Security

Protecting your data and our services is our top priority. The availability, confidentiality, and integrity of your data is of utmost importance to your business, and to Xirocco. We use multiple safeguards to protect this information and are constantly monitoring and improving our products and services.

Our datacentre

Xirocco hosts our applications and your data with Amazon Web Services (AWS) , an industry leader providing highly scalable, secure cloud platform computing platform. Here are some resources from AWS with additional context:

Physical security

AWS has state of the art datacentres where physical access is strictly controlled by professional security staff using a combination of video surveillance, intrusion detection systems, multiple sets of two-factor authentication and other electronic means. Only authorized personnel with legitimate business needs are granted access to the data centres. All physical access to datacentres by AWS employees is logged and audited routinely and all visitors require ID and are escorted by authorized staff.

AWS maintains and continues to enhance their SOC reports, certifications, including SOC, PCI, ISO and many more. Additional details are maintained on the AWS Compliance section of their website.

Environmental security

Every datacentre has automatic fire detection and suppression equipment. They have fully redundant electrical power systems that are maintainable without impact to operations 24x7 and have UPS and back-up generators in case of electrical failure for critical and essential loads.

Climate and temperature are precisely controlled by personnel and systems to ensure optimal performance of servers and other hardware.

All systems and equipment are monitored and receive preventative maintenance to maintain continued operability of equipment.

Business continuity management

Amazon’s infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Datacentre Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Core applications are deployed in an N+1 configuration, so that in the event of a datacentre failure, there is sufficient capacity to enable traffic to be load balanced to the remaining sites.

Xirocco deploys into multiple Availability Zones to ensure that Xirocco can continue to function in the loss of an Amazon datacentre.

Secure transmission and sessions

Connection to the Xirocco products and services environment is through secure socket layer/transport layer security (SSL/TLS), using strong encryption and authentication (TLS 1.2 with SHA256, certificate, 128-bit keys), to ensure that your users have a secure connection from their browsers to our services. Sessions are terminated implicitly by a user sign out event.

Customer data on our AWS servers is encrypted using …… and is decrypted on user access, ensuring data can only be accessed through the application after requisite authorisation criteria have been satisfied.

Access controls

User IDs and passwords are both set by the user. Xirocco uses a more secure login process for users with Two-Factor Authentication (or 2FA). Two-Factor Authentication is an extra layer of security that requires users to submit not only the username and password, but also an additional piece of information that can only be known to the user. This additional layer of security aims to further minimise risk and protect businesses from an online security breach. Password strength is enforced and encrypted. Within the application, role-based access rights can be assigned, allowing control over what a user can see and use. The application also maintains a detailed event log, capturing items such as authentication, asset creation, deletion, and modification.

Servers do not use passwords and require 2048-bit SSH-2 RSA keys to provide direct access to the box. All keys are unique to individual administrators or service accounts and are not shared. Network level firewalls prevent unauthorized traffic from reaching servers in the datacentre.

Backups

All data is backed up using daily and weekly images. Master/slave replication additionally ensures that database backups are hot-swappable. Backups and replications are not transported off site but are stored in different Amazon datacentres from the Xirocco application to ensure that they can be recovered in case of loss of the primary datacentre.

Code testing and assessments

Xirocco tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party vulnerability testing has also been performed by InteliSecure .

Security monitoring

To identify and manage threats, our team monitors notifications from various sources and alerts from internal systems.

Antivirus

Xirocco deploys, operates and maintains up-to-date effective anti-virus software on all computer systems that are liable to attack from malicious software. Through contractual policies, Xirocco mandates all third parties it works with to maintain a comparable level of virus protection.

Phising/Spam

Xirocco uses Office 365 Exchange email with connection and spam filtering. Office 365 uses a defense-in-depth approach to provide industry-leading security for their datacenters and customer data. They also give us enterprise-grade user and administrative controls to further secure our IT environment.