As a company that takes data security and privacy very seriously, we recognize that Xref’s information security practices are important to you. While we don’t like to expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.
- Xref is ISO 27001 certified, ensuring best practice for an information security management system, validating Xref's platform security.
Data Center Security
- Xref runs multiple systems placed in different AWS world-class data centers around the world.
- Xref has DDoS (distributed denial of service) mitigation and IDS (intrusion detection) in place at all of our data centers.
- For more detailed information on the latest state of the art measures adopted by our hosting provider, please click here.
Protection from Data Loss, Corruption
- All databases are kept separate to prevent corruption and overlap. We have multiple layers of logic that segregate user and company accounts from each other.
- Account data is constantly mirrored and regularly backed up offsite.
- All data is encrypted in transit and at rest.
Application Level Security
- Xref’s account passwords are hashed and salted. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset.
- All login pages (from our website and mobile website) pass data via SSL/TLS.
- The entire Xref application is encrypted with TLS.
- Login pages have brute force protection.
- We perform regular external security penetration tests throughout the year. The tests involve high-level server penetration tests and in-depth testing for vulnerabilities inside the application.
Internal IT Security
- Xref offices are secured by keycard access.
- Our office network is segmented and monitored.
- We have a dedicated internal security team that constantly monitors our environment for vulnerabilities.
Internal Protocol and Education
- We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
- Employees on teams that have access to customer data (such as customer success and our developers) undergo background checks prior to employment.
- All employees sign a Privacy Safeguard Agreement outlining their responsibility in protecting customer data.
Protecting Xref Against You
- We can secure the Xref application, but if your computer gets compromised and someone gets into your Xref account, that's not good for either of us.
- We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
- Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
- We monitor accounts for signs of abuse.
- We make 2-Factor Authentication and extended security available to our customers.
- We provide the ability to establish multiple levels of access within accounts.