Cryptography & Encryption

For data in transit, do you leverage encryption to protect data during transport across and between network instances, including services like SSH, HTTPS, etc.?

Yes, we use AES 256-bit encryption. All network communication is encrypted with industry standards. Note - Please provide supporting documentation defining encryption standards and technologies.

Do you encrypt data at rest?

All data volumes are encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment.

Do you segregate multi-tenant data using encryption?

Yes, the data is segregated with a client-specific key for proper handling and representation.

Do you provide native encryption capability for sensitive data fields? If so, are there any limits on the number of fields?

Yes, there's a native encryption capability when it comes to sensitive data fields. As each field is equally intricate, there are no limits to such fields.

Do you have controls in place to ensure User IDs and passwords are transmitted in an encrypted format?

User IDs and passwords must be transmitted through stringent checks in an encrypted format that complies with the current Technical Security Baseline Standards.

Are passwords stored in an encrypted or a single, one-way hash?

The passwords are stored after encryption for maximum security of data.

Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

Yes, our policies and procedures are established, with mechanisms implemented, for secure disposal and removal of data from every storage medium. This ensures that the data can't be recovered by any computer forensic means. We assure secure data disposal when storage is decommissioned or when the contract comes to an end.

Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?

Please refer to "Do you support secure deletion of data?" for an explanation. As for the procedure, here's the protocol that we follow:
  • The storage period would be as per regulatory conditions.
  • Personal data can be deleted based on a formal written request, with justification.
  • Xoxoday would delete the data within 30 days of receiving the request.

Do you allow tenants to use their own certificates?

No, users must use certificates from Xoxoday. They are benchmarked as per the best industrial standards to ensure complete encryption of data.

Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?

No, open encryption has proven to show cracks and bruises and that's why we only equip data traversing public networks with industrial standards to ensure protection from fraud, unauthorized disclosure, modification, or compromise of data.

Are TCCC approved technologies used to transfer personal data? (Other than e-mail)

Yes, personal data is to be transmitted using firmly approved encrypted systems and in no way is to be transmitted via email.

Are virtual images hardened by default to protect from unauthorized access?

Yes, the hardened images are secure from any malicious leak or unauthorized access. These hardened images do not contain any authentication credentials.

Do you support end-to-end encryption of tenant's data in transit across all security zones?

Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security.

Do you allow your tenant to manage all cryptographic keys (e.g., data encryption, SSL certificates) for sensitive data?

No, the cryptographic keys, including data encryption and SSL certificates, are managed by Xoxoday for optimal security of sensitive data.

More info below:

Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to customers in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?

We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for data in transit and AES256 for data at rest for maximum security.

Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data?

Yes. We have implemented the Information Classification Policy.

Do you have key management policies binding keys to identifiable owners?

We use a split key mechanism to ensure that every client's key is unique.
  • We perform annual key rotation.
  • Keys are generated using KMS service whenever needed.
  • We store keys in KMS.
Attached: the Encryption policy. Name of the folder - EN01 Encryption policy

Do you have a capability to allow creation of unique encryption keys per customer?

Every client's key is unique.

Do you have documented ownership for each stage of the lifecycle of encryption keys?

Yes. Our tech team manages this.

Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for data in transit and AES256 for data at rest.

Do you store encryption keys in the cloud?

We store keys in KMS.

Does the organisation encrypt its backups?

Yes. Backup data is also encrypted.

Is the customer data always encrypted in transit?

The data in transit will always be encrypted.

Are attachments encrypted or password protected before sending? If yes, describe the encryption method.

Yes. We use Google Workspace and all the conversations are TLS encrypted.

Are the user access passwords displayed / stored / transmitted in clear text over the network?

Passwords are encrypted all the time.

  • Is the connectivity between the vendor and the customer protected with strong encryption?
  • What is the organization's minimum standard for the protection of sensitive information? (DES, 3DES, AES-128, AES-256, etc.)

We use logical data isolation with the help of company-specific encryption keys. We generate separate test data. Data in transit - TLS1.2 encryption; data at rest - AES256.

Is the backup media password protected or encrypted as per the requirement of vendor policy or as per the customer requirement?

Backup, passwords are protected. We use encryption.

If the customer data is stored in a shared environment, what are the security controls in place to segregate the customer data from other tenants’ data?

We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. Our network environment is designed and configured to restrict any communication and connection between the tenants' environments.

What control measures are in place at the CSP end to prevent, detect and react to breaches, including data leakage, and how will the CSP demonstrate the same?

We have a multi-layered network architecture with role-based access control. All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique. We use TLS1.2 encryption for data in transit and AES256 for data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access.

Is the customer’s data encrypted while stored and transmitted? And what encryption protocol or keys are currently being used?

We use TLS1.2 encryption for data in transit and AES256 for data at rest.

Have you deployed any encryption mechanism (data in transit) to secure data in motion on communication links?

We use TLS1.3 encryption for data in transit.

Are systems handling BSLI data on a separate network segment, segregated from other clients?

We logically segregate the tenant's data, and it is segregated with a client-specific key for proper handling and security reasons. We use TLS1.3 encryption while data is in transit and AES256 while data is at rest.

How does the Vendor ensure compartmentalization of the customer data to prevent unauthorized access to the customer data from other customers / employees of Vendor?

Yes, our logic to physically separate tenant systems is made possible by assigning each tenant's data a client-specific key that is uniquely encrypted for maximum security. We use TLS1.3 encryption while data is in transit and AES256 while data is at rest.