Cryptography and Encryption
For data in transit, do you leverage encryption to protect data during transport across and between networks instances including services like SSH, HTTPS, etc.?
"Yes, we use AES 256-bit encryption. All the network communication for network communication is encrypted with the industry standards. Note - Please provide supporting documentation defining encryption standards and technologies."
Do you encrypt data at rest?
All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment.
Do you segregate multi-tenant data using encryption?
Yes, the data is segregated with a client-specific key for proper handling and representation.
Do you provide native encryption capability for sensitive data fields? If so, are there any limits on the number of fields?
Yes, there's a native encryption capability when it comes to sensitive data fields. As each field is equally intricate, there are no limits to such fields.
Do you have controls in place to ensure User IDs and passwords are transmitted in an encrypted format?
User IDs and passwords must transmit through stringent checks in an encrypted format that complies with the current Technical Security Baseline Standards.
Are passwords stored in an encrypted or a single, one-way hash?
The passwords are stored after encryption for maximum security of data.
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
"Yes, our policies and procedures are established as per implemented mechanisms for secure disposal and removal of data from every storage media. By this, it rests assured that the data can't be recovered by any computer forensic means. We assure secure data disposal when storage is decommissioned or when the contract comes to an end."
Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
"Please refer ""Do you support secure deletion of data?"" for an explanation. As for the procedure, here's the protocol that we follow:
-
Storage Period would be as per regulatory conditions.
-
Personal data can be deleted based on a formal written request, with justification.
-
Xoxoday would delete the data within 30 days of receiving the request.
Do you allow tenants to use their own certificates?
No, users must use certificates from Xoxoday. They are benchmarked as per the best industry standards to ensure complete encryption of data.
Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
No, open encryption has proven to show cracks and bruises and that's why we only equip data traversing public networks with industrial standards to ensure protection from fraud, unauthorized disclosure, modification, or compromise of data.
Are TCCC-approved technologies used to transfer personal data? (Other than e-mail)
Yes, personal data is to be transmitted using firmly approved encrypted systems and in no way is it to be transmitted via email.
Are virtual images hardened by default to protect them from unauthorized access?
Yes, the hardened images are secure from any malicious leak or unauthorized access. These hardened images do not contain any authentication credentials.
Do you support end-to-end encryption of tenants' data in transit across all security zones?
Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security.
Do you allow your tenant to manage all cryptographic keys (e.g., data encryption, SSL certificates) for sensitive data?
No, the cryptographic keys, including data encryption and SSL certificates are managed by Xoxoday for optimal security of sensitive data.
Do you support end-to-end encryption of tenants' data in transit across all security zones?
Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security.
Do you allow your tenant to manage all cryptographic keys (e.g., data encryption, SSL certificates) for sensitive data?
No, the cryptographic keys, including data encryption and SSL certificates are managed by Xoxoday for optimal security of sensitive data.
More info below:
| Questions | Answers |
|---|---|
| Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to customers in order for them to protect their data if it is required to move through public networks (e.g., the Internet)? | We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security |
| Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data? | Yes. We have implemented the Information Classification Policy |
| Do you have key management policies binding keys to identifiable owners? | We use a split key mechanism to ensure that every client's key is unique. • We perform annual key rotation. • Keys are generated using KMS service whenever needed. • We store keys in KMS. Attached the Encryption policy Name of the folder - EN01 Encryption policy |
| Do you have a capability to allow creation of unique encryption keys per customer? | Every client's key is unique. |
| Do you have documented ownership for each stage of the lifecycle of encryption keys? | Yes. Our tech team manages this. |
| Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? | We have encrypted the data while in transit and at rest.We use TLS1.2 encryption for Data at transit and AES256 Data at rest. |
| Do you store encryption keys in the cloud? | We store keys in KMS. |
| Does the organisation encrypt its backups? | Yes. Backup data is also encrypted. |
| Is the customer data always encrypted in transit? | The data in transit will be always be encrypted. |
| Are attachments sent being encrypted or password protected before sending? If yes, describe the encryption method | Yes. We use google workspace and all the conversations are TLS encrypted. |
| Are the user access passwords displayed / stored / transmitted in clear text over the network? | Passwords are encrypted all the time. |
| -Is the connectivity between the vendor and the customer with strong encryption? -What is the organizations minimum standard for the protection of sensitive information? (DES, 3DES, AES-128, AES-256, etc) | We use logical data isolation with the help of company specific encryption keys. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256. |
| Is the back up media password protected or encrypted as per requirement of vendor policy or as per the customer requirement? | Backup, passwords are protected. We use encryption. |
| If the customer data is stored in shared environment, what are the security controls in place to segregate the the customer data from other tenants’ data? | We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. our network environment is designed and configured to restrict any communication and connection between the tenant's environment. |
| If the customer data is stored in shared environment, what are the security controls in place to segregate the the customer data from other tenants’ data? | We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. our network environment is designed and configured to restrict any communication and connection between the tenant's environment. |
| What control measures are in place at CSP end to prevent, detect and react to breaches including data leakage and how CSP will demonstrate the same? | We have a multi-layered network architecture with role-based access control. All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. |
| Are the the customer’s data encrypted while stored and transmitted? And what encryption protocol or keys are currently being used ? | We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. |
| Have you deployed any encryption mechanism (data in transit) to secure data in motion on communication links ? | We use TLS1.3 encryption for Data at transit |
| Are Systems handling BSLI data on a separate Nework segment segregated from other clients ? | We logically segregate the tenant's data, and it is segregated with a client-specific key for proper handling and security reasons. We use TLS1.3 encryption while data in transit and AES256 while data at rest |
| How does the Vendor ensure compartmentalization of the customer data to prevent unauthorized access to the customer data from other customers / employees of Vendor. | Yes, our logic to physically separate tenant systems is made possible by assigning each tenant's data a client-specific key that is uniquely encrypted for maximum security. We use TLS1.3 encryption while data in transit and AES256 while data at rest |
| For all critical applications, application should have TLS implemented for protection of Data in transit. Guidelines from Informtion Security Team to be taken on approved Cryptographic solutions and algorithms in force | We use logical data isolation with the help of company specific encryption keys. All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| PII or Sensitive information should be visible only to authorized users and only to the extent needed to perform activities | By default the users will not have access to our customer information or PII. These PII or Sensitive information will be visible only to authorized users and only to the extent needed to perform activities. We do not share or transfer any of the customer data with any other parties. We do not provide access to the PII/SPII to any personnel who do not need the access and implemented the role based access control mechanism. |
| Does Supplier you have the ability to encrypt or pseudonymize Personal Data? Please explain. | We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| What type of encryption do you propose (algorithms, protocols, key lengths) for data in transit and data at rest | We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| Describe how you manage unique encryption keys (process, storage, usage, RACI, SOD) for your own use and for each of your tenants | All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest |
| Does the organisation encrypt its backups? | Backup data is also encrypted. |
| Are the backup tested for restoration? | Data backups are done on daily basis and in a secured way on AWS. This has been tested on regular basis. |
| If so, does the application always require encryption? If response is "YES", please submit the type of encryption protocol and algorithm. | We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. |
| Is the data at rest encrypted in the cloud ? Share evidence of the encryption mechanism configuration. | Yes. The data at rest encrypted in the cloud. We use AES256 while data at rest. Attached the evidence. |
| What protocols or technologies are used for applying encryption on data at rest and data in transit (on cloud and on premises)? | We use TLS1.3 encryption while data in transit and AES256 while data at rest |
| How are the encryption keys used secured and protected from unauthorized access ? | Each tenant data is uniquely encrypted using client specific key. We use AES 256 bit encryption for data at rest to ensure maximum security measures. our network communication is encrypted with highly restricted protocols to ensure maximum security. the cryptographic keys, including data encryption and SSL certificates are managed by Xoxoday for optimal security of sensitive data. The passwords are also stored after encryption for maximum security of data |
| Is the communication within the cloud and external to the cloud happens on end to end encryption? Explain | Yes. All the data at rest is encrypted using AES-256-bit standards and all the data in transit encryption is HTTPS with TLS 1.2 |
| How data is stored and handling at Vendor location(whether the the customer data is encrypted, kept in logical segregation location etc). | we logically segregate the tenant's data and the application.Each tenant data is uniquely encrypted using client specific key. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| What are the regulations around indemnity / liability for data privacy breaches? | We are compliant with EU GDPR and CPRA (California Privacy Rights Act) |
| Will (company name here) provide assurance that the solution will protect Htec data from malware and commodity cyber-attack whilst at rest and in transit | We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security As part of Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDOS-type attacks. In addition to that we also have AWS Guard Duty threat detection service that continuously monitors for malicious activity and unauthorized behavior. |
| How do you separate one customer's data from other customers' data? | Our network environment is designed and configured to restrict any communication and connection between the tenant's environment and our corporate network. We use logical data isolation with the help of company-specific encryption keys. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| The PII protection standards met by the cloud service provider. | We are EU GDPR Compliant and CPRA Certified. |
| How do you prevent other clients from accessing our data? | The data isolated between customers. We use logical data isolation with the help of company specific encryption keys. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256 |
| How and where are user IDs and Passwords stored? How are they secured? | The data is stored on AWS and The IDs and passwords are stored after encryption for maximum security of data |
| Do you employ any mechanisms that facilitate secure data exchange? | We also conduct Network layer vulnerability and applicatioin layer vulnerability scan. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256 |
| Is our company's data stored on the Vendor platform encrypted? | Yes. Data is encrypted. |
| If the answer for #2 and #3 is TRUE, what is the key management technique? | ach tenant data is uniquely encrypted using client specific key |
| Does the data transmitted by our company to Vendor involve user privacy? | Yes. We provide importance to user’s privacy. We use AES 256-bit encryption. |
| According to the Cloud computing mode adopted, NSE shall ensure that the either the Cloud Service Provider or NSE itself, shall implement encryption for data in transit and for data at rest for all NSE’s sensitive data & information as per the Cryptography Policy of NSE. | We have a multi-layered network architecture with role-based access control. All the confidential/PI data are encrypted at rest and in transit with a split key mechanism to ensure that every client's key is unique. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. |
| The Cloud Service Provider shall enable NSE to back up its data and information as per the Backup Policy of NSE. | Since we are SAAS product, we maintain backup and restore all the customer data by ourselves. We use AES 256 encryption for data at rest. We have a multi AZ deployment with periodic backup for our DR. |
| How would you ensure that UP data was isolated and safeguarded from other customers? | We use logical data isolation with the help of company specific encryption keys. Data in non production environment is not updated with the production data. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256 |
| Will UP data be encrypted by the Supplier when In transit? | Yes, our network communication is encrypted with highly restricted protocols to ensure maximum security. |
| Will UP data be encrypted by the Supplier when At Rest? | We use AES 256 bit encryption for data at rest to ensure maximum security measures. |
| - If so, how is data anonymization implemented? | Yes. The data anonymization implemented. We have enabled security settings with strong encryption for authentication and transmission. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest |
| - If data anonymization is implemented, how is the anonymized data used within your organization? | Our employees only have access to the data that is necessary for the completion of the business activity which they are involved in. We have role based access system to make sure that only the authorised individual have an access to the required information. |
| Please describe your general rules management in relation to role provisioning, deprovisioning, and recertification. | We review the role provisioning, deprovisioning, and recertification on a periodical basis and also audited by the external auditor. Our IT Team Review an access controls and approve as per the procedure. Any changes in the access levels of the users will be as per the role based logical access. |
| Describe your secrets management strategy:(auth tokens, passwords, API credentials, certificates) | We encrypt our secretes and store them in a private respository and servers. |
| Please describe, how the customer data will be kept logically and/or physically separated from other users’ data? | All the network communication for network communication is encrypted to industry standards. We use logical data isolation with the help of company specific encryption keys. Data in non-production environment is not updated with the production data. We generate separate test data at transit - TLS1.2 encryption, Data at rest - AES256 |
| Will any, or all the customer data be encrypted at rest within the system? If so to what standard its encrypted to? | Yes |
| Software packages from vendors and third parties should not be modified. However, if modification is necessary, it shall be limited to necessary changes and all changes shall be strictly controlled and documented. | We do very limited modification or changes wherever necessary. |
| A Cryptographic Key Management programme shall be established for Key Management through their whole lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys. | We have implemented the Encryption policy. We have defined generation, storage, archival, retrieval, distribution, retirement and destruction of keys. Attached the Encryption policy. |
| All documentation and materials related to cryptography shall be classified by default as Sensitive and inherits the information asset’s classification if it is a higher classification, protected accordingly and be made available only on a need-to-know basis. | All information are classified as Restricted and encrypted. |
| Cryptographic keys shall be protected against tampering and destruction, and private keys must be protected from unauthorised disclosure, both in storage and transfer. | The data is segregated with a client-specific key for proper handling and representation. |
| Account credentials, sensitive information on databases and backups that require confidentiality and/or integrity shall be encrypted using strong encryption algorithms. | All the data including the account credentials, Backup data are encrypted in transit and at rest. |
| Enable the use of encryption for administration of network devices within the customer environment. | All the the customer data stored on our application also be encrypted for maximum security. |
| Proper security controls (e.g. hashing, digital signatures and cryptography) shall be adopted to ensure authenticity and/or integrity of messages during their transmission. Implement alternative controls where an asset cannot support transmission authenticity and/or integrity and document the controls and justification for those alternative countermeasures. | We have implemented the security controls. We use TLS1.3 encryption for Data at transit and AES256 Data at rest for maximum security.We store password hashed. We have SHA512 hash with unique salt for every password |
| Multiple layer strategy involving two, or more, different overlapping security mechanisms, a technique known as defence-in-depth shall be followed so that the impact of a failure in any one mechanism is minimised. | We make sure that we follow the Industry best practices and security standard to make sure that we secure the information asset. |
| Backups shall be encrypted and securely (physically and logically) retained at a centralised location in addition to two site local copies. | Backup is encrypted and stored on cloud. |
| The customer data or systems shall be segregated securely from other customers on infrastructure (network devices, server or database, etc.). | We use logical data isolation with the help of company specific encryption keys |
| Can evidence be provided of the processes that are implemented to guarantee the confidentiality of information, including a description of how our data is separated from other customer's data, and what controls are in place to prevent other customers from viewing our data? | We use logical data isolation with the help of company specific encryption keys. We generate separate test data Data at transit - TLS1.2 encryption, Data at rest - AES256. We have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data. our network environment is designed and configured to restrict any communication and connection between the tenant's environment. |
| Does a process exist to identify new laws and regulations with IT security implications?(e.g., new state breach notification requirements)? i.e. Monitoring newsletters, Webinars, security or regulatory forums etc | Yes. We comply with all the applicable new laws and regulations. We also have a service provider who helps us with regards to Information security, compliance and certifications etc.. We have identified the upcoming CPRA and implemented the controls and achieved the CPRA Attestation with the help of the external auditor. Attached the CPRA Attestation report. |
| Is there multiple choices of secure communications protocols/methods supported by the solution (front & back office data communication)? List them, (for both proprietary and/or if third party software needed). | Yes. The communications are secure. We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. |
| Please specify other Encryption/Decryption Algorithms? | We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. We store password hashed. We have HA512 hash with unique salt for every password |
| Does solution provide/support data transformation (between different data formats)? | Yes. We use encrypted channel |
| Does your solution provide the Triple DES algorithms (provided by security module)? | Yes |
| Does your solution provide the RC4 algorithms (provided by security module)? | We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. We store password hashed. We have HA512 hash with unique salt for every password |
| Is the data hosted in a multi-tenanted environment? Can corporate data be accessed by other clients of the service provider? How is our data segregated from other tenants’ data? | Each tenant data is uniquely encrypted using a client specific key. All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment Corporate data cannot be accessed by other clients of the service provider |
| Is our data encrypted during transmission, at rest (database and storage), and at backup or off-line storage? | Data is encrypted during transmission, at rest (database and storage), and at backup We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. |
| Is customer information on desktop/ laptop/ servers encrypted? What Encryption standard is used? If yes please explain and share evidence? | We use TLS1.2 encryption for Data in transit and AES256 for Data at rest. Additionally, we have an intrusion detection/monitoring application that alerts on unauthorized access. Attached the Encryption Policy. |
| Do you have the ability to logically segment or encrypt customer data such that, in the event of subpoena, data may be produced for a single tenant only, without inadvertently accessing another tenant's data? | We have the ability to logically segment or encrypt customer data. our network environment is designed and configured to restrict any communication and connection between the tenant's environment and our corporate network.our logic to physically separate tenant systems is made possible by assigning each tenant's data a client-specific key that is uniquely encrypted for maximum security. |
| Type of encryption (field-level, disk-level, etc.) | We do field level encryption for PII and user generated content. This encryption has a unique encryption key for each client. In addition we also do disk level encryption for the entire stored data. |
| The information system protects the confidentiality and integrity of the information at rest in accordance with PSJH's policies and information classification and protection requirements. The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest on information system components of PSJH. Public access to online storage is not permitted, exceptions must be reviewed by EIS Security Architecture & IRCA teams. Implement controls to protect temporary or cached data and remove it after use. | We have implements cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest. We use AES 256 bit encryption for data at rest to ensure maximum security measures. Attached the encryption policy. |
| Prevent applications from storing sensitive data in log files. | Sensitive data is encrypted and not stored in logs. Compliant. |
| Cryptographic keys in memory must be protected by best possible options available in the development framework. eg., use Trusted Platform Module, ProtectedMemory options | Cryptographic keys are protected. Compliant. |
| Cryptographic keys must be managed by Providence & stored in a centralized location (eg., Azure Key Vault managed by Providence). | The cryptographic keys, including data encryption and SSL certificates, are managed by Xoxoday for optimal security of sensitive data. Each tenant's data is uniquely encrypted using client specific key. |
| Leverage Tokenization: A special form of data masking where the algorithm used to mask the data is maintained so the information can be later restored to its original value. For instance, information stored that must later be recovered for disaster recovery purposes or when information must pass through untrusted domains between business operations. | NA. We do not store any other Sensitive personal information. The PII(name, email ID, phone#) are encrypted. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| System backups are to be encrypted. | The application and system backup data is encrypted |
| Message encryption and digital signing must be configured to ensure the message confidentiality and integrity are maintained during transit. | We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| All default test, sample or backup files including scripts, configuration files and web pages, etc. must be removed from the production server. Prior opening up the production application for consumption. | The back up data is encrypted and only authorised individuals will have access. Test data and backup data is seperated from the production servers. |
| Detail out the application workflow describing the communication happening between all the components including the protocols involved w.r.t. the services being provided to Infosys | There is no integration with Infosys services/systems. The network Architecture diagram has been shared to show the TLS communication. |
| How is cryptographic key management performed within the organization. Please elaborate the security controls implemented around this process. | "Yes, we use AES 256-bit encryption. All the network communication for network communication is encrypted with the industry standards All data volume is encrypted with AES 256-bit encryption to prevent any external snooping or unauthorized access in the multi-tenant environment |
| Is database encrypted as per the encryption policy? | We have encrypted the data while in transit and at rest. We use TLS1.2 encryption for Data at transit and AES256 Data at rest for maximum security. |
| Is sensitive data masked where required? | All the PII Are encrypted. |
Updated about 1 year ago