We value your trust in us and we take pride in providing you with an IT security system that meets international accredited standards. Xref’s platform undergoes regular international and external audits with a new ISO 27001 certification reissued every three years.

You can find our current ISO 27001 certification here.

Xref follows the recommended ISO 27001 controls closely. Our risk applicability register outlines whether we have implemented controls for the different risks areas highlighted under the ISO 27001 requirements.

At Xref we take IT security very seriously, we continually monitor our systems to ensure that it provides a high level of protection for our clients and their data. We understand that technological risks are always present, as such we conduct an annual penetration test to safeguard the platform. A summary of our report can be viewed below.

Top management at Xref understands the Information Security needs and expectations of its interested parties both within the organisation and from external parties including clients, suppliers, regulatory and Governmental departments.

Confidentiality, Integrity and Availability of information in ISM are integral parts of its management function and view these as their primary responsibility and fundamental to best business practice. Information security policy is aligned to the requirements of ISO/IEC 27001:2022;

‍

The Company is committed to:

●       Comply to all applicable laws and regulations and contractual obligations

●       Implement Information Security Objectives that take into account information security requirements following the results of applicable risk assessments

●       Communicate these Objectives and performance against them to all interested parties

●       Adopt an Information Security Management System comprising manual and procedures which provide direction and guidance on information security matters relating to employees, customers, suppliers and other interested parties who come into contact with its work

●       Work closely with Customers, Business Partners and Suppliers in seeking to establish appropriate information security standards

●       Adopt a forward-thinking approach on future business decisions, including the continual review of risk evaluation criteria, which may impact on Information Security

●       Ensure management resources to better meet information security requirements

●       Instruct all members of staff in the needs and responsibilities of Information Security Management

●       Constantly strive to meet its customer’s expectations

●       Implement continual improvement initiatives, including risk assessment and risk treatment strategies

Responsibility for upholding this policy is company-wide under the authority of the CTO who encourages the personal commitment of all staff to address information security as part of their skills.

The policy has been approved by the Directors and is reviewed annually or sooner should a significant change occur in order to ensure its continuing suitability, adequacy and effectiveness.

‍

We are delighted to be able to provide employee reference services to you. This section will take you through our specific safeguards for export out of the EEA.

Xref is committed to being fully compliant with the GDPR regulations and the Australian privacy laws. In doing so, we have in place specific safeguards to ensure that all personal information exported out of the EEA are protected.

Xref operates out of 4 geographical locations, Sydney, Frankfurt, Toronto and North Virginia. You can choose to store data within the EU region. In the event that personal information is required to be transferred out of the EEA, we have measures in place to ensure that we meet the GDPR requirements to safeguard all personal data.

‍

Technical Safeguards

• VPN software is installed to access production environment to export data. This is further restricted by limiting access by certain staff to access that export database.
• All staff devices are controlled remotely via MDM software and Jamf which allows us to control, encrypt and remotely wipe staff devices where required.
• All data is encrypted at rest using AES 256 and encrypted in transit using TLS 1.2.  When the data is being sent out from the storage system to the browser, data continues to be encrypted.
• Database resides in a network which cannot be accessed via the internet.
• Regular internal and external audit is performed on our data security systems.

‍

Management Safeguards

We also have the following management safeguards in place for data exports out of the EEA:

• Data access to staff is restricted on a need-to-know basis.
• Data export function is only provided to certain management staff and all data export requests are logged.
• Staff can only access company platforms on a company provided device and not personal devices.
• Annual security awareness training for all staff.

‍

Please let us know if you have any further questions and we look forward to being able to make your hiring journey better.

‍

General

‍

1. How does the Xref application work?

Xref is a multi-tenant platform that offers candidate referencing as a service. There are 2 ways this application can be used.

• A standalone platform where you can setup your team, permissions & questionnaires, etc. Your team members can then start taking references straight away.
• As an integration with one of the ATS that your company is already using. The only condition to this is that Xref must have to have an integration in production with your ATS.

For more information regarding the list of current integrations, please see: https://www.xref.com/integrations.

Xref platform is a web application. It is accessed over the HTTPS protocol via a web browser (i.e. Chrome) which support TLS 1.2. Recommended browsers are latest versions of Chrome, Firefox, Edge and IE 11 or later.

2. How does the application architecture work?

Xref runs all of its infrastructure on highly available and redundant AWS services and we have a 3-tier architecture. The presentation layer consists of Cloudfront+S3 and is written in Angular. The application layer is deployed on Serverless infrastructure consist of api-gateway and Lambda and it will scale automatically.

The applications follow microservice architecture to distribute tasks and is written in Python/Django. Data layer is deployed on AWS managed RDS- Aurora service and elastic search. Data transmission within the application happens though the private network. AWS VPCs utilised for network controls. Security groups and NACLs are configured to ensure defence in depth principle is followed.

We also use other third-party services SendGrid, Mailchimp and Mailgun to send transactional emails.

Security

‍

3. What types of data does Xref collect?

 There are 4 categories of individuals/entities whom we collect data from:

• Employers
  These are the platform users from your organisation. We collect their first and last names, email addresses, phone numbers, job titles, profile pictures, IP addresses and user agents.
• Employees
  These are the employees from your organisation (including managers and ex-employees). We collect their first and last names, email addresses, phone numbers, locations, information about employment (work history, industry, job titles, departments), information about their competencies and skills, IP addresses, user agent, additional information (LinkedIn profile, notes/comments provided by the employee in the surveys).
•  Candidates
  These are the job applicants from whom you require a reference. We collect their first and last names, email addresses, phone numbers, information about employment (work history, industry, job titles), IP addresses, user agents, and additional information (notes/comments provided by the candidate during the process).
• Referees
  These are people designated by the candidate to provide the references. We collect their first and last names, email addresses, phone numbers, locations, job titles, answers to the survey questions, IP addresses, user agents and additional information (notes/comments provided by the referee in the survey).

4. How does Xref ensure that data collected is secure?

All data that we have collected are encrypted in transit and at rest.

Xref is also ISO 27001 certified to provide clients with assurance that their data is sufficiently secured. We renew this certification annually.  

5. Where is data currently stored?

You choose where you would like data to be stored.

You can choose between our 4 geographical AWS storage locations in Sydney, Frankfurt, Toronto and North Virginia.

‍

6. Can data access be controlled on the employer’s end?

Yes. Employers can vary the level of access on the platform for their staff.  

Our customer support team onboards a client and setup the first user with admin access on the system. The user can then add more users to their account and grant them roles. Each user can be assigned roles by the admin so they have the required access on the company's data.

7. Is access managed and monitored? If yes, how?

The platform offers logs for all actions by any user in the account and is available for audit by any Xref Recruiter platform user admin. We have configured AWS CloudTrail alerts for unauthorised changes in infrastructure.

8. What types of security controls are implemented to prevent unauthorised alteration of log records by our support team?

Our support team has only read only access granted to logs. All access by our support are logged and tracked.

9. What staff management policies have been implemented in the organisation to prevent unauthorised access?

• Password Controls
  
  Some controls in our password policy are:
       -    Allowing admin users to set passwords that will apply to all users in that account.
       -    Users failing to provide correct credentials 5 times in a row will be locked out for some time.
  
  If a user does not log into the system for a period, their accounts will be made inactive automatically and they will be locked out until access is granted again.  

• Access Control
      -    Access to our staff is granted based on their assigned roles.
      -    We keep a detailed audit log of each action taken on any data by any component of the system.
      -    We internally use third party tools like Papertrail, AWS Cloudwatch to check and monitor logs. These logs are retained for 1 month.

‍

10. How are staff devices managed?

Controlled via MDM (JAMF), disk encryption, auto-lock policy, admin privileges for the user, firewall, password policy, anti-malware installed via MDM.

11. How are critical failures, anomalous activities or security incidents detected within the organisation’s networks, systems, or event logs?

• We use Pagerduty to notify us of critical failures. We monitor changing access levels and configuration through AWS-config and AWS-cloudtrail. An email alert will be sent to us through SNS for any changes.
• We use CloudConformity, Tenable, Security hub, AWS cloudtrail, AWS config and Guardduty to audit infrastructure for security vulnerabilities and irregular activities.

12. What controls do you have to protect the development environment during source code?

• We follow the ISO 27001 requirements for protecting the development environment at the source code stage.  
• We also follow an agile development process. Every change goes through a manual review and testing in two different environments before it gets deployed to production.
• We have enabled Github vulnerability scanner for identifying and alerting security leaks.
• We adopt a test-driven approach when implementing new applications. Each new feature or bug fix will have an all possible scenarios written as tests with the code. The tests are run on Travis each time and a code will be committed to the repository.
• PRs are required to be reviewed by peers before merging, and all tests must indicate a pass before proceeding.
• Sandbox and development environments are completely segregated from the production environment.  
• Change/control is all managed via JIRA and Confluence through an agile development process.
• All development machines are protected with BitDefender Endpoint Security software.
• All files are scanned automatically for malware before they are uploaded to the system.

13. What types of encryption is used for the Xref system?

All information exchange happens securely using SSL based communication between the server and client device, and the application and the database. All data is encrypted at rest using AWS KMS and in transit using SSL/TLS using 256-bit RSA encryption.

14. What sort of patch management process does Xref have?

Xref does an automated monthly infrastructure patching. As soon as a patch is available its will be tested in a controlled environment and then moved a production environment.

15. How is dataloss minimised?

Data is backed up automatically by AWS RDS service as both full backup on a daily basis, and as an incremental backup every 15 minutes.

Databases are deployed in multi-AZ to minimise the data loss if one of them is down.

16. Are independent IT security testing programs, assurance audit and/or assessments performed?

• We perform an internal audit every 6 months
• External consultants audit Xref on an annual basis.
• Penetration tests are conducted every year.

17. How is data segregated from Xref’s other client’s data?

 Xref provides its services as a SaaS platform on a shared tenancy model. Each customer's data is isolated logically not physically on the application layer. Each user will get access to data filtering their company and employer/user permissions.

18. What is the business continuity plan?

We aim to complete recovery of all IT infrastructure and all IT services within 1 hour and RPO 16 hours.

We perform a DR and incident response test every 6 months.

‍

Compliance and Privacy

‍

19. What regulations does Xref comply with?

Xref is committed to complying with the GDPR and all Australian privacy laws.

20. Does Xref have a privacy policy?

Yes. Our privacy policy can be viewed here

21. Does Xref have a data breach plan?

Yes. We have a data breach notification team. If you suspect that there is a breach, you can contact us at security@xref.com.

22. How is consent from the candidate or referee captured?

Each candidate and referee has to agree to a collection statement before continuing with the platform. They can decline if they do not agree with the collection statement.

23. How long is data retained?

All data is kept up to 7 years.

If you require a different time period, please speak to our sales team or customer success team for assistance.

Data can also be purged on request.

24. What sort of IT security training and awareness do you provide staff?

 We conduct information security awareness training on an annual basis and when staff is onboarded.

25. How does Xref ensure that any third parties engaged also comply with the privacy regulations in Australia and implements the appropriate security and risk management controls?

Our contracts include a right to audit some sub-processors that we have engaged.

‍

26.    Will any personal information be provided to sub-contractors?

Yes. For more information on our sub-processors, please refer to our sub-processor page, https://www.xref.com/sub-processors

Xref engages external service providers to support our systems (‘sub-processors’).

Our purpose of using sub-processors is to outsource areas of the service that are not within our expertise in order to provide you with a better product experience.

You can find our list of sub-processors here.

Our privacy policy will explain how our data is used and how Xref complies with the data protection laws. More information can be found through the link.