
Security

Updated January, 2025

The Protection and Privacy of Customer Data Is Our #1 Operational Priority.

Security and reliability are key to our customers’ success as well as our own, so it will come as no surprise that we take our commitment to security, data protection and privacy very seriously.

Compliance


Xurrent classifies itself as a data processor with respect to its customers’ data and as a data controller with respect to account data.

Our ISO 27001 and ISO 27018 certifications confirm that Xurrent has established an ISMS (Information Security Management System) for its SaaS (Software as a Service) offering with all required controls and has implemented additional safeguards for protecting PII (Personally Identifiable Information) in the cloud.


The System and Organization Controls (SOC) reports demonstrate how Xurrent achieves key compliance controls and objectives and help customers and their auditors understand the controls Xurrent has established to support operations and compliance. Customers can request Xurrent’s latest SOC 2 Type 2 report by submitting a request for this report using the Xurrent services.

Privacy

The robust privacy protection requirements of the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA) are in line with the values of Xurrent.  Apart from making sure that the Xurrent organization remains in compliance, Xurrent provides all capabilities needed by customers to make sure that they are able to comply with the GDPR requirements that may apply to their use of the Xurrent services.

For more information on Xurrent’s GDPR commitment, visit GDPR Compliance.

Security

Xurrent built its service from the ground up to be a true SaaS environment in the cloud with Security and Privacy in mind at every step of the development. While we develop and enhance the service on a weekly basis, AWS’ exceptionally flexible, reliable, and secure cloud infrastructure provides us with the ability to store and process all customer data in the processing region of choice. AWS makes abiding by industry and government requirements simple and also ensures the highest standards in data security, privacy and protection. Xurrent and AWS have a comprehensive suite of compliance programs with robust controls in place to manage the service in alignment with security best practices and a variety of IT security and compliance standards.

Security Measures

Confidentiality

Security starts with the people at Xurrent.  Xurrent staff members are required to conduct themselves in a manner consistent with Xurrent’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

All staff members undergo appropriate background checks prior to hiring.

All staff members sign a confidentiality agreement outlining their responsibility in protecting customer data.

We continuously train staff members on security best practices, including how to recognize social engineering, phishing and other attacker techniques.

Xurrent maintains your data privacy by allowing only authorized individuals access to information when it is critical to complete tasks for you.  Xurrent staff members will not process customer data without authorization.

Internal R&D Processes

Security and privacy are fundamental to the design of the Xurrent services.  A security-oriented environment starts with high coding standards that guard against attempted security breaches, accompanied by rigorous code reviews and automated tests with high code coverage.  Xurrent relies only on open source software, so that the code the Xurrent services depend on can be inspected and is known.  Xurrent's development processes and coding standards are designed so that both follow security best practices.  In addition, Xurrent's continuous validation and testing platform performs a range of white box and black box tests for quality assurance, including regular penetration tests.  These processes treat security as a top priority across all system layers, from the physical layer up to the application layer.

Internal Security

Xurrent has no internal office network, which rules out an entire class of security threats often associated with offices and internal networks. Instead, Xurrent utilizes a zero-trust access model. Key staff members are spread over 3 continents: North America, Europe, and Oceania, ensuring continuity of the business.

Physical Security

All customer data uploaded to the Xurrent services is always stored within the region selected by the customer, for example the European Economic Area (EEA).  Xurrent does not allow customer data to be stored or transferred anywhere else.  Xurrent has made this choice to ensure adherence to the data protection laws that apply to its customers.

All data centers that run the Xurrent services are secured and monitored 24/7 and physical access to AWS facilities is strictly limited to select AWS staff.  No staff of Xurrent has, nor will be permitted to have, physical access to the AWS facilities.

For more information about AWS Cloud Security, see https://aws.amazon.com/security/.

For more information about AWS Compliance Programs, see https://aws.amazon.com/compliance/.

Although Xurrent relies solely on AWS to deliver the Xurrent services, this does not mean Xurrent is locked into AWS.  The Xurrent services can be transferred easily to any other cloud provider should the need ever arise.  This fact is proven by customers that run the Xurrent software within their own premises.

Infrastructure Security

The Xurrent infrastructure is electronically accessible to Xurrent staff, contractors and any other person as necessary to provide the Xurrent services.  Xurrent maintains access controls and policies to manage what access is allowed to the Xurrent infrastructure from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.  Xurrent maintains corrective action and incident response plans to respond to potential security threats.

Xurrent takes all necessary precautions to ensure that every layer involved in data transfer is secured by best-of-breed technologies.  Services run on a minimal, lightweight, security-oriented operating system, which reduces the attack surface: components that are not installed cannot be exploited, so entire classes of zero-day and other vulnerabilities do not apply.  Additionally, Xurrent uses techniques that avoid erroneous instance-configuration changes, upgrades and corruption, which are common sources of security breaches.

Xurrent codes and automates its infrastructure.  Any infrastructure changes are coded, reviewed, run automatically as code, validated and tested in Xurrent’s segregated development, staging and QA environments before being deployed to the production environments.  This too avoids a whole range of erroneous and ad-hoc infrastructure changes that are common sources of security breaches and unavailability.

Firewalls are configured according to industry best practices and unnecessary ports are blocked using security groups.  All Xurrent services run within VPCs with network ACLs and additional custom measures.  The network is continuously monitored and Xurrent has various controls in place to trigger security alerts.

All Xurrent services support the latest email standards for inbound and outbound email, including required TLS encryption, and support for SPF, DKIM and DMARC alignment.

Customer Data Security in Transit and At Rest

The Xurrent services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.  All internal data in transit between services within the Xurrent infrastructure is protected by TLS v1.3 and the best available cipher suites and protocols.

All customer data is encrypted at rest – including databases, search indexes, files storage, memory caches, log data, backups, and all disks.

Xurrent monitors the changing cryptographic landscape closely and works promptly to upgrade the Xurrent services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

Access Management

Xurrent has established a password policy with required configurations and expiration intervals for all systems it controls.  Passwords must be long and complex and are forced to be changed every 90 days.

No internal server under the control of Xurrent is accessible with a password.  Only key-based authentication is allowed, and the keys are rotated regularly.  In addition, multi-factor authentication is required, including at the API level and when working through a command-line interface.

Xurrent segregates all its different environments: development, staging, QA, demo and production.  None of these environments has users defined in it, so no one can access the production environment directly.  Access is granted via a role-based system in a bastion account.

Availability & Performance

We are committed to making Xurrent a highly-available and highly-performant service.  See our history at https://status.xurrent.com/.

Disaster Recovery

Customer data is stored logically across multiple physical locations within the region selected by the customer, protecting the services from loss of connectivity, power infrastructure and other common location-specific failures.

Production transactions are replicated among these discrete locations, to protect the availability of the Xurrent services in the event of a location-specific catastrophic event.  All databases can be restored to a recent point in time.

Multiple daily and weekly backups are created and stored within the region selected by the customer.  Every six months, Xurrent performs tests to ensure that backups can be correctly restored.

Monitoring

Xurrent gains deep visibility into all API calls and all infrastructure changes including when, what, who and from where calls and changes were made.  Xurrent staff is alerted when specific events occur or thresholds are exceeded.  Xurrent maintains an extensive, centralized encrypted logging environment in all of its environments which contains information pertaining to security, monitoring, availability, access, and other metrics about the Xurrent services, to help with streamlining the services, investigations and compliance reporting, and to improve the security measures and reduce the risk profile.

Security Incidents

When a breach of security occurs, Xurrent promptly notifies the affected customers of any unauthorized access to their customer data.  Xurrent has incident management policies and procedures in place to handle such events.

External Audits

Xurrent engages credentialed external auditors to verify the adequacy of its security and privacy measures.

Xurrent engages independent entities to conduct regular application-level and infrastructure-level penetration tests.  Xurrent’s security team reviews and prioritizes the reported findings and tracks them to resolution.

Security Features for Xurrent Administrators

In addition to the security measures Xurrent employs for its processes and systems, Xurrent provides customers capabilities to protect their data.

Audit Trails

Xurrent keeps an audit trail of all changes to customer data, that customers can view.  A limited number of Xurrent support staff can view a limited subset of the audit trail, only to enable them to fulfil their support duties towards customers.

System Logs

Xurrent gives insights into events, particularly access events, happening within a Xurrent account via a system log that Xurrent administrators can keep track of and analyze.

Authentication Logs

Detailed authentication logs are available both to Xurrent users and administrators.  Xurrent logs every access attempt, noting the IP address of the connection.
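Logs that record every access attempt together with its source IP address are the raw material for spotting password spraying and credential stuffing. The following is an added example, not Xurrent's code: it parses a small, constructed authentication log (the line format is invented for this example and is not Xurrent's) and flags, per source IP, bursts of failures inside a sliding window and any success that follows such a burst, which is the pattern that deserves a password reset and an MFA check.

```python
# Added example (not Xurrent code): flag suspicious sign-in activity from
# authentication log lines. The line format is constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: one IP sprays five accounts, then logs in as carol;
# alice mistypes once from her own address; frank fails slowly all day.
SAMPLE_LOG = """\
2025-01-14T09:12:03Z user=alice@example.com ip=203.0.113.5 result=failure
2025-01-14T09:12:09Z user=bob@example.com ip=203.0.113.5 result=failure
2025-01-14T09:12:15Z user=carol@example.com ip=203.0.113.5 result=failure
2025-01-14T09:12:21Z user=dave@example.com ip=203.0.113.5 result=failure
2025-01-14T09:12:27Z user=erin@example.com ip=203.0.113.5 result=failure
2025-01-14T09:13:40Z user=carol@example.com ip=203.0.113.5 result=success
2025-01-14T09:30:02Z user=alice@example.com ip=198.51.100.7 result=failure
2025-01-14T09:30:20Z user=alice@example.com ip=198.51.100.7 result=success
2025-01-14T11:05:00Z user=frank@example.com ip=192.0.2.9 result=failure
2025-01-14T14:05:00Z user=frank@example.com ip=192.0.2.9 result=failure
2025-01-14T17:05:00Z user=frank@example.com ip=192.0.2.9 result=failure
"""


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "ip": m["ip"],
            "result": m["result"],
        })
    return events


def analyze(events, window=timedelta(minutes=10), threshold=5):
    """Sliding-window check per source IP.

    Returns (brute_force_ips, compromised): the IPs that produced at least
    `threshold` failures inside any `window`, and (ip, user) pairs for a
    success that arrived while that many failures were still in the window,
    i.e. a guess that worked."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    brute, compromised = set(), []
    for ip, evs in by_ip.items():
        recent_failures = []  # timestamps of failures still inside the window
        for e in evs:
            cutoff = e["ts"] - window
            recent_failures = [t for t in recent_failures if t >= cutoff]
            if e["result"] == "failure":
                recent_failures.append(e["ts"])
                if len(recent_failures) >= threshold:
                    brute.add(ip)
            elif len(recent_failures) >= threshold:
                compromised.append((ip, e["user"]))
    return brute, compromised


if __name__ == "__main__":
    brute, compromised = analyze(parse(SAMPLE_LOG.splitlines()))
    print("brute-force sources:", sorted(brute))
    print("successes after a burst of failures:", compromised)
```

The window and threshold are the tuning knobs: the slow-and-low source (three failures hours apart) stays under the threshold by design, which is why a per-IP count over the whole day would be the wrong detector for spraying and a per-user view is still needed alongside it.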

Role-Based Access

Xurrent supports role-based access through its interface.  A customer's Xurrent administrators manage and control user access, including the provisioning of new users with a defined access level.

Single Sign-On

A Xurrent account can be integrated with a wide variety of single sign-on (SSO) providers, such as OneLogin, Okta, Azure, Google Cloud Identity and more, using either the SAML or OpenID Connect protocol.

SCIM provisioning

A Xurrent account can be provisioned and managed with users, organizations and sites via the Xurrent SCIM API.  SCIM is used by Single Sign-On (SSO) services and identity providers to manage people across a variety of tools.

Multi-Factor Authentication

All users can enable multi-factor authentication to access Xurrent using hardware security keys, touch ID, and/or authentication apps.  Furthermore, administrators can require all users of their organization’s Xurrent account to activate multi-factor authentication.

Password Policy

A customer’s Xurrent administrator can define a password policy that all of the customer’s Xurrent users must adhere to.

Email Policy

A customer’s Xurrent administrator can ensure that outbound email sent by Xurrent is in alignment with SPF, DKIM and DMARC policies.
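The "alignment" mentioned for outbound email in the Infrastructure Security section and again in this Email Policy setting is the part of DMARC that receivers actually evaluate: an SPF or DKIM pass only counts when the domain that was authenticated matches the domain in the From header the recipient sees. The following is an added example, not Xurrent's code, that works through that evaluation for one message; the AuthResults fields, the sample domains and the last-two-labels shortcut for the organizational domain are assumptions made for the example.

```python
# Added example, not Xurrent's code: evaluate DMARC identifier alignment
# for one message from the SPF and DKIM results an MTA already has.
# Simplification (assumption): the organizational domain is taken as the
# last two DNS labels; production code needs the Public Suffix List.
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header (what users see)
    spf_result: str    # "pass", "fail", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature that validated


def evaluate_dmarc(r: AuthResults, record: dict) -> dict:
    """DMARC passes when at least one authenticated identifier (SPF or DKIM)
    both passed and aligns with the From domain. A raw SPF or DKIM 'pass'
    on an unrelated domain does not count."""
    aspf = record.get("aspf", "r")
    adkim = record.get("adkim", "r")
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "action": "none" if passed else record.get("p", "none"),
    }


# Constructed sample: mail sent on behalf of example.com through a
# subdomain MAIL FROM, signed with the organizational domain's DKIM key.
SAMPLE = AuthResults(
    from_domain="example.com",
    spf_result="pass", spf_domain="mail.example.com",
    dkim_result="pass", dkim_domain="example.com",
)
STRICT = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=s")
RELAXED = parse_dmarc_record("v=DMARC1; p=quarantine")

if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE, STRICT))    # SPF misaligned, DKIM carries it
    print(evaluate_dmarc(SAMPLE, RELAXED))   # both identifiers aligned
```

The case worth checking in your own setup is a SaaS sender that signs with its own DKIM domain and uses its own bounce domain: both SPF and DKIM report "pass", yet neither aligns with your From domain, so DMARC fails and a p=quarantine or p=reject policy acts on your legitimate notifications. Alignment means the vendor must sign with a key under your domain or use a MAIL FROM under it.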

Idle Session Timeout

A customer’s Xurrent administrator can define the idle session timeout duration for the customer’s Xurrent users.

Malware Detection

All inbound email and all attachments that are uploaded by a customer’s Xurrent users are checked for viruses, unwanted applications, and other malware.

Whitelist Attachment Extensions

A customer’s Xurrent account owner has the option to whitelist file extensions to permit files with those extensions to be attached to records in Xurrent.  This allows a customer to make sure Xurrent’s attachment policy is in line with the customer’s security policies.

API Access

Access to the Xurrent APIs can be limited to a scope that is controlled by the customer.  Customers are responsible for ensuring that each access token follows the principle of least-privilege, granting access only to the records that are necessary for its legitimate purpose.

OAuth 2.0

Customers can securely integrate their Xurrent accounts with other applications using the OAuth 2.0 authorization framework.  This framework gives customers more control over the scope of the access they give other applications to their Xurrent accounts.

Webhook Policies

Webhooks are used by Xurrent customers to keep other applications in sync with their Xurrent accounts.  Customers can add an extra layer of security by dictating a signing algorithm that Xurrent has to use to sign the payload of outbound webhook requests.
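A signed webhook only adds security if the receiver verifies the signature over the raw request body before parsing it, pins the algorithm it accepts, and compares digests in constant time. The following is an added example, not Xurrent's implementation: the header name X-Webhook-Signature, the "<alg>=<hex digest>" format and the HMAC construction are assumptions made for the example, so substitute the header and algorithm you configured for your account.

```python
# Added example (not Xurrent's implementation): HMAC-signing an outbound
# webhook payload and verifying it on the receiving side.
# Assumptions (hypothetical): the signature travels in a header named
# X-Webhook-Signature as "<alg>=<hex digest>", computed as an HMAC over
# the raw request body with a shared secret.
import hashlib
import hmac
import json
from typing import Optional

SUPPORTED_ALGS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def sign_payload(body: bytes, secret: bytes, alg: str = "sha256") -> str:
    """Sender side: produce the signature header value for a raw body."""
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = hmac.new(secret, body, SUPPORTED_ALGS[alg]).hexdigest()
    return f"{alg}={digest}"


def verify_signature(body: bytes, header: str, secret: bytes,
                     allowed_algs=("sha256",)) -> bool:
    """Receiver side: True only if the header names an algorithm we allow
    and its digest matches an HMAC recomputed over the raw body.
    The algorithm is pinned by the receiver, not chosen from the header,
    and compare_digest avoids leaking the match position via timing."""
    alg, sep, presented = header.partition("=")
    if not sep or alg not in allowed_algs or alg not in SUPPORTED_ALGS:
        return False
    expected = hmac.new(secret, body, SUPPORTED_ALGS[alg]).hexdigest()
    return hmac.compare_digest(expected, presented)


def handle_webhook(body: bytes, headers: dict, secret: bytes) -> Optional[dict]:
    """Verify first, parse second: an unsigned or tampered body is never
    handed to json.loads. Returns the event, or None when rejected."""
    header = headers.get("X-Webhook-Signature", "")
    if not verify_signature(body, header, secret):
        return None
    return json.loads(body)


# Constructed sample secret and event (not real values).
SECRET = b"example-shared-secret-rotate-me"
EVENT = json.dumps({"event": "request.update", "id": 12345},
                   separators=(",", ":")).encode()

if __name__ == "__main__":
    header = sign_payload(EVENT, SECRET)
    print(handle_webhook(EVENT, {"X-Webhook-Signature": header}, SECRET))
    tampered = EVENT.replace(b"12345", b"99999")
    print(handle_webhook(tampered, {"X-Webhook-Signature": header}, SECRET))
```

Verify over the exact bytes received, not over a re-serialized JSON object: any change in key order or whitespace on re-encoding produces a different digest and a spurious rejection. A replay of a validly signed request still verifies, so if the event carries a timestamp or an ID, reject stale or already-seen ones as a separate step.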

Data Retention

Customers can define a data retention policy for the record types that may contain personally identifiable information (PII).

Anonymization

Persons who request to be forgotten can be anonymized in the Xurrent services.

Anonymous Login

For organizations to comply with regulations such as the EU Whistleblower Directive, Xurrent offers the option to allow people to submit requests anonymously (e.g. to report misconduct or wrongdoing).

End User Privacy

Organizations can make sure that people who they support, but who should not be aware of each other in the self-service portal, are not allowed to see or select each other. This will prevent them, for example, from registering requests for each other and from mentioning each other in their requests. This extra privacy setting is typically important for government agencies that support citizens, higher education institutions that support students, as well as retailers that support consumers. It can be activated to prevent the accidental breach of the privacy of people who are grouped in a special organization record or in a separate Xurrent account.

Return of Customer Data

Xurrent customers own the data they store in the Xurrent service.  Customers are free to export this data at any given time.

Report a Security Vulnerability

Xurrent welcomes any feedback that can help make the Xurrent services more secure.  To report a possible security vulnerability that affects the Xurrent services, send an email to [email protected].

When reporting a possible security vulnerability, please include a detailed summary of the vulnerability, as this will allow Xurrent’s support staff to respond more rapidly and effectively.  Security vulnerabilities are given priority over any other incidents that may affect the Xurrent services (even over incidents that affect the availability of the service) and are handled through a separate procedure.  Throughout this procedure, Xurrent is committed to safeguarding the privacy of the person who reported the possible security vulnerability.  Use the Xurrent Security public key to encrypt sensitive information sent via email.

After a possible security vulnerability has been reported, Xurrent will confirm that the report has been received.  Xurrent will subsequently attempt to validate and reproduce the reported vulnerability.  If additional information is required in order to validate or reproduce the issue, Xurrent will work with the person who reported it as needed.  When the initial investigation is complete, the results will be shared with that person, including when the vulnerability could not be validated.

On the other hand, if the vulnerability has been verified, a plan for its resolution and public disclosure will be shared instead.  If the vulnerability is found to be caused by a third-party software product, Xurrent will notify this third party.  Xurrent will continue to work with the third party to ensure that a fix gets implemented.  The identity of the person who reported the possible security vulnerability will not be disclosed to the third party without this person’s explicit permission.

Xurrent will coordinate public notification of the validated vulnerability with the person who reported it.  Xurrent security bulletins are posted within the Xurrent service.  The person who reported it, or his/her company, may want to post its advisories on its own website or in security forums.  When possible, Xurrent would prefer that the respective public disclosures be posted simultaneously.

Responsible Disclosure

Notifying a vendor before publicly releasing information about a security vulnerability is a best practice known as responsible disclosure.  Responsible disclosure allows companies like Xurrent to better protect its customers by fixing vulnerabilities before they are brought to the attention of someone who may want to exploit them.  We strongly encourage anyone who is interested in researching and reporting security vulnerabilities to observe the simple courtesies of responsible disclosure.  Xurrent follows the same practice when it discovers and reports security vulnerabilities to other organizations.

Security Notifications

For the protection of our customers, Xurrent does not disclose, discuss or confirm security vulnerabilities until a full investigation has occurred and any necessary patches or releases have been implemented.  Once a security vulnerability has been fixed, Xurrent publishes a Xurrent security bulletin about the vulnerability via a broadcast within the Xurrent service.