We take security very seriously

Backup

All data is stored on Microsoft Azure which has a 99.9% up-time SLA. Data is transactionally backed up every 5 minutes and each backup is stored for 35 days. This includes access logs.

Encryption

Xakia supports and implements encryption at rest of customer data using 256- bit AES encryption.

All communications between Xakia services are encrypted using industry standard HTTPS. This ensures that all traffic between you and Xakia, including email notifications, is secure during transit. Data in transit is encrypted using TLS 1.2.

Processing

Data is stored with our cloud provider, Microsoft Azure. It is only processed for the purpose of providing the service. No other information, personal or otherwise, is processed by a third-party.

Realtime monitoring and alerts

Azure monitors major application data flow ingress and egress points with Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when incidents and values exceed predetermined thresholds and uses regularly updated signatures based on new threats.

Application vulnerability scanning

Xakia uses a combination of Azure monitor and Azure Security Center for managing our security.

Penetration testing

In addition to our extensive internal scanning and testing program, and external on-going scanning, Xakia employs third-party security experts to perform a broad penetration test across the Xakia application on a semi-annual basis.

Third-party penetration is conducted following the CREST standard for information security testers. The Organisation and its employees are approved and certified by CREST.

ISO 27001: Information security management system audits

We conduct periodic internal audits of our infrastructure and procedures ensure we remain compliant with our internal policies and ISO 27001 requirements.

Additionally, we have an annual audit from a third party to ensure the same and validate our ISO 27001 certification and associated Information Security Management System.

Training and process

Testing and staging environments are separated physically and logically from the production environment. No client data is used in the development or test environments.

At least annually, engineers participate in secure code training. This training covers OWASP Top 10 security flaws, common attack vectors, and Xakia security controls.

We utilize framework security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

Environments

Testing and staging environments are separated physically and logically from the production environment. No client data is used in the development or test environments.

Access

In accordance with our Asset Classification Policy, any changes or additions to access permissions are approved by the asset owner on a need-to-access basis. A record of asset access covering all employees is kept. Access levels are only granted if it is necessary to perform on-going employment responsibilities.

Xakia uses a range of stringent enforced password policies, multifactor authentication, and SSO for any employee access to confidential information.

Background checks

Xakia performs background checks on all new employees in accordance with local laws. The background check includes Criminal, Education, and Employment verification.