Does Plum follow GDPR?

Plum is GDPR compliant. At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security.

Does Xoxoday have an information security policy and is it communicated and published to all employees, suppliers, and other relevant external parties?

Xoxoday has an information security policy that is published and communicated to all suppliers and employees (including contractors and other relevant external parties).

Xoxoday has ensured that its information security policies establish the direction of the organization and align with leading best practices (e.g., ISO 27001, ISO 22307, COBIT) and with regulatory, federal/state, and international laws where applicable.

Does Xoxoday have a formal established disciplinary or sanction policy for its employees who have violated security policies and controls?

Yes, at Xoxoday we have a formal disciplinary or sanction policy established for employees who have violated security policies and controls. Employees are made aware of the action that may be taken in the event of a violation, and this is stated in the policies and controls. A detailed disciplinary process and policy are also in place.

Does Xoxoday ensure that all projects go through some form of information security assessment?

At Xoxoday, we use JIRA for project management; compliance with the information security policy is mandatory and is followed in all projects.

Every code change is reviewed by the tech lead or architect responsible for the project.

During the review process, the reviewer is responsible for identifying possible security issues.

Does Xoxoday have a mobile device policy?

Yes, Xoxoday has a mobile device policy. At Xoxoday, the mobile device policy takes into account the risks of working with mobile devices in unprotected environments, the controls to be implemented to protect data transmitted to or stored on mobile devices, and much more.

Does Xoxoday have a policy governing information classification and is there a process by which all information can be appropriately classified?

Yes, at Xoxoday we do have an 'Information Security Policy' in place.

Information classification is included in the organization's processes and is consistent and coherent across the organization. Results of classification indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Results of classification are updated in accordance with changes in their value, sensitivity, and criticality throughout their life cycle.

Formal procedures for the secure disposal of media are also established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a formal procedure governing how removable media is disposed of?

Yes, we do have an 'Information Security Policy' in place, and formal procedures for the secure disposal of media are established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information are proportional to the sensitivity of that information.

Does Xoxoday have a process to restrict access to information and application system functions in line with the access control policy?

Our application has role-based access controls, and menus and screens are made accessible accordingly.

What kind of Encryption and Hashing is used at Xoxoday?

AES-256 encryption for PI data. SHA-256 with a unique salt for hashing passwords.

Does Xoxoday have a documented and tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) available? If yes, kindly mention the location where the data would be stored.

Yes, Xoxoday does have a tested Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP); the data would be stored at AWS Singapore.

Is there a process for reporting identified information security weaknesses at Xoxoday, and is this process widely communicated?

Such weaknesses are identified during security audits and VAPT reviews.

Yes, this process is widely communicated to all the employees and stakeholders.

Where systems or applications are developed, are they security tested as part of the development process?

Yes, at Xoxoday we conduct quarterly VAPT.

Are there policies mandating the implementation and assessment of security controls at Xoxoday?

Yes, at Xoxoday we perform quarterly VAPT and have static code analysis via SonarQube.

Do contracts with external parties and agreements within the organization detail the requirements for securing business information in a transfer?

Policies, procedures, and standards have been established and maintained to protect information and physical media in transit, and are referenced in such transfer agreements.

Also, there is a clause on securing business information and protecting confidential information in the NDAs signed by external parties.

Are IS systems subject to audit at Xoxoday, and does the audit process ensure business disruption is minimized?

As part of the ISO audit, IS systems are also audited, and yes, the audit process ensures business disruption is minimized.

Is there a process to risk-assess and react to any new vulnerabilities as they are discovered at Xoxoday?

We have a quarterly VAPT performed on the entire application by a third-party security auditor.

How secure is Plum?

At Xoxoday, we ensure that the data is gathered, stored, and handled with respect to individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. Our employees understand the importance of GDPR and information security. Our controls are put in place based on the data protection impact assessment (DPIA). All personal data is encrypted on Xoxoday.

We take data and security very seriously. We are ISO 27001, GDPR, and SOC compliant. More details about our security and privacy policy are in the links above. You can also find out more about our compliance here.

How does Plum use my information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.

  • To improve our website in order to better serve you.

  • To allow us to better service you in responding to your customer service requests.

  • To ask for ratings and reviews of services or products.

  • To follow up with you after correspondence (live chat, email, or phone inquiries).

Data security and ownership?

We take data and security very seriously. We are ISO 27001, GDPR and SOC compliant. More details about our security and privacy policy are here.

More info below:

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

We ensure that production data is not replicated or used in non-production environments. Production and non-production environments are physically segregated.

A formal privacy management framework is in place.

Yes. We are compliant with CPRA (California Privacy Rights Act), GDPR (General Data Protection Regulation), and HIPAA (Health Insurance Portability and Accountability Act).

Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?

We have implemented the Data Security Policy and the Data Subject Access Rights Procedure.

Does the vendor allow audits by the customer, or by any third parties appointed by the customer, of the below-given nature:

In accordance with Data Protection Laws, we make available to Controller on request, in a timely manner, such information as is necessary to demonstrate compliance by Processor with its obligations under Data Protection Laws. Upon Controller's written request and subject to the confidentiality obligations set forth in the Agreement, we will make available to Controller a copy of Nreach the most recent third-party audits or certifications, as applicable.

Provide a copy of all privacy-related policies and procedures that may apply to the Supplier's handling of Personal Data.

Privacy Policy - https://www.xoxoday.com/privacy-policy. Attached: Data Protection Policy, Data Security Policy, Data Subject Access Rights Procedure, Data Breach Notification Procedure.

Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped privacy data?

Attached: Data Security Policy and Data Subject Access Rights Procedure. Please visit here for the Privacy Policy - https://www.xoxoday.com/privacy-policy

Is your Privacy Notice/Privacy Policy externally available? Please provide us with the URL.

Yes. Please visit - https://www.xoxoday.com/privacy-policy

Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification, or misuse of the organization's IT assets? E.g., front desk duties separated from accounting, data analysts' access separated from IT support, etc.

Yes. Policies, processes, and procedures are implemented to ensure proper segregation of duties. Our roles and job duties are segregated through role-based access to ensure maximum security of tenants' databases.

A copy of your privacy policy and external privacy statement, if they are separate documents.

Attached: the Xoxoday Privacy Policy. Please click here for the external privacy statement - https://www.xoxoday.com/privacy-policy.

Are Records of Processing or an inventory maintained on what personal data is collected/stored/processed/managed on behalf of Infosys?

Yes. We maintain the records as per the data privacy compliance requirements.

Do you maintain a list of all individuals having access to Personal Data, and do you regularly review it (whether it is electronic data, hard-copy data, etc.)?

Yes. We maintain the list as per the privacy laws and review it. We provide access only to authorised individuals as per role-based access and the access control policy.

Do you follow privacy guidance when collecting, storing, or processing Personal Data via electronic, audio, visual, or print media?

Yes. We follow the privacy guidelines when collecting, storing, or processing Personal Data via electronic, audio, visual, or print media. We comply with these requirements.

Do you routinely access/review/monitor your organization's measures to meet the objectives of the privacy commitment when Personal Data of Infosys is collected/stored/processed as part of the service engagement?

We have a review and monitoring mechanism to make sure that only authorised individuals have access and that the objectives of the privacy commitments are met.

Are your employees and subcontractors given regular and formal privacy training? If yes, what is the frequency of training?

Yes. We provide them with information security and privacy training. The training is given once a year and as soon as they are onboarded.

Do you confirm compliance with applicable data privacy clauses in your contract executed with Infosys?

Yes. We have applicable data privacy clauses in the contracts.

Do you develop and maintain an agreed-upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?

We continuously monitor the efficiency and effectiveness of implemented security controls during internal and external audits.