Security Related FAQs

Frequently asked questions related to the Compass data security policies

Cryptography & Encryption

Q For data in transit, do you leverage encryption to protect data during transport across and between network instances including services like SSH, HTTPS, etc.?

Yes, we use AES 256-bit encryption. All network communication is encrypted in line with industry standards.

Q Do you encrypt data at rest?

All data volumes are encrypted with AES 256-bit encryption to prevent external snooping or unauthorized access in the multi-tenant environment.

Q Do you segregate multi-tenant data using encryption?

Yes, the data is segregated with a client-specific key for proper handling and representation.

Q Do you provide native encryption capability for sensitive data fields? If so, are there any limits on the number of fields?

Yes, there is a native encryption capability for sensitive data fields. Because every field is handled in the same way, there is no limit on the number of such fields.

Q Do you have controls in place to ensure User IDs and passwords are transmitted in an encrypted format?

User IDs and passwords are transmitted in an encrypted format and are subject to stringent checks that comply with the current Technical Security Baseline Standards.

Q Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

Yes, our policies and procedures establish mechanisms for the secure disposal and removal of data from all storage media, so that the data cannot be recovered by any computer-forensic means. Secure data disposal is carried out when storage is decommissioned or when the contract comes to an end.

Q Are Industry standard technologies used to transfer personal data? (Other than e-mail)

Yes, personal data is transmitted only through approved encrypted systems and is never transmitted via e-mail.

Q Are virtual images hardened by default to protect them from unauthorized access?

Yes, the hardened images are protected against leaks and unauthorized access, and they do not contain any authentication credentials.

Q Do you support end-to-end encryption of tenant's data in transit across all security zones?

Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security.

Governance, Risk, & Data Compliance

Q Are policies and procedures established for labeling, handling, and the security of data and objects that contain data?

Yes, there are established policies and procedures for the labeling, handling, storage, transmission, retention/disposal, and security of clients' data and of objects that contain data, per the Xoxoday Information Classification Standard and Protection Measures.

Q Do you adhere to the tenant's retention policy?

Yes, we adhere to the retention policy that the tenant sends out for optimal collaboration and a smooth user experience with products and services.

Q Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Your data is of the utmost importance. All the security mechanisms and policies are established and implemented in such ways that data leaks can be prevented, in transit as well as at rest.

Q Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Yes, policies, processes, and procedures are implemented to ensure proper segregation of duties, and the documentation can be provided upon a tenant's request. In the event of a user-role conflict of interest, technical controls shall be implemented to mitigate any risk of unauthorized or unintentional modification or misuse of the organization's information assets.

Q Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Yes, our products comply with the industry benchmarks and standards for the Software Development Lifecycle (SDLC). All software development procedures are supervised and monitored so that they include:

  • Security requirements

  • Independent security review of the environment by a certified individual

  • Code reviews

  • Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

Q Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Yes, our code is reviewed both by automated analysis tools and by manual source code review to identify any security defects before the production phase.

Q Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.

Q Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes, our products comply with the industry benchmarks and standards for Software Development Lifecycle (SDLC) security.

Q Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in roles, rights, or responsibilities shall be documented for a seamless experience.

Q Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

We have a consistent and unified framework for business continuity planning, disaster recovery, and plan development. All appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g., fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility service outages, etc.).

Q Do you provide tenants with geographically resilient hosting options?

Our hosting options are limited to the relevant jurisdiction and are backed by business continuity plans. Hence, we do not find it necessary to provide geographically diverse hosting options.

Q Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?

Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.

Q Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals together with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks, using qualitative/quantitative methods to ensure our compliance with policies, procedures, and standards.

Q Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Yes, stringent checks and tests are conducted annually to maintain the hygiene of the cloud service infrastructure as per industry standards.

Q Do you perform annual audits (internal and external) and are the results available to tenants upon request?
Annual audits are processed both internally and externally. The audit results can be sent over to tenants upon request.

Q Are the results of the penetration tests available to tenants at their request?
Yes, the tenants can request penetration testing results and get the reports from our end.

Q Are you storing, transmitting, and/or processing payment card data on behalf of our organization?
No, we do not process your payment card data for any reason other than billing purposes.

Q Can you prove that you are compliant with Indian IT Act 2000?
Yes, we are compliant with the Indian IT Act of 2000.

Q Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?
We conduct regular audits to ensure the safety of personal data such as employees' names, e-mail addresses, and employee numbers, which are used for verification and rewarding purposes.

Q Do you have a dedicated information/cybersecurity team responsible for information security governance across the organization?
Our information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise relating to information security.

Q Have you defined the information security roles and responsibilities?
Information security roles are systematically defined to align all operations and prevent security breaches.

Q Do you have an acceptable usage policy that is signed/agreed by all employees on an annual basis?
Employees must agree to the acceptable usage policy for peripherals and devices, which is intended to prevent malicious activity from both inside and outside the organization.

Q Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenants?
Our environment has all the capabilities to be SOC-2 Type-II compliant, but the certification is yet to come through. It shall be updated soon.

Q Is your environment CSA-certified for the scope of the service being offered to tenants?
Yes. Our environment is not CSA STAR Level 1 certified.

Q Are all relevant legislative, statutory, regulatory, and contractual security requirements identified, documented, and tracked?
We track all security requirements with respect to legislation, statutes, and contracts. They are documented in all steps.

Q Are appropriate procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products?
We have our own procedure for control of documents and records that ensures compliance related to intellectual property rights and the use of proprietary software.

Q Have you identified legislative, regulatory, contractual, and business requirements related to record management?
Our record management criteria cover all legislative, regulatory, contractual, and business requirements.

Q Do you monitor the effectiveness of cybersecurity controls through regular metrics?
We track our cyber-security measures with a range of metrics and monitor them regularly to keep their effectiveness in check.

Q Do you have an approved HR Policy document?
Our Human Resource operating procedure takes every aspect of employee confidentiality into consideration.

Q Are your employees screened before joining the organization? Are they bound to keep the security of information intact even after their employment contract has ended?
Yes, we perform a thorough background check on every employee before they get onboard. The Non-Disclosure Agreement ensures that the information is secure even after the contract is terminated.

Q Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?
No, the third parties and vendors we deal with are confidential too. Hence, this list cannot be shared.

Q Do you regularly monitor the third party's compliance with security obligations?
Yes, our third-party security policy requires third parties to comply with their security obligations, and we monitor their compliance regularly.

Q Is there a process to address any risk that may occur due to the change of services being provided to the tenant?
Yes, we have a detailed risk management procedure in place to address situational issues like the change of services being provided to tenants.

Q Do you permit the use of contractors in roles supporting customer operations?
No, our customer requests are addressed by the customer support team for maximum efficiency.

Q Do you have a subscription to brand protection services?
Yes, Xoxoday's brand protection covers any malicious interruptions or misrepresentations, and these are addressed promptly.

Q Do you monitor media platforms as well for brand protection?
Yes, since media platforms are the largest channel for information sharing, we monitor them for any brand protection issues.

Q Do you have the capability to detect/prevent unauthorized or anomalous behaviour based on network traffic and host activity?
Yes, in the event of a rapid spike/slump in network traffic or host activity, Xoxoday analyses the traffic to detect and prevent unauthorized or erratic behaviour.

Q Do you have mandatory and regular privacy training and awareness modules?
Yes, in order to ensure airtight security of data, we have mandatory and regularly scheduled privacy training and awareness modules.

Q What is CSA?
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Q What are the important features of CSA STAR Level 1?
Important features of CSA STAR Level 1 are listed below. It is intended for organizations that are:

  • Operating in a low-risk environment

  • Wanting to offer increased transparency around the security controls they have in place

  • Looking for a cost-effective way to improve trust and transparency

Q Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?
Yes, we ensure the same as part of our code review, static code analysis, and Web Application Firewall.

Q Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?
Yes, we comply with these requirements. Our cloud service provider (CSP), Amazon Web Services (AWS), provides these physical security controls for our data centers.

Q Do you use Production data in a non-production environment?
Production data shall not be replicated or used in non-production environments; we do not use live data in any other environment. We comply with this requirement.

Q Do you obtain prior authorization before relocation or transfer of hardware, software, or data to an offsite premises?
We take prior authorization from the concerned authority, as per the Media Protection procedure, before relocating or transferring hardware, software, or data to offsite premises.

Solution Development

Q. Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?

Yes, our network environment is designed and configured to restrict any communication and connection between the tenant's environment and our corporate network.

Q. Do you logically and/or physically separate tenant systems from corporate systems?

Yes, tenant systems are kept separate by assigning each tenant's data a client-specific key, so that each tenant's data is uniquely encrypted for maximum security.

Q. Are information system documents (e.g., administrator and User guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation, and operation of the information system?

Yes, all the resources that are needed for configuration, installation, and operation of information systems are made available to the authorized personnel for their perusal.

Q. Do you provide the logical segregation of tenant data and the application?

Yes, we logically segregate the tenant's data and the application.

Q. Do you logically and physically segregate production and non-production environments?

Yes, physical segregation is done for production and non-production environments.

Training and Awareness

Q. Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?

Yes, our personnel, both full-time and on-contract, are bound by a non-disclosure and confidentiality agreement as a condition of employment to protect customer and tenant information.

Q. Do you specifically train your employees, contractors, third-party users regarding their specific role and the information security controls they must fulfil?

Yes, all employees and personnel, along with contractors and third-party users, go through induction and job training covering their share of the information security controls.

Q. Are personnel trained and provided with awareness programs at least once a year?

Yes, all personnel receive awareness training annually.