Confidentiality & Integrity
Q: Can usage of the platform be restricted to a specific IP range?
While the application itself is publicly accessible on the internet, IP restrictions can be enforced through the client’s SSO or identity provider. By configuring IP-based access rules within their SSO system, clients can block access from outside approved IP ranges, thereby effectively controlling and securing usage.
Q: How is functional security defined and maintained in Xoxoday?
Xoxoday ensures functional security through a Role-Based Access Control (RBAC) system. Every element — menus, pages, buttons, and features — is secured to control access. Clients can define rules based on roles and responsibilities, so users, managers, and admins only see and interact with features relevant to them.
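The following is an added illustration of the RBAC model described in the answer above; it is not Xoxoday's code, and the roles, permissions and UI element names are constructed for the example. It shows the two properties a practitioner should look for in such a system: roles inherit from one another (user < manager < admin), and anything not explicitly granted, including an unknown role name, is denied.

```python
"""Minimal role-based access control (RBAC) with inheritance and deny-by-default.

Added illustration, not Xoxoday's implementation. All role, permission and
UI element names below are constructed sample data.
"""
from __future__ import annotations

# Permissions granted directly to each role.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "user": {"rewards:view", "profile:edit"},
    "manager": {"team:view", "rewards:approve"},
    "admin": {"users:manage", "settings:edit", "audit:view"},
}

# Role inheritance: a role also receives the permissions of its parents.
ROLE_PARENTS: dict[str, tuple[str, ...]] = {
    "user": (),
    "manager": ("user",),
    "admin": ("manager",),
}

# Each UI element (menu, page, button) is gated by exactly one permission.
UI_ELEMENTS: dict[str, str] = {
    "menu:rewards": "rewards:view",
    "page:team": "team:view",
    "button:approve-reward": "rewards:approve",
    "page:admin-settings": "settings:edit",
}


def effective_permissions(role: str) -> frozenset[str]:
    """Return a role's permissions including everything inherited.

    Unknown roles resolve to the empty set, so a misspelled or stale role
    name never grants access (deny by default).
    """
    seen: set[str] = set()
    perms: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen or current not in ROLE_PERMISSIONS:
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS[current]
        stack.extend(ROLE_PARENTS.get(current, ()))
    return frozenset(perms)


def is_allowed(role: str, permission: str) -> bool:
    """Server-side check to run on every request, not only in the UI."""
    return permission in effective_permissions(role)


def visible_elements(role: str) -> list[str]:
    """UI elements a role may see; the API must still call is_allowed()."""
    perms = effective_permissions(role)
    return sorted(element for element, needed in UI_ELEMENTS.items() if needed in perms)
```

Hiding a button is a usability measure, not a control: the same `is_allowed()` check has to run on the server for the action the button triggers, otherwise a user who knows the endpoint can bypass the menu.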
Q: Is the platform deployed on a shared or dedicated environment?
The platform operates in a secure, multi-tenant environment hosted on Amazon Web Services (AWS), Azure, Oracle, and other cloud platforms. Each client’s data is logically isolated and encrypted using unique keys, ensuring data confidentiality and integrity. The SaaS-based deployment model ensures scalability and operational efficiency, while also supporting compliance with enterprise-grade security and data protection standards. We also provide dedicated environments if clients have specific requirements.
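As an added example of what "logically isolated and encrypted using unique keys" means in a multi-tenant store (this is illustrative code, not Xoxoday's implementation, and the tenant names and records are constructed): each tenant's data key is derived from a master key with HKDF, every ciphertext is authenticated together with its tenant id, and the storage layer is keyed by tenant so a read can never return another tenant's row. The cipher is HMAC-SHA256 used as a PRF in counter mode with encrypt-then-MAC, chosen only so the example runs on the standard library; in a real deployment a KMS-backed AEAD such as AES-GCM takes its place.

```python
"""Per-tenant key isolation for a multi-tenant store.

Added illustration, not Xoxoday's code. HKDF per RFC 5869 derives one key
pair per tenant from a master key; records are encrypted and MACed under the
tenant's keys with the tenant id bound into the MAC. The HMAC-CTR cipher
stands in for a KMS-backed AEAD so that this runs offline.
"""
import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)  # constructed; in practice held in a KMS/HSM


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_keys(tenant_id: str) -> tuple[bytes, bytes]:
    """Derive distinct encryption and MAC keys for one tenant."""
    base = hkdf(MASTER_KEY, b"tenant:" + tenant_id.encode())
    return hkdf(base, b"enc"), hkdf(base, b"mac")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_tenant(tenant_id: str, plaintext: bytes) -> bytes:
    enc_key, mac_key = tenant_keys(tenant_id)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The MAC covers tenant id, nonce and ciphertext, so re-labelling a
    # record to another tenant or opening it with another key fails.
    tag = hmac.new(mac_key, tenant_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_for_tenant(tenant_id: str, blob: bytes) -> bytes:
    enc_key, mac_key = tenant_keys(tenant_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, tenant_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("record is not readable under this tenant's key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TenantScopedStore:
    """Rows are keyed by (tenant, record); reads cannot cross tenants."""

    def __init__(self) -> None:
        self._rows: dict[tuple[str, str], bytes] = {}

    def put(self, tenant_id: str, record_id: str, data: bytes) -> None:
        self._rows[(tenant_id, record_id)] = encrypt_for_tenant(tenant_id, data)

    def get(self, tenant_id: str, record_id: str) -> bytes:
        blob = self._rows[(tenant_id, record_id)]  # KeyError for the wrong tenant
        return decrypt_for_tenant(tenant_id, blob)


def cross_tenant_read_fails(store: TenantScopedStore, victim: str, other: str, record_id: str) -> bool:
    """Even with the raw blob in hand, another tenant's keys cannot open it."""
    blob = store._rows[(victim, record_id)]
    try:
        decrypt_for_tenant(other, blob)
    except PermissionError:
        return True
    return False
```

The design point is that the tenant id participates in both the key derivation and the authentication tag: a bug that returns the wrong row, or an operator who copies a blob between tenants, produces a decryption failure rather than silently readable data.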
Q: Is there a clause that protects confidential data for employees and the community?
Yes, the contract contains clauses that ensure the confidentiality of data categorized as Personally Identifiable Information (PII), so that it is neither misused nor accessed by unauthorized parties.
We fully understand our clients' obligation to share certain data with certain authorities, and as a company we strive to comply with the local laws and regulations of the jurisdictions in which our clients conduct their business.
Development Lifecycle Security
Q: What security is built into your development lifecycle? Are DAST or SAST tools implemented?
Xoxoday incorporates security at every stage of the development lifecycle, ensuring that applications are built and maintained with robust security controls. The platform adheres to Secure Software Development Lifecycle (SSDLC) best practices, integrating Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to proactively detect and remediate vulnerabilities.
SAST Implementation: Xoxoday utilizes SAST tools during the development phase to scan source code for security flaws, misconfigurations, and vulnerabilities before deployment. This ensures that issues such as SQL injection, insecure authentication, and access control weaknesses are addressed early.
DAST Implementation: Regular DAST scans are conducted on deployed applications to identify runtime security vulnerabilities, such as cross-site scripting (XSS) and API security weaknesses, by simulating real-world attacks.
Automated Security Testing: CI/CD pipelines include automated security testing to catch vulnerabilities before the code moves to production.
Manual Code Reviews & Secure Coding Standards: Security teams conduct periodic manual code reviews to complement automated testing and enforce secure coding best practices.
Threat Modeling & Risk Assessment: The development team performs threat modeling exercises to anticipate and mitigate potential attack vectors before implementation.
Regular Penetration Testing: Beyond SAST and DAST, annual penetration tests validate the security posture of the application and infrastructure.
By integrating SAST and DAST tools, automated security scans, and manual code reviews, Xoxoday ensures that security is embedded throughout the development lifecycle, reducing risk and enhancing overall application security.
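The pipeline step the SDLC section describes, catching findings before code reaches production, is usually implemented as a gate over the scanner's report. The following is an added example (not Xoxoday's pipeline, and it names no specific scanner): it reads SARIF, the interchange format that most SAST and DAST tools can emit, drops findings the report itself marks as suppressed, applies a reviewed allowlist of accepted findings, and fails the build when anything at or above the configured severity remains. The SARIF document embedded in the block is constructed for the example.

```python
"""CI security gate over a SARIF report.

Added example, not Xoxoday's code. The report below is constructed sample
data; rule ids and file paths are illustrative.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass
class Finding:
    tool: str
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    @property
    def fingerprint(self) -> str:
        return f"{self.rule_id}@{self.uri}:{self.line}"


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding] = field(default_factory=list)
    ignored: list[Finding] = field(default_factory=list)


def parse_sarif(text: str) -> list[Finding]:
    """Flatten SARIF runs/results; skip results the tool marks as suppressed."""
    findings: list[Finding] = []
    for run in json.loads(text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            # A suppression with no status, or status "accepted", means ignore.
            if any(s.get("status", "accepted") == "accepted" for s in r.get("suppressions", [])):
                continue
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                tool=tool,
                rule_id=r.get("ruleId", "unknown"),
                level=r.get("level", "warning"),  # SARIF default when absent
                uri=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                message=r.get("message", {}).get("text", ""),
            ))
    return findings


def evaluate_gate(findings: list[Finding], fail_level: str = "error",
                  allowlist: frozenset[str] = frozenset()) -> GateResult:
    """Block on any non-allowlisted finding at or above fail_level."""
    threshold = SEVERITY_RANK[fail_level]
    result = GateResult(passed=True)
    for f in findings:
        if f.fingerprint in allowlist or SEVERITY_RANK.get(f.level, 2) < threshold:
            result.ignored.append(f)
        else:
            result.blocking.append(f)
    result.passed = not result.blocking
    return result


# Constructed SARIF report: one blocking error, one warning, one suppressed error.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "User input concatenated into SQL query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/orders.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                             "region": {"startLine": 17}}}]},
        {"ruleId": "debug-enabled", "level": "error",
         "message": {"text": "Debug mode enabled in test settings"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/settings.py"},
                                             "region": {"startLine": 3}}}],
         "suppressions": [{"kind": "inSource"}]},
    ]}]})

if __name__ == "__main__":
    outcome = evaluate_gate(parse_sarif(SAMPLE_SARIF))
    for f in outcome.blocking:
        print(f"BLOCKING {f.tool} {f.fingerprint}: {f.message}")
    sys.exit(0 if outcome.passed else 1)
```

The allowlist is keyed by rule, file and line so that an accepted finding stops matching as soon as the surrounding code moves, which forces a fresh review rather than letting an old exception cover new code.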
