Identity & Access Management FAQs

Get quick answers to Identity and Access Management questions

Updated this week

Q Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?
Yes, our policies and procedures are established and implemented to enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems.

Q Do you retain logs for all login attempts for a given time period or as required by the tenant?
Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Q Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?
Yes, there is a protocol in place to ensure that no information beyond notification of an unsuccessful login attempt is disclosed prior to a successful login.

Q Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
Yes, our partnerships with a wide array of integration partners provide existing customer-based Single Sign On (SSO) capability so that all users can seamlessly use Xoxoday's products. With an easy DIY setup, your SSO solution can be plugged in and ready to go.

Q Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
Yes, our identity federation standards include SAML 2.0.

Q What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?
We isolate our machines, network, and storage in accordance with AWS standards in order to keep them safe and secure.

Q Do you allow tenants to use third-party identity assurance services?
No, tenants are only allowed to use our secure protocols and procedures, to prevent gaps in data handling.

Q Do you support the tenant's access review policy?
Yes, we do support our clients' and tenants' access review policies.

Q Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?
Our password requirements cover all of these factors to ensure that strong passwords are created. Passwords must meet a minimum length and contain special characters, capital letters, and alphanumeric combinations.

Q Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
No. As Xoxoday's products use single sign-on (SSO), users can log in via their suite email and credentials.

Q Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
Yes, audit logs are recorded and reviewed automatically on a regular basis. These logs are integrated with our security operations/SIEM solutions.

Q Is the option of physical and logical user audit log access restricted to authorized personnel only?
Yes, to keep data in the right hands, physical and logical access to user audit logs is restricted to authorized personnel only.

Q Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?
No, logs are audited automatically but are not integrated with the tenant's security operations/SIEM solution. If the tenant requests logs, they can be shared on request.

Q Are audit logs centrally stored and retained?
Yes, audit logs are centrally stored and retained for future reference.

Q Describe how event logs are protected from alteration including how access to these logs is controlled?
The event logs are stored in a bucket that nobody can access without approval from senior management, i.e., the Chief Technical Officer.

Q Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
Yes, all security mechanisms and policies are implemented to facilitate timely detection and investigation by root-cause analysis. Incidents are analyzed with network intrusion detection (IDS) tools.

Q Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Yes, when an incident affects particular tenants, our logging and monitoring framework allows the incident to be isolated to those tenants.

Q Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?
Yes, there are measures in place to limit access to tenant data from non-authorized devices. Please refer to "Access Control Procedures".

Q Is there an approval process for access requests to systems handling personal data?
Yes, using the access control limit capability, General Admins and Managers can grant access to authorized individuals based on the requests those individuals raise, so that they can manage their platform and the associated personal data.

Q Is access to systems containing personal data granted using a role-based criteria?
Yes, the "admin" role holds the highest privileges, and admins can process users' personal data at their discretion using the access control limit capability.

Q Is all Personal Data registered in a standard repository?
Yes, personal data is stored in registered databases that meet the requirements of a standard inventory repository.

Q Are credentials stored in a centralized system that is as per the Industry standard?
Yes, all credentials are stored in secure storage such as Secret Manager, in line with industry standards.

Q Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Yes, roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

Q Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
Yes, if an incident involving inappropriate access to tenant data occurs, we will share the reports.

Q Do you support the tenant's multifactor authentication (e.g., RSA SecurID, PKI certificates, out-of-band PIN of at least 6 digits, etc.)?
Yes, we support measures to enforce strong multi-factor authentication for access to highly restricted data.

Q Do you support access to tenant sensitive data by only tenant's managed devices?
No, the data can be accessed by authorized personnel to serve you better while maintaining maximum security.