect the data. In addition, we have the AWS GuardDuty threat detection service, which continuously monitors for malicious activity and unauthorized behaviour.

Do End User Devices (servers, desktops, laptops, tablets, smartphones) used for transmitting, processing or storing Data have anti-malware, file integrity monitoring or application whitelisting deployed in the organisation?

We have installed Bitdefender endpoint security and restricted access to external hard drives, USB devices, etc. to restrict data transfer. We use file integrity and network intrusion detection (IDS) tools to help facilitate timely detection, investigation by root cause analysis, and response to incidents.

Has the organisation experienced an information security breach in the past three to five years?

No security breaches to date.

Is a separate log maintained to track / monitor the visit of other personnel in the customer processing facility? Are visitors accompanied by responsible personnel?

Yes. We maintain the records. We follow visitor management best practices, escort all visitors and keep records of all of them; these records are audited by the external auditors.

Describe the security controls in place to monitor physical entry & exit. (Manned reception desk, security guard patrols, closed-circuit TV cameras, etc)

We have CCTV cameras, security guards and biometric machines to monitor physical entry and exit.

What is the frequency that these logs and records are reviewed? (monitored 24/7, reviewed daily, weekly or monthly)

CCTV is monitored 24/7 and visitor logs are reviewed every week.

Is there a UPS mechanism / power generator in place at the Vendor site?

Yes. We have the UPS for backup.

Are there secure measures for controlling and monitoring environmental changes to the processing facility (AC, humidity)?

Yes. We also get these checked by our vendors periodically.

Are the network and the power cable lines separated at the premises?

Yes. They are separated.

Does the organization have procedures in place for the secure and safe disposal of media containing sensitive data?

Yes. We have a data retention and disposal policy, and we have also implemented a Media Protection Procedure. Attached the same.

Does each laptop and workstation have a host based firewall?

Yes.

Describe the controls regarding the use of portable storage (CD, DVD, USB) devices? Please provide any information regarding supplemental controls regarding data being stored or accessed on portable devices.

We have blocked all external drives and ports.

Do you have a dedicated group/individual(s) that administer the firewall rules? If yes, identify the individual or group and how permissions are granted to access the firewall.

We have a dedicated IT Support team who administer the firewall rules.

Are there automated mechanisms such as a password-protected screensaver to protect unattended equipment? Do all workstations enforce the screensaver policy and get locked after being inactive for 15 minutes?

All computers are automatically locked after being inactive for 15 minutes, and password-protected screensavers are activated to protect the equipment.

The customer's ASLC is to be followed for any change management requests that fall under the criteria for a review. Guidelines from the Information Security Team are to be taken on the same.

We use a Software Development Life Cycle (SDLC) process. It is aligned with the ISO 27001:2013 and SOC 2 frameworks.

The customer's SVN is to be used for software code versioning and storage (not applicable for SaaS platforms unless agreed by partners).

The Xoxoday application is a SaaS product.

Where are the support teams managing the servers located?

The team is based in India (Bangalore).

Adequate malware protection is in place.

We use Bitdefender endpoint security software to prevent malware and protect the data. In addition, we have the AWS GuardDuty threat detection service, which continuously monitors for malicious activity and unauthorized behaviour. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with SSO/Active Directory. As part of the Web Application Firewall (WAF), rate limiters are installed to block repeated requests from specific IPs in order to prevent DDoS-type attacks. These are powered by intelligent daemons that detect other identifiers, such as the URLs accessed or other client properties, to automatically blacklist possible threats either temporarily or permanently.
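To make the rate-limiting behaviour described above concrete, here is an added example (not Xoxoday's WAF code, whose implementation the page does not show) of a sliding-window rate limiter keyed on client IP plus requested URL path, with temporary blocks that escalate to a permanent block after repeated strikes. The thresholds (5 requests per 10 seconds, a 60-second block, permanent after 3 strikes), the `(ip, path)` key and the constructed request log are all assumptions for the illustration; the sample addresses are from documentation ranges.

```python
import time
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]


class RateLimiter:
    """Sliding-window limiter keyed on (client IP, URL path).

    More than `max_requests` hits inside `window` seconds earns a strike and
    blocks the key for `block` seconds; `permanent_after` strikes block it
    permanently. All thresholds are constructed for this example."""

    def __init__(self, max_requests: int = 5, window: float = 10.0,
                 block: float = 60.0, permanent_after: int = 3) -> None:
        self.max_requests = max_requests
        self.window = window
        self.block = block
        self.permanent_after = permanent_after
        self._hits: Dict[Key, deque] = defaultdict(deque)   # recent timestamps
        self._blocked_until: Dict[Key, float] = {}           # inf == permanent
        self._strikes: Dict[Key, int] = defaultdict(int)

    def check(self, client_ip: str, path: str, now: Optional[float] = None) -> str:
        """Return 'allowed', 'blocked' (temporary or still in force) or
        'banned' (the request that triggered a permanent block)."""
        now = time.time() if now is None else now
        key = (client_ip, path)

        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            del self._blocked_until[key]        # temporary block has expired

        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                       # drop hits outside the window
        hits.append(now)
        if len(hits) <= self.max_requests:
            return "allowed"

        # Threshold exceeded: record a strike and decide how long to block.
        hits.clear()
        self._strikes[key] += 1
        if self._strikes[key] >= self.permanent_after:
            self._blocked_until[key] = float("inf")
            return "banned"
        self._blocked_until[key] = now + self.block
        return "blocked"


# Constructed request log: "<unix timestamp> <client ip> <path>", one per line.
SAMPLE_LOG = """\
1700000000.0 203.0.113.5 /login
1700000001.0 203.0.113.5 /login
1700000002.0 203.0.113.5 /login
1700000003.0 198.51.100.7 /login
1700000003.5 203.0.113.5 /login
1700000004.0 203.0.113.5 /login
1700000005.0 203.0.113.5 /login
1700000010.0 203.0.113.5 /login
1700000070.0 203.0.113.5 /login
"""


def replay(log_text: str, limiter: Optional[RateLimiter] = None) -> List[Tuple[str, str, str]]:
    """Feed each logged request through the limiter and return the decisions."""
    limiter = limiter or RateLimiter()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, path = line.split()
        decisions.append((ip, path, limiter.check(ip, path, float(ts))))
    return decisions


if __name__ == "__main__":
    for ip, path, verdict in replay(SAMPLE_LOG):
        print(f"{ip:14} {path:8} {verdict}")
```

In the replay, the sixth request from 203.0.113.5 within the window is the one that trips the limit; the request at t+10 s is still inside the 60-second block, and the one at t+70 s is admitted again because the block has lapsed and the window is empty. Keying on IP alone would let one client exhaust the budget for everyone behind a shared NAT, which is why the key includes the path as well; a real deployment would typically also consider the other client properties the answer mentions.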

Are security related components reviewed by at least 2 persons?

Our security-related components are reviewed by the DevOps and production departments regularly.

Information security performance monitoring and evaluation requirements shall be identified and documented.

We are compliant.

Information security performance shall be monitored, evaluated and reported to the relevant customer stakeholders.

We report on information security performance.

How do you keep pace with evolving trends and requirements for security?

Security has become an enterprise-wide issue that needs addressing, and managing risk a business priority. We ensure that the security programme infrastructure currently in place continues to be extensive, agile, and thoughtful enough to enable growth and acceleration. We pay special attention to identity and access management, endpoint and mobile management, IT architecture, security operations and incident response, and certainly security awareness and adequate preparation of staff and executive leadership.

Does the solution use open source database? If yes, does it use latest secured 3rd party libraries? Please describe the libraries and its

No. Our database is secure. Our data is stored in secured databases, and there is no window to alter any data without it being logged in the system records.

Are the security issues reported and mitigated after production deployment?

No security issues as such.
