Governance, Risk, & Data Compliance

Are policies and procedures established for labelling, handling and the security of data and objects that contain data?

Yes, there are established policies and procedures for labelling, handling, storing, transmitting, retention/disposal, and security of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures.

Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?

Yes, there are established policies and procedures for label inheritance of TCCC data and objects which contain data, per the TCCC Information Classification Standard and Protection Measures. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Do you adhere to tenant's retention policy?

Yes, we adhere to the retention policy that the tenant sends out for optimal collaboration and smooth user experience with Xoxoday's products and services.

Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Yes. Security mechanisms and policies are established and implemented so that data leakage is prevented both in transit and at rest, and the published procedure can be provided upon request.

Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Yes, the policy, process, and procedures are implemented to ensure proper segregation of duties, and the documentation can be delivered upon a tenant's request. Where a user role presents a conflict of interest, technical controls shall be implemented to mitigate any risk of unauthorized or unintentional modification or misuse of the organization's information assets.

Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Yes, our products comply with industry benchmarks and standards for the Software Development Life-cycle (SDLC). All software development procedures are supervised and monitored by Xoxoday so that they include:

  • security requirements

  • independent security review of the environment by a certified individual

  • code reviews

Quality monitoring, evaluation, and acceptance criteria for information systems, upgrades, and new versions shall be established and documented for the clients' reference.

Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Yes, code is reviewed with automated source code analysis tools as well as manual source code review to identify security defects before it reaches the production phase.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, an independent security review is conducted by certified professionals to look for any security vulnerabilities in order to solve them before deploying to production.

Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Yes, our products comply with industry benchmarks and standards for Software Development Life-cycle (SDLC) security, and the same standards are expected of our software suppliers.

Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Yes, changes to the production environment are documented, tested, and approved prior to implementation. Production software and hardware changes may include applications, systems, databases, and network devices requiring patches, service packs, and other updates and modifications. Any change in tenants' roles, rights, or responsibilities within the change management process shall be documented.

Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?

We have a consistent and unified framework for business continuity planning, disaster recovery, and plan development. All appropriate communications shall be established, documented, and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g. fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility service outages, etc.).

Do you provide tenants with geographically resilient hosting options?

Our hosting options are limited to Xoxoday's jurisdiction and are backed by business continuity plans. Hence, we do not provide geographically diverse hosting options.

Do you provide tenants with infrastructure service failover capability to other providers?

No, infrastructure service failover to other providers is not provided to clients.

Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?

Business continuity plans shall be subject to test at least annually or upon significant organizational or environmental changes to ensure continuing effectiveness.

Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?

Along with an aligned enterprise-wide framework, we perform independent reviews through industry professionals, together with formal risk assessments. These are done at least annually or at planned intervals to determine the likelihood and impact of all identified risks, using qualitative and quantitative methods to confirm our compliance with policies, procedures, and standards.

Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Yes, penetration tests of the cloud service infrastructure are conducted annually, as prescribed by industry standards.

Do you perform annual audits (internal and external) and are the results available to tenants upon request?

Annual audits are performed both internally and externally. The audit results can be sent to tenants upon request.

Are the results of the penetration tests available to tenants at their request?

Yes, tenants can request the penetration test reports and receive them from our end.

Are you storing, transmitting, and/or processing payment card data on behalf of our organization?

No. Payment card data is handled only for billing purposes and is not processed for any other reason.

Can you prove that you are compliant for: Indian IT Act 2000?

Yes, we are compliant with the Indian IT Act of 2000.

Is there a formal process that details the transition of data from unsupported systems and applications to supported systems and applications?

There is no such process available from our end.

What will you deliver back to us on the end of service?

We will terminate the contract as per the applicable rules and statutes. Your data will remain stored with us and is not returned to you. However, if the tenant wants the data to be erased, this can be done upon request.

Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?

Yes. We store only the data required for rewards and recognition, such as employees' names, email addresses, and employee numbers, which are used for verification and rewarding purposes, and we conduct regular audits of this data to ensure its safety.

Do you have a dedicated information/cyber security team responsible for information security governance across the organization?

Xoxoday's information and cyber-security team keeps a watchful eye on all potential sources of threats and areas of compromise when it comes to information security.

Have you defined the information security roles and responsibilities?

Yes, information security roles and responsibilities are formally defined so that all operations are aligned with security requirements and security breaches are prevented.

Do you have an acceptable usage policy which is signed/agreed by all employees on annual basis?

Employees must agree to the acceptable usage policy for peripherals and devices, to prevent malicious activity from inside and outside the organization.

Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenant?

Our environment has all the capabilities to be SOC-2 Type-II compliant but the certification is yet to come through. It shall be updated soon.

Is your environment CSA-certified for the scope of the service being offered to tenant?

No, our environment is not CSA-certified.

Are all relevant legislative, statutory, regulatory and contractual security requirements identified, documented and tracked?

Xoxoday identifies and tracks all security requirements arising from legislation, statutes, regulations, and contracts, and documents them at every step.

Are appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

We have our own procedure for the control of documents and records that ensures compliance related to intellectual property rights and the use of proprietary software. Our records management criteria cover all legislative, regulatory, contractual, and business requirements.

Do you monitor effectiveness of cyber security controls through regular metrics?

Yes, Xoxoday tracks a set of metrics for its cyber-security controls and monitors their effectiveness regularly.

Do you have an approved HR Policy document?

Yes, Xoxoday's Human Resource operating procedure is approved and takes all measures for employee confidentiality into consideration.

Are your employees screened before joining the organization? Are they bound to keep security of information intact even after their employment contract has ended?

Yes, Xoxoday performs a thorough background check on every employee before they are onboarded. A Non-Disclosure Agreement ensures that information remains protected even after the employment contract has ended.

Do you take services from any third party which directly or indirectly impacts services given to tenant or Client of tenant?

Yes, our Xoxoday Store vouchers are procured from third-party vendors. These vouchers are shared with tenants so they can be showcased to users of the Xoxoday platform.

Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?

No, the third parties and vendors we deal with are confidential to Xoxoday. Hence, this list cannot be shared.

Do you have a Third Party Security Policy?

Yes, there's a third-party security policy present to safeguard the interests of Xoxoday's tenants as well as the end users.

Do you regularly monitor the third party's compliance with security obligations?

Yes, our third-party security policy requires third parties to comply with their security obligations, and we monitor their compliance regularly.

Is there a process to address any risk that may occur due to change of services being provided to the tenant?

Yes, we have a detailed risk management procedure in place to address risks arising from situations such as a change in the services being provided to tenants.

Do you permit the use of contractors in roles supporting customer operations?

No, customer requests are handled by Xoxoday's own customer support team; contractors are not used in roles supporting customer operations.

Do you have subscription to brand protection services?

Yes, Xoxoday's brand protection service addresses malicious impersonation and misuse of the brand, and such issues are dealt with promptly.

Do you monitor media platforms as well for brand protection?

Yes. Since media platforms are the largest channel for information sharing, we monitor them for brand protection issues.

Do you have the capability to detect/prevent unauthorized or anomalous behavior based on network traffic and host activity?

Yes. In the event of a rapid spike or drop in network traffic or host activity, Xoxoday analyzes the traffic to detect and prevent unauthorized or anomalous behavior.

Do you have mandatory and regular privacy training and awareness module?

Yes. To ensure the security of data, we have a mandatory, regularly scheduled privacy training and awareness module.

What is CSA?

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Did you list your organization for the CSA STAR Level 1 self-assessment?

Yes. Please visit the following link to view the registry entry: https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday

What are the important features of CSA STAR Level 1?

CSA STAR Level 1 (self-assessment) is intended for organizations that are:

  • Operating in a low-risk environment

  • Wanting to offer increased transparency around the security controls they have in place

  • Looking for a cost-effective way to improve trust and transparency

Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?

Yes. This is ensured through our code review, static code analysis, and Web Application Firewall.

Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?

Yes, we comply with these requirements. Our cloud service provider (CSP), Amazon Web Services (AWS), provides these physical security controls for the data centers hosting our services.

Do you use Production data in a non-production environment?

No. Production data shall not be replicated or used in non-production environments; we do not use live data in any other environment. We comply with this requirement.

Do you obtain prior authorization before the relocation or transfer of hardware, software, or data to an offsite premises?

Yes. We obtain prior authorization from the responsible authority, as per the Media Protection procedure, before any relocation or transfer of hardware, software, or data to an offsite premises.

Do you have a documented application validation process to test for mobile device, operating system, and application compatibility issues?

Yes. As per our Mobile Security Compatibility compliance requirements, we have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) is a state-wide data privacy law that amends and expands the existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA, strengthening data privacy rights for California residents, tightening business obligations, and establishing the California Privacy Protection Agency (CPPA) as the lead enforcement and supervisory body.

Is Xoxoday compliant with California Privacy Rights Act (CPRA)?

Yes. We are compliant with the CPRA, and our solution will continue to offer full compliance with the new and updated data privacy regime.

Do you provide rights to the consumers with regards to the data processing as per California Privacy Rights Act (CPRA)?

Yes. We support our consumers to exercise their rights as per the CPRA.

Did you implement all the CPRA Privacy controls as per the compliance requirements?

Yes. We have implemented all the privacy controls and audited the same with the help of external Auditors.

Do you make the CPRA Attestation report available for the customers?

Yes. Please reach out to our sales representative/Xoxoday POC to have access to the CPRA report.

Do you collect any data from California citizens who are not 18 years old?

No. We do not collect any data from users under 18 years of age, in California or anywhere else in the world.

Can the data subject authorize an agent (an “Authorized Agent”) to exercise their rights?

Yes. The data subject can authorize an agent (an "Authorized Agent") to exercise their rights. To do this, the data subject must provide the Authorized Agent with written permission, and we may request a copy of this written permission from the Authorized Agent when they make a request to exercise those rights.

How can we submit our request to exercise our Rights Under the CCPA/CPRA?

You may submit a Valid Request by emailing cs@xoxoday.com.

Do you sell, rent, or share Personal Data with third parties outside of our company?

No. We do not sell, rent, or share Personal Data with third parties outside of our company. Personal Data may, however, be disclosed where we are required to do so by applicable privacy laws.

What is SOC 2 compliance?

SOC 2 is part of the AICPA Service Organization Control reporting framework. The goal of a SOC 2 report is to evaluate an organization's internal controls around security, availability, processing integrity, confidentiality, and privacy.

What are SOC 2 requirements?

SOC 2 was developed by the American Institute of CPAs (AICPA). It defines criteria for managing customer data based on five "trust services criteria": security, availability, processing integrity, confidentiality, and privacy.

Is Xoxoday SOC 2 certified?

Yes. Xoxoday is a SOC 2 certified organization. We have implemented all the required SOC 2 controls and had them audited by Certified Public Accountants (CPAs).

Is your cloud computing platform (AWS) SOC 2 Compliant?

Yes. Amazon Web Services (AWS) has SOC 1, SOC 2, and SOC 3 reports. These reports detail the AWS control environment and the controls implemented against the AICPA Trust Services Criteria (TSC), and can be leveraged as part of a cloud customer's security program. The AWS services in SOC scope are audited periodically against the SOC reporting framework.

How do I request the SOC 2 report from Xoxoday?

You may reach out to our sales representative or your Xoxoday point of contact to obtain access to the SOC 2 report.

Who performs the independent third-party audit of Xoxoday for the SOC Report?

Laika Compliance LLC performs the SOC 2 audit for Xoxoday.

How long is a SOC 2 report valid?

The SOC 2 Type I report is considered valid for one year following the date on which it was issued.

Is SOC 2 an international standard?

Yes. SOC 2 is an internationally recognized standard. A SOC 2 report is the result of an independent audit by a third-party CPA firm.

Do you conduct a SOC 2 audit every year?

Yes. We do conduct the SOC 2 Audit on an annual basis.

Were all applicable compliance requirements and controls audited during the SOC 2 attestation process?

Yes. The auditor validated and tested all applicable SOC 2 controls as per the compliance requirements.

Do you process Protected Health Information (PHI)?

No. We do not process (collect or store) Protected Health Information (PHI).

Is Xoxoday compliant with the Health Insurance Portability and Accountability Act (HIPAA)?

Yes. Xoxoday is compliant with the Health Insurance Portability and Accountability Act (HIPAA).

Do you make the HIPAA Audit report available for the customers?

Yes. Please reach out to our sales representative/Xoxoday POC to have access to the HIPAA Audit report.

Do you have the process in place for providing Access Rights to the data subject as per EU GDPR?

Yes. We have implemented a Data Subject Access Rights Procedure to make sure that all data subjects have the opportunity to exercise their rights under the applicable privacy laws.

What method do you use when deleting customer data if requested to do so?

A secure deletion standard such as DoD 5220.22-M ECE is followed, and we provide a certificate confirming that the data was properly sanitized from all computing resources and portable storage media.

Do you have procedures in place for responding to a data subject request that involves a customer’s Personal Data?

Yes. Xoxoday is GDPR compliant. We have implemented a Data Subject Access Rights Procedure as per the GDPR and made all data subject rights available as required by data protection law. This procedure sets out the key steps for handling and responding to requests for access to personal data made by data subjects, their representatives, or other interested parties.

Do you audit your sub-processors to demonstrate their compliance?

Yes. We validate the compliance requirements of each sub-processor and obtain their compliance certificates and audit reports, such as ISO 27001:2013, SOC 2 Type II, ISO 27017, ISO 27701, ISO 27018, and Cloud Security Alliance controls.
