Security
Updated September 6, 2022
The Protection and Privacy of Customer Data Is Our #1 Operational Priority.
Security and reliability are key to our customers’ success as well as our own, so it will come as no surprise that we take our commitment to security, data protection and privacy very seriously.
Compliance
Xurrent classifies itself as a data processor with respect to its customers’ data and as a data controller with respect to account data.
Our ISO 27001 and ISO 27018 certifications confirm and ensure that Xurrent has successfully established an ISMS (Information Security Management System) for its SaaS (Software as a Service) offering with all required controls and has also implemented additional safeguards for protecting PII (Personally Identifiable Information) in the cloud.
The System and Organization Controls (SOC) reports demonstrate how Xurrent achieves key compliance controls and objectives and help customers and their auditors understand the controls Xurrent has established to support operations and compliance. Customers can request Xurrent’s latest SOC 2 Type 2 report by submitting a request for this report using the Xurrent services.
Privacy
The robust privacy protection requirements of the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA) are in line with the values of Xurrent. Apart from making sure that the Xurrent organization remains in compliance, Xurrent provides all capabilities needed by customers to make sure that they are able to comply with the GDPR requirements that may apply to their use of the Xurrent services.
For more information on Xurrent’s GDPR commitment, visit GDPR Compliance.
Security
Xurrent built its service from the ground up to be a true SaaS environment in the cloud with Security and Privacy in mind at every step of the development. While we develop and enhance the service on a weekly basis, AWS’ exceptionally flexible, reliable, and secure cloud infrastructure provides us with the ability to store and process all customer data in the processing region of choice. AWS makes abiding by industry and government requirements simple and also ensures the highest standards in data security, privacy and protection. Xurrent and AWS have a comprehensive suite of compliance programs with robust controls in place to manage the service in alignment with security best practices and a variety of IT security and compliance standards.
Security Measures
Confidentiality
Security starts with the people at Xurrent. Xurrent staff members are required to conduct themselves in a manner consistent with Xurrent’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
All staff members undergo appropriate background checks prior to hiring.
All staff members sign a confidentiality agreement outlining their responsibility in protecting customer data.
We continuously train staff members on security best practices, including how to recognize social engineering, phishing scams, and other attacks.
Xurrent maintains your data privacy by allowing only authorized individuals access to information when it is critical to complete tasks for you. Xurrent staff members will not process customer data without authorization.
Internal R&D Processes
Security and privacy are fundamental to the design of the Xurrent services. Security-oriented environments start with high coding standards that guard against attempted security breaches and are accompanied by rigorous code reviews and automated tests with high code coverage. Xurrent relies only on open source software to ensure the code that the Xurrent services depend on is known. Xurrent employs strict development processes and coding standards to ensure that both adhere to security best practices. In addition, Xurrent’s continuous validation and testing platform performs a range of white-box and black-box tests for quality assurance, including regular penetration tests. Xurrent’s processes are implemented and supported with security as a top priority across all system layers, from the physical layer up to the application layer.
Internal Security
4me has no internal office network, which rules out an entire class of security threats often associated with offices and internal networks. Instead, 4me utilizes a zero-trust access model. Key staff members are spread over 3 continents: North America, Europe, and Oceania, ensuring continuity of the business.
Physical Security
All customer data uploaded to the 4me services is always stored within the region selected by the customer, for example the European Economic Area (EEA). 4me does not allow customer data to be stored or transferred anywhere else. 4me has made this choice to ensure adherence to the data protection laws that apply in that region.
All data centers that run the 4me services are secured and monitored 24/7 and physical access to AWS facilities is strictly limited to select AWS staff. No staff of 4me has, nor will be permitted to have, physical access to the AWS facilities.
For more information about AWS Cloud Security, see https://aws.amazon.com/security/.
For more information about AWS Compliance Programs, see https://aws.amazon.com/compliance/.
Although 4me relies solely on AWS to deliver the 4me services, this does not mean 4me is locked into AWS. The 4me services can be transferred easily to any other cloud provider should the need ever arise. This is demonstrated by customers that run the 4me software on their own premises.
Infrastructure Security
The 4me infrastructure is electronically accessible to 4me staff, contractors and any other person as necessary to provide the 4me services. 4me maintains access controls and policies to manage what access is allowed to the 4me infrastructure from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. 4me maintains corrective action and incident response plans to respond to potential security threats.
4me takes all necessary precautions to ensure that every layer involved in data transfer is secured by best-of-breed technologies. Services are based on a minimal, lightweight, security-oriented operating system, which prevents the exploitation of entire classes of zero-day and other vulnerabilities. Additionally, 4me uses techniques that avoid erroneous instance-configuration changes, upgrades and corruption, which are common sources of security breaches.
4me codes and automates its infrastructure. Any infrastructure changes are coded, reviewed, run automatically as code, validated and tested in 4me’s segregated development, staging and QA environments before being deployed to the production environments. This too avoids a whole range of erroneous and ad-hoc infrastructure changes that are common sources of security breaches and unavailability.
Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with security groups. All 4me services run within VPCs with ACLs and additional custom measures. The network is continuously monitored and 4me has various controls in place to trigger security alerts.
All 4me services support the latest email standards for inbound and outbound email, including required TLS encryption, and support for SPF, DKIM and DMARC alignment.
Customer Data Security in Transit and At Rest
The 4me services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. All internal data in transit between services within the 4me infrastructure is protected by TLS v1.3 and the best available cipher suites and protocols.
All customer data is encrypted at rest – including databases, search indexes, files storage, memory caches, log data, backups, and all disks.
4me monitors the changing cryptographic landscape closely and works promptly to upgrade the 4me services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
Access Management
4me has established a password policy with required configurations and expiration intervals for all systems it controls. Passwords must be long and complex and are forced to be changed every 90 days.
No internal server under the control of 4me is accessible with a password. Only key-based authentication is allowed, and those keys are rotated regularly. In addition, multi-factor authentication is required, including at the API level and when working through a command-line interface.
4me segregates all its different environments: development, staging, QA, demo and production. All these environments have no users defined, so no one can access the production environment directly. Access is granted via a role-based system in a bastion account.
Availability & Performance
We are committed to making 4me a highly-available and highly-performant service. See our history at http://status.4me.com/.
Disaster Recovery
Customer data is stored logically across multiple physical locations within the region selected by the customer, protecting the services from loss of connectivity, power infrastructure and other common location-specific failures.
Production transactions are replicated among these discrete locations, to protect the availability of the 4me services in the event of a location-specific catastrophic event. All databases can be restored to a recent point in time.
Multiple daily and weekly backups are created and stored in the primary operating region within the region selected by the customer. Every six months, 4me performs tests to ensure that backups can be correctly restored.
Monitoring
4me gains deep visibility into all API calls and all infrastructure changes including when, what, who and from where calls and changes were made. 4me staff is alerted when specific events occur or thresholds are exceeded. 4me maintains an extensive, centralized encrypted logging environment in all of its environments which contains information pertaining to security, monitoring, availability, access, and other metrics about the 4me services, to help with streamlining the services, investigations and compliance reporting, and to improve the security measures and reduce the risk profile.
Security Incidents
When a breach of security occurs, 4me promptly notifies the affected customers of any unauthorized access to their customer data. 4me has incident management policies and procedures in place to handle such events.
External Audits
4me engages credentialed external auditors to verify the adequacy of its security and privacy measures.
4me engages independent entities to conduct regular application-level and infrastructure-level penetration tests. 4me’s security team reviews and prioritizes the reported findings and tracks them to resolution.
Security Features for 4me Administrators
In addition to the security measures 4me employs for its processes and systems, 4me provides customers capabilities to protect their data.
Audit Trails
4me keeps an audit trail of all changes to customer data, which customers can view. A limited number of 4me support staff can view a limited subset of the audit trail, only to enable them to fulfil their support duties towards customers.
System Logs
4me gives insight into events, particularly access events, happening within a 4me account via a system log that 4me administrators can track and analyze.
Authentication Logs
Detailed authentication logs are available both to 4me users and administrators. 4me logs every access attempt, noting the IP address of the connection.
Role-Based Access
4me supports role-based access through its interface. Customers’ 4me administrators manage and control user access, including the provisioning of new users with a defined access level.
Single Sign-On
A 4me account can be integrated with a wide variety of single sign-on (SSO) providers, such as OneLogin, Okta, Azure, Google Cloud Identity and more, using either the SAML or OpenID Connect protocol.
SCIM provisioning
A 4me account can be provisioned and managed with users, organizations and sites via the 4me SCIM API. SCIM is used by Single Sign-On (SSO) services and identity providers to manage people across a variety of tools.
Multi-Factor Authentication
All users can enable multi-factor authentication to access 4me using hardware security keys, touch ID, and/or authentication apps. Furthermore, administrators can require all users of their organization’s 4me account to activate multi-factor authentication.
Password Policy
A customer’s 4me administrator can define a password policy that all of the customer’s 4me users must adhere to.
Email Policy
A customer’s 4me administrator can ensure that outbound email sent by 4me is in alignment with SPF, DKIM and DMARC policies.
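What "alignment" means in practice is that the domain in the visible From header must match the domain that SPF or DKIM actually authenticated. The following is an added example, not Xurrent/4me code, showing how a receiving mail system evaluates DMARC identifier alignment per RFC 7489 for a constructed set of authentication results. It assumes, as a simplification, that the organisational domain is the last two DNS labels (real evaluators consult the Public Suffix List), and that the DMARC record is already fetched and available as tag=value text.

```python
"""DMARC identifier alignment evaluation (added example, not Xurrent/4me code)."""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels, lower-cased.
    Assumption: a real implementation uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """RFC 7489 alignment: 's' (strict) requires an exact domain match,
    'r' (relaxed) only requires the same organisational domain."""
    if not auth_domain:
        return False  # that mechanism did not pass, so it cannot align
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict.
    aspf/adkim default to relaxed ('r') when absent, as the RFC specifies."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResult:
    header_from: str             # RFC5322.From domain seen by the user
    spf_domain: Optional[str]    # MAIL FROM domain SPF passed for, None if SPF failed
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified, None if none


def dmarc_pass(result: AuthResult, record: str) -> bool:
    """DMARC passes if at least one of SPF or DKIM both passed and aligns."""
    tags = parse_dmarc(record)
    spf_ok = aligned(result.header_from, result.spf_domain, tags["aspf"])
    dkim_ok = aligned(result.header_from, result.dkim_domain, tags["adkim"])
    return spf_ok or dkim_ok


def disposition(result: AuthResult, record: str) -> str:
    """Return 'pass' or the policy (p=) the receiver should apply on failure."""
    if dmarc_pass(result, record):
        return "pass"
    return parse_dmarc(record)["p"]


# Constructed sample: From example.com, SPF passed for a bounce subdomain, no DKIM.
SAMPLE = AuthResult("example.com", "bounce.example.com", None)
RELAXED = "v=DMARC1; p=reject"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    print("relaxed:", disposition(SAMPLE, RELAXED))  # pass
    print("strict: ", disposition(SAMPLE, STRICT))   # reject
```

The sample shows why a DKIM signature with d= equal to the From domain is the robust way to stay aligned: SPF on a bounce subdomain only aligns under relaxed mode, and breaks under strict mode or when a forwarder rewrites the envelope sender.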
Idle Session Timeout
A customer’s 4me administrator can define the idle session timeout duration for the customer’s 4me users.
Malware Detection
All inbound email and all attachments that are uploaded by a customer’s 4me users are checked for viruses, unwanted applications, and other malware.
Whitelist Attachment Extensions
A customer’s 4me account owner has the option to whitelist file extensions to permit files with those extensions to be attached to records in 4me. This allows a customer to make sure 4me’s attachment policy is in line with the customer’s security policies.
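An extension allowlist is only as strong as the way the filename is normalized before the check. The following is an added example, not Xurrent/4me code, of a receiver-side allowlist check that handles the usual edge cases: mixed case, path components, double extensions, trailing dots and spaces, and control characters. The allowed set is constructed for illustration.

```python
"""Attachment extension allowlist check (added example, not Xurrent/4me code)."""

# Constructed allowlist; a real deployment takes this from the account's policy.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "docx", "xlsx", "csv", "txt"}


def normalize_filename(name: str) -> str:
    """Reduce a user-supplied filename to its final path component and
    strip trailing dots and spaces, which several filesystems silently drop."""
    name = name.replace("\\", "/").split("/")[-1]
    return name.strip().rstrip(". ")


def extension_allowed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Return True only if the filename's final extension is on the allowlist."""
    if any(ord(ch) < 32 or ch == "\x7f" for ch in filename):
        return False  # control characters (including NUL) are never legitimate
    name = normalize_filename(filename)
    stem = name.lstrip(".")          # ".htaccess" has no extension, only a hidden name
    if "." not in stem:
        return False                 # no extension at all: reject rather than guess
    ext = stem.rsplit(".", 1)[1].lower()
    return ext in allowed            # only the LAST extension counts


def filter_uploads(filenames):
    """Split a batch of constructed upload names into accepted and rejected."""
    accepted = [f for f in filenames if extension_allowed(f)]
    rejected = [f for f in filenames if not extension_allowed(f)]
    return accepted, rejected


# Constructed sample inputs
SAMPLE_UPLOADS = [
    "Quarterly Report.PDF",     # accepted: case-insensitive match
    "invoice.pdf.exe",          # rejected: final extension is exe
    "notes.exe.",               # rejected: trailing dot does not hide exe
    "archive.tar.gz",           # rejected: gz not on the allowlist
    ".htaccess",                # rejected: hidden file without an extension
    "../../etc/passwd",         # rejected: path stripped, no extension
    "photo.jpg\x00.exe",        # rejected: control character
    "C:\\Users\\me\\scan.png",  # accepted: Windows path reduced to scan.png
]

if __name__ == "__main__":
    ok, bad = filter_uploads(SAMPLE_UPLOADS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The allowlist should be applied in addition to, not instead of, the malware scan described above: an allowed extension says nothing about the file's actual content.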
API Access
Access to the 4me APIs can be limited to a scope that is controlled by the customer. Customers are responsible for ensuring that each access token follows the principle of least privilege, granting access only to the records that are necessary for its legitimate purpose.
OAuth 2.0
Customers can securely integrate their 4me accounts with other applications using the OAuth 2.0 authorization framework. This framework gives customers more control over the scope of the access they give other applications to their 4me accounts.
Webhook Policies
Webhooks are used by 4me customers to keep other applications in sync with their 4me accounts. Customers can add an extra layer of security by dictating a signing algorithm that 4me has to use to sign the payload of outbound webhook requests.
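A signed webhook only adds security if the receiving application actually verifies the signature before acting on the payload. The following is an added example, not Xurrent/4me code, of the receiver side of such a scheme. It assumes an HMAC-SHA256 signature over the raw request body, sent hex-encoded in a header named X-Webhook-Signature; both the algorithm and the header name are assumptions for illustration and are not taken from the page. The shared secret and body are constructed.

```python
"""Receiver-side webhook signature verification (added example, not Xurrent/4me code)."""
import hashlib
import hmac


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Recompute the signature over the exact bytes received and compare
    in constant time, so a wrong guess leaks nothing about the right value."""
    if not header_value:
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, headers: dict, body: bytes):
    """Verify first, parse second: an unverified body is never interpreted."""
    signature = headers.get("X-Webhook-Signature", "")  # assumed header name
    if not verify(secret, body, signature):
        return 401, "invalid signature"
    # Only now is it safe to decode and act on the payload.
    return 200, "accepted"


# Constructed sample: a shared secret and a small JSON payload.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"request.update","id":12345}'

if __name__ == "__main__":
    good = {"X-Webhook-Signature": sign(SECRET, BODY)}
    print(handle_webhook(SECRET, good, BODY))                 # (200, 'accepted')
    print(handle_webhook(SECRET, good, BODY + b" "))          # (401, ...) tampered body
    print(handle_webhook(SECRET, {}, BODY))                   # (401, ...) missing header
```

Two details matter in practice: verify over the raw bytes as received, not over a re-serialized JSON object (re-serialization changes whitespace and key order), and use a constant-time comparison rather than `==`.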
Data Retention
Customers can define a data retention policy for the record types that may contain personally identifiable information (PII).
Anonymization
Persons who request to be forgotten can be anonymized in the 4me services.
Anonymous Login
For organizations to comply with regulations such as the EU Whistleblower Directive, 4me offers the option to allow people to submit requests anonymously (e.g. to report misconduct or wrongdoing).
End User Privacy
Organizations can make sure that people who they support, but who should not be aware of each other in the self-service portal, are not allowed to see or select each other. This will prevent them, for example, from registering requests for each other and from mentioning each other in their requests. This extra privacy setting is typically important for government agencies that support citizens, higher education institutions that support students, as well as retailers that support consumers. It can be activated to prevent the accidental breach of the privacy of people who are grouped in a special organization record or in a separate 4me account.
Return of Customer Data
4me customers own the data they store in the 4me service. Customers are free to export this data at any given time.
Report a Security Vulnerability
4me welcomes any feedback that can help make the 4me services more secure. To report a possible security vulnerability that affects the 4me services, send an email to [email protected].
When reporting a possible security vulnerability, please include a detailed summary of the vulnerability, as this will allow 4me’s support staff to respond more rapidly and effectively. Security vulnerabilities are given priority over any other incidents that may affect the 4me services (even over incidents that affect the availability of the service) and are handled through a separate procedure. Throughout this procedure, 4me is committed to safeguarding the privacy of the person who reported the possible security vulnerability. Use the 4me Security public key to encrypt sensitive information sent via email.
After a possible security vulnerability has been reported, 4me will confirm that the report has been received. 4me will subsequently attempt to validate and reproduce the reported vulnerability. If additional information is required in order to validate or reproduce the issue, 4me will work with the person who reported the possible security vulnerability as needed. When the initial investigation is complete, the results will be delivered to that person. If the vulnerability cannot be validated, this too will be shared with that person.
On the other hand, if the vulnerability has been verified, a plan for its resolution and public disclosure will be shared instead. If the vulnerability is found to be caused by a third-party software product, 4me will notify this third party. 4me will continue to work with the third party to ensure that a fix gets implemented. The identity of the person who reported the possible security vulnerability will not be disclosed to the third party without this person’s explicit permission.
4me will coordinate public notification of the validated vulnerability with the person who reported it. 4me security bulletins are posted within the 4me service. The person who reported it, or their company, may want to post their own advisory on their website or in security forums. When possible, 4me would prefer that the respective public disclosures be posted simultaneously.
Responsible Disclosure
Notifying a vendor before publicly releasing information about a security vulnerability is a best practice known as responsible disclosure. Responsible disclosure allows companies like 4me to better protect their customers by fixing vulnerabilities before they are brought to the attention of someone who may want to exploit them. We strongly encourage anyone who is interested in researching and reporting security vulnerabilities to observe the simple courtesies of responsible disclosure. 4me follows the same practice when it discovers and reports security vulnerabilities to other organizations.
Security Notifications
For the protection of our customers, 4me does not disclose, discuss or confirm security vulnerabilities until a full investigation has occurred and any necessary patches or releases have been implemented. Once a security vulnerability has been fixed, 4me publishes a 4me security bulletin about the vulnerability via a broadcast within the 4me service.