Information Security

The trust placed in Xakia by our customers to protect their data is not something we take lightly. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer and business data is always protected.

Data Protection

Backup All data is stored on Microsoft Azure, which has a 99.9% up-time SLA. Data is transactionally backed up every 5 minutes and each backup is stored for 35 days. This includes access logs.

Encryption Xakia supports and implements encryption at rest of customer data using 256-bit AES encryption.

All communications between Xakia services are encrypted using industry standard HTTPS. This ensures that all traffic between you and Xakia, including email notifications, is secure during transit. Data in transit is encrypted using TLS 1.2.

Processing Data is stored with our cloud provider, Microsoft Azure. It is only processed for the purpose of providing the service. No other information, personal or otherwise, is processed by a third-party.

Authentication Xakia follows secure credential storage best practices and has government-level password requirements for users.

Xakia can be configured to only allow access from specific IP address ranges you define.

Xakia supports Single Sign On using OpenID Connect (OIDC).

Xakia supports Multifactor authentication.

Ownership Data remains the property of our customers at all times.

Application Security

Real-time Monitoring and Alerts Azure monitors major application data flow ingress and egress points with Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when incidents and values exceed predetermined thresholds, and they use regularly updated signatures based on new threats.

Application Vulnerability Scanning Xakia uses a combination of Azure Monitor and Azure Security Center to manage our security.

Audits

Penetration Testing In addition to our extensive internal scanning and testing program, and external ongoing scanning, Xakia employs third-party security experts to perform a broad penetration test across the Xakia application on a semi-annual basis.

Third-party penetration testing is conducted following the CREST standard for information security testers. The organisation and its employees are approved and certified by CREST.

ISO 27001: Information Security Management System Audits We conduct periodic internal audits of our infrastructure and procedures in order to ensure we remain compliant with our internal policies and ISO 27001 requirements.

Additionally, we have an annual audit from a third party to ensure the same, and validate our ISO 27001 certification and associated Information Security Management System.

Secure Development

Training and Process At least annually, engineers participate in secure code training. This training covers OWASP Top 10 security flaws, common attack vectors, and Xakia security controls.

We utilize framework security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

Environments Testing and staging environments are separated physically and logically from the production environment. No customer data is used in the development or test environments.

Automation Testing Xakia has implemented automation testing in the development pipeline, prior to production deployment.

Source Code and Version Control Access control to program source code is provided by Azure DevOps. Developers are granted access only to the repositories required to perform their specific responsibilities, in accordance with our access policy.

Human Resource Security

Access In accordance with our Asset Classification Policy, any changes or additions to access permissions are approved by the asset owner on a need-to-access basis. A record of asset access covering all employees is kept. Access levels are only granted if they are necessary to perform ongoing employment responsibilities.

Xakia uses a range of stringently enforced password policies, multifactor authentication, and SSO for any employee access to confidential information.

Background Checks Xakia performs background checks on all new employees in accordance with local laws. The background check includes criminal, education, and employment verification.

Confidentiality All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality clauses as part of their employment agreements.

Security Awareness All new employees attend Security Awareness Training, and the Security Team provides security awareness updates via email, blog posts, and presentations during internal events. All Xakia employees complete quarterly information security training reviews, or sooner if major changes to our ISMS require employee education.

Quarterly internal audits and annual external (third-party) audits are conducted to ensure policies and procedures for information security are being followed by all employees.