Security Operations & Technical Capabilities and Support

Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

Yes. We have forensic procedures in place that include chain-of-custody management processes and controls.

What controls are used to mitigate DDoS (distributed denial–of-service) attacks?

As part of the Web Application Firewall (WAF), rate limiters block repeated requests from a single IP address to mitigate DDoS-style attacks. These are backed by daemons that also evaluate other identifiers, such as the URLs accessed and other client properties, and automatically blacklist likely threats either temporarily or permanently.
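As an added illustration of the mechanism described in that answer (this is not Xoxoday's WAF code, whose internals the page does not describe), the Go program below replays a constructed access log through a sliding-window rate limiter keyed by client IP, adds a path heuristic standing in for the "other identifiers" a daemon might score, and escalates from a temporary block to a permanent blacklist. The thresholds, the log format, the probe-path list and every address in the sample log are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Verdict is the limiter's decision for one request.
type Verdict int

const (
	Allow       Verdict = iota
	BlockedTemp // client is inside a temporary block window
	BlockedPerm // client is blacklisted permanently
)

// client is the per-IP state: hits inside the current window, end of any
// temporary block (zero when none), blocks issued so far, permanent flag.
type client struct {
	hits  []time.Time
	until time.Time
	bans  int
	perm  bool
}

// Limiter is a sliding-window rate limiter keyed by client IP, plus a path
// heuristic standing in for the "other identifiers" a WAF daemon scores.
type Limiter struct {
	Window    time.Duration // sliding window length (all thresholds are example values)
	MaxInWin  int           // requests allowed per window
	TempBan   time.Duration // length of a temporary block
	PermAfter int           // temporary blocks before a permanent blacklist
	clients   map[string]*client
}

func NewLimiter(window time.Duration, maxInWin int, tempBan time.Duration, permAfter int) *Limiter {
	return &Limiter{window, maxInWin, tempBan, permAfter, map[string]*client{}}
}

// isProbe flags paths no legitimate user requests (example list); one hit is
// scored like exceeding the rate limit.
func isProbe(path string) bool {
	return strings.HasPrefix(path, "/.env") || strings.HasPrefix(path, "/wp-login.php")
}

// Check records one request and returns the verdict. Time comes from the log
// line, not the wall clock, so replaying a log is deterministic.
func (l *Limiter) Check(at time.Time, ip, path string) Verdict {
	c, ok := l.clients[ip]
	if !ok {
		c = &client{}
		l.clients[ip] = c
	}
	if c.perm {
		return BlockedPerm
	}
	if at.Before(c.until) {
		return BlockedTemp
	}
	kept := c.hits[:0] // drop hits that fell out of the window, in place
	for _, t := range c.hits {
		if t.After(at.Add(-l.Window)) {
			kept = append(kept, t)
		}
	}
	c.hits = append(kept, at)
	if len(c.hits) <= l.MaxInWin && !isProbe(path) {
		return Allow
	}
	c.bans++
	c.hits = nil
	if c.bans >= l.PermAfter {
		c.perm = true
		return BlockedPerm
	}
	c.until = at.Add(l.TempBan)
	return BlockedTemp
}

// Run replays log lines of the form "<RFC3339 time> <ip> <path> <status>"
// through the limiter and returns one verdict per line.
func Run(l *Limiter, lines []string) ([]Verdict, error) {
	out := make([]Verdict, 0, len(lines))
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, l.Check(at, f[1], f[2]))
	}
	return out, nil
}

// SampleLog is constructed: 10.0.0.5 is a normal user, 203.0.113.9 bursts
// twice, 198.51.100.7 probes for a secrets file.
var SampleLog = []string{
	"2024-01-01T00:00:00Z 10.0.0.5 /api/rewards 200",
	"2024-01-01T00:00:00Z 203.0.113.9 /api/rewards 200",
	"2024-01-01T00:00:01Z 203.0.113.9 /api/rewards 200",
	"2024-01-01T00:00:02Z 203.0.113.9 /api/rewards 200",
	"2024-01-01T00:00:03Z 198.51.100.7 /.env 404",
	"2024-01-01T00:00:03Z 203.0.113.9 /api/rewards 429",
	"2024-01-01T00:01:10Z 203.0.113.9 /api/rewards 200",
	"2024-01-01T00:01:11Z 203.0.113.9 /api/rewards 200",
	"2024-01-01T00:01:12Z 203.0.113.9 /api/rewards 200",
}

func main() {
	// 2 requests per 10 s window, 60 s temporary block, permanent after 2 blocks
	fmt.Println(Run(NewLimiter(10*time.Second, 2, 60*time.Second, 2), SampleLog))
}
```

The second burst from 203.0.113.9 is allowed again once its temporary block expires, then becomes permanent on the next overrun; the probing IP is blocked on its first request regardless of rate. A real deployment would also need to key on more than the source IP (shared NAT, proxies) and persist the blacklist across WAF instances.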

Is there a cloud audit program to address the client's audit and assessment requirements?

Yes. Under our cloud audit program we analyse and address the audit and assessment requirements put forward by the tenant.

Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

Yes. We have forensic procedures for data collection and analysis during incident response.

Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?

Yes. We can freeze a specific tenant's data from a given point in time without freezing other tenants' data.

Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

Yes. Tenant data separation is enforced and attested when data is produced in response to legal subpoenas.

Give details of platform on which the application is developed.

The Xoxoday platform is built on a microservices architecture of independent applications and is deployed on the AWS Virtual Private Cloud (VPC).

Does your product provide/support mobility through native mobile apps etc.?

No. The product is delivered as a web application that can be accessed from desktop and mobile browsers on all compatible devices.

Do you offer configurability in your SaaS solution? Give the options if available

Our platform can be white-labelled to match the look and feel of the tenant's platform. The emails are also customizable for a personal touch.

What customization options are available to cater to tenant's requirements? E.g. Customized reports etc.

Reports on rewarding and related activity can be accessed through the platform.

If customization is possible, what are the development tools and APIs available?

Customization is done at the platform level, manually, by the super admin.

Do you support out-of-the-box integration with on premise applications such as SAP, Active Directory etc.?

Yes. Xoxoday Plum comes with a full set of integrations with various platforms.

Do you support movement of applications and data from one cloud service provider to another cloud service provider or back to in-house data center whenever required?

No. We keep tenant data in one data center for the safety, privacy, and security of our tenants' databases.

What are the available management reporting capabilities?

Reports and analysis can be extracted from the platform. These reports give detailed insight into reward and recognition inputs and outputs over the period concerned.

Can the reports be customizable based on the tenant's needs?

If reports beyond the predefined ones are needed, they can be shared with the tenant as a spreadsheet.

What types of Advisory and technical support are provided?

Xoxoday's customer support team is available at all times to address queries and to provide advisory and technical support.

How does the Cloud Service Provider protect keys, and what security controls are in place to effect that?

Each tenant's data is encrypted with a tenant-specific key. Data at rest is encrypted with AES-256.

Are hardware security modules used to protect such keys? Who has access to such keys?

Yes. Hardware security modules are used to protect these keys, and access to the keys lies with the Chief Technology Officer (CTO).

What procedures are in place to manage and recover from the compromise of keys?

We use AWS Key Management Service (KMS) to manage all keys. If a key is compromised, it is recovered through KMS.

If an advanced warning is given for service interruption will it count as downtime?

Yes. A service interruption counts as downtime even when prior notification has been given.

What is the SLA (time) for different levels of support, incidents and change requests? Standard example: Critical - 2 hrs or less, Moderate - 4 hrs or less, Minimum - 8 hrs or less

Support response times range from six to forty-eight hours, depending on the level of service and the severity of the incident.

Do you have penalty clauses in the event of performance failure ?

No. There is no penalty clause in the event of a performance failure.

What are the inbuilt APIs for third party tools available? Can you integrate with SailPoint, ForgeRock, Splunk, OneCert, EDM?

We are a SaaS company and do not have built-in APIs for these tools; we maintain quarterly/yearly audit logs. No, we do not integrate with the above third-party tools.

How is the overall Application logging operation managed? - Does the solution support monitoring for security events and can event notifications/incident response be integrated with bank system?

We maintain application logging and alerting ourselves. Logs cannot be integrated with the bank's systems; under company policy we do not share logs with any third party.

Does the application have robust authentication methods (e.g. SSO, multi-factor authentication, One-time password, secure token, etc.) for administrative access to this service?

Yes, the application has robust authentication methods. SAML 2.0 single sign-on is integrated with SAP SuccessFactors, and OAuth 2.0 is also supported.

Do you report PEN test, SOC findings?

Yes, we report penetration test and SOC findings.

How is the compatibility of the application with Desktop (Mac/OS), Tablet and Mobile (Android/iPhone)? Are any additional components required to be downloaded on the user's computer in order to access the application?

Our applications are compatible with desktops, tablets and mobiles. No additional components are required.

Does the application have a robust Backup and Restore procedures? Is the duration configurable? Can you share your DR strategy and tests results? Is it Active-active?

As a SaaS product, we maintain backup and restore of all customer data ourselves. Data at rest is encrypted with AES-256. For DR we run a multi-AZ deployment with periodic backups, and DR is active-active.

How is data isolated between customers? Is the data in non-prod instance refreshed with Prod data and masked? If data masking is performed, then how configurable are the masking scripts? What protection is used for Prod data at rest and at transit?

We use logical data isolation backed by company-specific encryption keys. Data in the non-production environment is not refreshed with production data; we generate separate test data. Data in transit is protected with TLS 1.2, and data at rest with AES-256.
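The per-tenant keys described in the key-protection answer above, the key-compromise answer, and the logical isolation described here, as an added Go example (not the platform's code, which the page does not show): each tenant gets its own AES-256 key, records are sealed with AES-GCM using the tenant ID as additional authenticated data, and a suspected compromise of one tenant's key is handled by rotating that key and re-encrypting only that tenant's records. The in-memory KeyStore is a hypothetical stand-in for a KMS-backed key source, and the record content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore maps a tenant ID to its own 32-byte AES-256 key. It is a
// hypothetical in-memory stand-in for a KMS-backed key source.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates (or replaces) the tenant's key with fresh random bytes.
func (s *KeyStore) Generate(tenant string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	s.keys[tenant] = k
	return nil
}

func (s *KeyStore) aead(tenant string) (cipher.AEAD, error) {
	k, ok := s.keys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key for tenant %q", tenant)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under the tenant's key with AES-256-GCM, binding the
// tenant ID as additional authenticated data. Output is nonce || ciphertext+tag.
func Seal(s *KeyStore, tenant string, plaintext []byte) ([]byte, error) {
	g, err := s.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Open decrypts a record with the tenant's key. Another tenant's key, or a
// different tenant ID in the AAD, fails authentication instead of yielding garbage.
func Open(s *KeyStore, tenant string, blob []byte) ([]byte, error) {
	g, err := s.aead(tenant)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], []byte(tenant))
}

// Rotate is one response to a suspected compromise of a single tenant's key:
// decrypt that tenant's records with the current key, replace the key, and
// re-encrypt. Other tenants' keys and data are untouched.
func Rotate(s *KeyStore, tenant string, records [][]byte) ([][]byte, error) {
	plain := make([][]byte, len(records))
	for i, r := range records {
		p, err := Open(s, tenant, r)
		if err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
		plain[i] = p
	}
	if err := s.Generate(tenant); err != nil {
		return nil, err
	}
	out := make([][]byte, len(records))
	for i, p := range plain {
		c, err := Seal(s, tenant, p)
		if err != nil {
			return nil, err
		}
		out[i] = c
	}
	return out, nil
}

func main() {
	s := NewKeyStore()
	s.Generate("tenant-a")
	s.Generate("tenant-b")
	blob, _ := Seal(s, "tenant-a", []byte("reward_id=42;recipient=alice@example.com")) // constructed record
	_, crossErr := Open(s, "tenant-b", blob)            // wrong tenant's key: authentication error
	rotated, _ := Rotate(s, "tenant-a", [][]byte{blob}) // tenant-a key compromised: rotate
	_, staleErr := Open(s, "tenant-a", blob)            // old ciphertext no longer opens
	p, _ := Open(s, "tenant-a", rotated[0])
	fmt.Println(crossErr, staleErr, string(p))
}
```

Because the tenant ID is authenticated data, a ciphertext copied between tenants fails to open even if two tenants were ever issued the same key by mistake, and a litigation hold or subpoena export for one tenant never needs another tenant's key. With a real KMS the Generate step would be a key rotation or a new data key wrapped by the tenant's customer master key, and the old key would be scheduled for deletion only after re-encryption has been verified.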

How many instances to be provided and supported? How seamless is the Product upgrade release? What is the hosting model - public, private, hybrid, etc.

We are a SaaS solution and hosting is handled by us; no instances are needed from the client. We host on public cloud (AWS, Singapore region).

What is the RTO and RPO? Can you share the latest DR strategy test results?

RTO is 6 hours and RPO is 6 hours. Yes, we can share the latest DR test results on request.

Are there any FLASH component installed in your web app. If yes, can it be disabled without any detrimental impact to the application itself?

No, there are no Flash components in our web app.

How mature is the technical capabilities of the product to be able to integrate seamlessly and securely with the Bank's tools and applications?

This solution does not require any such API integration; it is already integrated with SAP SuccessFactors.

Does the Vendor and/or Business User have controls on elevated/privileged or operational access? Does this mean SCB admin staff will have the control and will be able to perform any administrative or operational activities? How are the roles "Admin" and "Super Admin" defined?

We have only two roles: super admin and user. The super admin has complete control of the platform and can configure everything. SCB admin staff will be the super admins.

How is the overall Application logging operation managed? - Does the solution support monitoring for security events and can event notifications/incident response be integrated with bank system?

Xoxoday will not share logs with SCB, as the logs contain multi-tenant information. If there is significant downtime or a disruption of service, we will send an alert notification to SCB.

What are WCAG Guidelines?

The Web Content Accessibility Guidelines (WCAG) define how to make web content more accessible to people with disabilities. Accessibility covers a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.

Do you comply with WCAG Guidelines?

Yes. We develop our applications in line with WCAG guidelines to support differently-abled people across the globe.

Can people with disabilities use your website and application without barriers?

Yes. We ensure that people with disabilities can use our websites and applications without difficulty; our website and products use simple options and highly visible content.

Do you consider WCAG guidelines during product development?

Yes. We consider the WCAG guidelines throughout product development to support differently-abled people.

Do you conduct any periodical review and improve the website or applications?

Yes. We periodically review our website and applications and make the changes needed to keep them in line with the guidelines.
