Xoxoday

Security Operations & Technical Capabilities and Support

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes, we have proper forensic procedures in place that include chain-of-custody management processes and controls.

What controls are used to mitigate DDoS (distributed denial–of-service) attacks?

As part of the Web Application Firewall (WAF), rate limiters are installed to block repeated requests from specific IPs in order to prevent DDoS-type attacks. These are powered by intelligent daemons that also inspect other identifiers, such as the URLs accessed or other client properties, to automatically blacklist possible threats either temporarily or permanently.
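The answer above describes per-IP rate limiting that also looks at the URL and escalates to a temporary or permanent block. The Go program below is an added illustration of that pattern, not Xoxoday's WAF code (whose rules and thresholds are not given on this page): it replays a constructed access log through a sliding-window counter keyed by IP and path, issues a temporary block on the first excess and a permanent block on the second strike. The window, the limit, the block duration and the `/login` path are assumptions chosen for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Decision struct{ IP, Path string; Allowed bool; Reason string }

// Limiter counts requests per (IP, path) in a sliding window. Exceeding Limit earns a
// strike and a temporary block; MaxStrikes strikes turn into a permanent block.
// Every threshold here is an illustrative assumption, not Xoxoday's configuration.
type Limiter struct {
	Window, TempBlock time.Duration
	Limit, MaxStrikes int
	hits              map[string][]time.Time // request times per "ip path" key
	blockedUntil      map[string]time.Time
	strikes           map[string]int
	permanent         map[string]bool
}

func NewLimiter() *Limiter {
	return &Limiter{Window: 10 * time.Second, Limit: 2, TempBlock: 30 * time.Second,
		MaxStrikes: 2, hits: map[string][]time.Time{}, blockedUntil: map[string]time.Time{},
		strikes: map[string]int{}, permanent: map[string]bool{}}
}

// count forgets requests older than the window, records this one and returns the total.
func (l *Limiter) count(key string, now time.Time) int {
	cutoff := now.Add(-l.Window)
	kept := l.hits[key][:0]
	for _, t := range l.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	l.hits[key] = kept
	return len(kept)
}

// Check evaluates one request and updates the limiter state.
func (l *Limiter) Check(ip, path string, now time.Time) Decision {
	if l.permanent[ip] {
		return Decision{ip, path, false, "permanently blocked"}
	}
	if until, ok := l.blockedUntil[ip]; ok && now.Before(until) {
		return Decision{ip, path, false, "temporarily blocked"}
	}
	if l.count(ip+" "+path, now) <= l.Limit {
		return Decision{ip, path, true, ""}
	}
	// Strike: clear the counter so the window starts clean once the block lifts.
	l.strikes[ip]++
	delete(l.hits, ip+" "+path)
	if l.strikes[ip] >= l.MaxStrikes {
		l.permanent[ip] = true
		return Decision{ip, path, false, "rate limit exceeded, permanent block"}
	}
	l.blockedUntil[ip] = now.Add(l.TempBlock)
	return Decision{ip, path, false, "rate limit exceeded, temporary block"}
}

// SampleLog is constructed input ("<RFC3339 time> <ip> <method> <path>") on documentation
// address ranges; it is not a real access log.
var SampleLog = []string{
	"2024-03-01T09:00:00Z 198.51.100.7 GET /catalog",
	"2024-03-01T09:00:00Z 203.0.113.5 POST /login",
	"2024-03-01T09:00:01Z 203.0.113.5 POST /login",
	"2024-03-01T09:00:02Z 203.0.113.5 POST /login", // 3rd login in 10s: strike 1
	"2024-03-01T09:00:03Z 203.0.113.5 POST /login", // still inside the 30s block
	"2024-03-01T09:00:35Z 203.0.113.5 POST /login", // block lifted, counter was reset
	"2024-03-01T09:00:36Z 203.0.113.5 POST /login",
	"2024-03-01T09:00:37Z 203.0.113.5 POST /login", // strike 2: permanent block
	"2024-03-01T09:00:38Z 203.0.113.5 GET /catalog", // every path is now refused
}

// Replay feeds log lines through a fresh limiter in order.
func Replay(lines []string) ([]Decision, error) {
	lim, out := NewLimiter(), []Decision{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, lim.Check(f[1], f[3], ts))
	}
	return out, nil
}

func main() {
	ds, _ := Replay(SampleLog) // the constructed input above is well-formed
	for i, d := range ds {
		fmt.Printf("%d %s %s allowed=%t %s\n", i, d.IP, d.Path, d.Allowed, d.Reason)
	}
}
```

Replaying `SampleLog` yields nine decisions, four of them refused: the third login inside the window earns the temporary block, the request during the block is refused without being counted, and the second strike after the block lifts makes the block permanent for every path from that address. Keying the counter by IP and path is what lets a tight limit on a login endpoint coexist with normal browsing from the same address.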

Is there a cloud audit program to address the client's audit and assessment requirements?

Yes, in our cloud audit program, we analyze and address all the requirements put forth by the tenant to ensure maximum satisfaction.

Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

Yes, we have proper forensic procedures for data collection and analysis during incident response.

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?

Yes, we can freeze data from a specific time without freezing other data if need be.

Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

Yes. Tenant data separation is enforced and attested to when data is produced in response to legal subpoenas.

Give details of platform on which the application is developed.

The Xoxoday platform is developed on a microservices architecture, as independent applications, and is deployed on the AWS virtual cloud platform.

Does your product provide/support mobility through native mobile apps etc.?

No, our product is supported by a comprehensive web application that can be accessed via desktop and mobile browsers on all compatible devices.

Do you offer configurability in your SaaS solution? Give the options if available

Our platform can be white-labeled to match the look and feel of the tenant's platform. The emails are also customizable for a personal touch.

What customization options are available to cater to tenant's requirements? E.g. Customized reports etc.

Reports on rewarding and related activity can be accessed through the platform.

If customization is possible, what are the development tools and APIs available?

The customization is done at the platform level, manually by the super admin.

Do you support out-of-the-box integration with on premise applications such as SAP, Active Directory etc.?

Yes, Xoxoday Plum comes with a full set of integrations with various platforms for enriched utility and maximum output from the platform.

Do you support movement of applications and data from one cloud service provider to another cloud service provider or back to in-house data center whenever required?

No, we keep it in one data center for maximum safety, privacy, and security of our tenants' databases.

What are the available management reporting capabilities?

Reports and analysis can be extracted from the platform. These reports give detailed insights into the reward and recognition inputs and outputs over the period concerned.

Can the reports be customizable based on the tenant's needs?

If reports are needed beyond the predefined ones, they can be shared with the tenant as a spreadsheet.

What types of Advisory and technical support are provided?

Xoxoday's customer support team is available at all times to address any queries and support with respect to advisory and technical operations.

How does the Cloud Service Provider protect keys, and what security controls are in place to effect that?

Each tenant's data is uniquely encrypted using a client-specific key. We use AES 256-bit encryption for data at rest to ensure maximum security.

Are hardware security modules used to protect such keys? Who has access to such keys?

Yes, hardware security modules are used to protect these keys, and key access lies with the Chief Technical Officer.

What procedures are in place to manage and recover from the compromise of keys?

We use the AWS Key Management Service (KMS) to manage all keys. In the event that keys are compromised, they can be recovered through the Key Management Service.

If an advanced warning is given for service interruption will it count as downtime?

Yes, in the event of a service interruption, the period covered by the prior notification will count as downtime.

What is the SLA (time) for different levels of support, different incidents, and change requests? Standard example: Critical - 2 hrs. or less, Moderate - 4 hrs. or less, Minimum - 8 hrs. or less

The support response time ranges from six to forty-eight hours, depending on the level of service and the severity of the incident.

Do you have penalty clauses in the event of performance failure?

No, there is no penalty clause attached in the event of a performance failure.

What are the inbuilt APIs for third party tools available? Can you integrate with SailPoint, ForgeRock, Splunk, OneCert, EDM?

We are a SaaS company, hence we do not have built-in APIs for these tools; we maintain quarterly/yearly audit logs. No, we do not integrate with the above third-party tools.

How is the overall Application logging operation managed? - Does the solution support monitoring for security events and can event notifications/incident response be integrated with bank system?

We maintain application logging and alerting ourselves. We cannot be integrated with the bank's system; according to our company policy, we do not share logs with any third party.

Does the application have robust authentication methods (e.g. SSO, multi-factor authentication, One-time password, secure token, etc.) for administrative access to this service?

Yes, the application has robust authentication methods. We have integrated SAML 2.0 with SAP SuccessFactors, and we also support OAuth 2.0 for seamless authentication.

Do you report PEN test, SOC findings?

Yes, we report pen test and SOC findings.

How compatible is the application with Desktop (Mac/OS), Tablet, and Mobile (Android/iPhone)? Are any additional components required to be downloaded on the user's computer in order to access the application?

Our applications are compatible with desktops, tablets, and mobiles. No additional components are required.

Does the application have a robust Backup and Restore procedures? Is the duration configurable? Can you share your DR strategy and tests results? Is it Active-active?

Since we are a SaaS product, we maintain backup and restore of all customer data ourselves. We use AES-256 encryption for data at rest. We have a multi-AZ deployment with periodic backups for DR. DR is active-active.

How is data isolated between customers? Is the data in non-prod instance refreshed with Prod data and masked? If data masking is performed, then how configurable are the masking scripts? What protection is used for Prod data at rest and at transit?

We use logical data isolation with the help of company-specific encryption keys. Data in the non-production environment is not refreshed with production data; we generate separate test data. Data in transit: TLS 1.2 encryption. Data at rest: AES-256.
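The key-management answers earlier on this page (client-specific keys, AES-256 at rest, keys managed through AWS KMS) and the isolation answer directly above outline envelope encryption with one data key per tenant. The Go program below is an added example of that pattern, not Xoxoday's implementation: the KMS is replaced by an in-process key-encryption key, the tenant ids acme and globex and the stored value are constructed, and AES-256-GCM from Go's standard library stands in for whatever the platform actually uses. It demonstrates the property that makes key-based isolation meaningful: each tenant's rows are sealed under that tenant's own wrapped data key with the tenant id as authenticated data, so a row fetched on behalf of the wrong tenant fails to decrypt instead of leaking.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustRandom returns n bytes from the system CSPRNG; its failure is treated as fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts plaintext with AES-256-GCM under key and binds aad (the tenant id
// throughout this example) to the result, laid out as nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails if the key, the aad or any byte of blob differs.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Store stands in for the database plus a KMS: kek is the key-encryption key (held by the
// KMS in a real deployment) and keys holds each tenant's data-encryption key (DEK)
// wrapped under kek with the tenant id as AAD. No plaintext DEK is ever stored.
type Store struct {
	kek  []byte
	keys map[string][]byte
}

// AddTenant generates a fresh 256-bit DEK and stores only its wrapped form.
func (s *Store) AddTenant(tenant string) (err error) {
	s.keys[tenant], err = Seal(s.kek, mustRandom(32), []byte(tenant))
	return err
}

// Access unwraps the caller's own DEK and seals or opens blob with the caller's tenant
// id as AAD. Opening a row that belongs to another tenant therefore fails even if the
// application fetched the wrong row by mistake: wrong key, wrong AAD, no plaintext.
func (s *Store) Access(tenant string, blob []byte, encrypt bool) ([]byte, error) {
	wrapped, ok := s.keys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key for tenant %q", tenant)
	}
	dek, err := Open(s.kek, wrapped, []byte(tenant)) // a KMS Decrypt call in practice
	if err != nil {
		return nil, err
	}
	if encrypt {
		return Seal(dek, blob, []byte(tenant))
	}
	return Open(dek, blob, []byte(tenant))
}

// Demo provisions two constructed tenants, stores one row for acme and reports whether
// acme could read it back and whether globex was refused.
func Demo() (ownOK, crossRefused bool, err error) {
	s := &Store{kek: mustRandom(32), keys: map[string][]byte{}}
	for _, t := range []string{"acme", "globex"} {
		if err = s.AddTenant(t); err != nil {
			return false, false, err
		}
	}
	row, err := s.Access("acme", []byte("reward code: SAMPLE-0000"), true)
	if err != nil {
		return false, false, err
	}
	got, err := s.Access("acme", row, false)
	ownOK = err == nil && string(got) == "reward code: SAMPLE-0000"
	_, err = s.Access("globex", row, false)
	return ownOK, err != nil, nil
}
```

`Demo()` returns `(true, true, nil)`. The in-process `kek` is the one piece a real deployment replaces with calls to the managed service (AWS KMS exposes this as GenerateDataKey and Decrypt), so the plaintext key-encryption key never exists in application memory and revoking or rotating a tenant's wrapped DEK touches only that tenant's rows.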

How many instances to be provided and supported? How seamless is the Product upgrade release? What is the hosting model - public, private, hybrid, etc.

We are a SaaS solution, and hosting is handled by us; no instances are needed from the client. We use public cloud for hosting (AWS Singapore).

What is the RTO and RPO? Can you share the latest DR strategy test results?

6 hours RTO and 6 hours RPO. Yes, upon request we can share the latest DR strategy test results.

Are there any FLASH component installed in your web app. If yes, can it be disabled without any detrimental impact to the application itself?

No, there are no Flash components installed in our web app.

How mature is the technical capabilities of the product to be able to integrate seamlessly and securely with the Bank's tools and applications?

This solution doesn't require any such API integration; it is already seamlessly integrated with the SAP SuccessFactors solution.

Does the Vendor and/or Business User have controls on elevated/privileged or operational access? Does this mean SCB admin staff will have the control and will be able to perform any administrative or operational activities? How are the roles "Admin" and "Super Admin" defined?

We have only 2 roles: super admin and user. Super admins have complete control of the platform and can configure everything. SCB admin staff will become the super admins.

How is the overall Application logging operation managed? - Does the solution support monitoring for security events and can event notifications/incident response be integrated with bank system?

Xoxoday will not share logs with SCB, as the logs contain multi-tenant information. If there is significant downtime or a disruption of service, we will provide an alert notification to SCB.

What are WCAG Guidelines?

The Web Content Accessibility Guidelines (WCAG) define how to make web content more accessible to people with disabilities. Accessibility covers a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.

Do you comply with WCAG Guidelines?

Yes. We always do our best to ensure that our applications are developed as per WCAG guidelines, helping differently-abled people across the globe.

Can people with disabilities use your website and application without barriers?

Yes. We ensure that people with disabilities can use our websites and applications without difficulty. Our website and products offer very simple options with very good visibility of the content.

Do you consider WCAG guidelines during product development?

Yes. We always consider the WCAG guidelines for helping differently-abled people.

Do you conduct any periodical review and improve the website or applications?

Yes. We periodically review and do all the necessary changes to our website and applications as per the guidelines.

Last updated 3 years ago