You are in Safe Hands
We work with clients across industries – banks and other financial institutions, media, eCommerce, CPG and a few others. We usually need access to clients' sensitive customer and financial information, and it is our responsibility to protect our clients’ confidential information and their data. We ensure that any client data is stored only on secure and reliable cloud service providers: Amazon Web Services or Google Cloud. We have the necessary processes and safeguards in place to ensure that data is not downloaded by any member of the team working on client projects. Our employee onboarding process has sessions dedicated to Data & Information Security and to best practices for handling clients’ sensitive data.
We also hold regular internal sessions on evolving data threats and on whether any new safeguards and policies need to be introduced. A summary of Xtage Labs security policies, processes and procedures is outlined below.
Policies & Trainings
- Xtage Labs data security policies and standards are reviewed quarterly
- Any evolving threats and potential breaches are incorporated into the policies and circulated to all employees
- A dedicated session for new employees apprises them of Xtage Labs data & information security policies
- Regular internal sessions reinforce data & information security
- Data & Information security is part of every employee's KRA
Authorization & Access Control
- Access to a client’s confidential information is restricted to employees who have a need to know. No one else is permitted to access this data.
- Access to Xtage Labs computer systems is granted or revoked by network administrators in response to requests from managers
- Client data is accessed only by restricted users, using security management features of the corresponding cloud service providers.
- Copying of client data on personal systems is prohibited
- Credentials for all servers, storage and other services are accessible only to manager-level employees
- All connections to the servers occur over encrypted SSH, SSL/TLS or VPN channels
- All client and respondent information is classified as confidential and protected accordingly
- All Xtage Labs employees are required to sign and adhere to Non-Disclosure and Confidentiality agreements to protect clients' data and confidential information, as well as Xtage Labs’ confidential information
- All subcontractors and suppliers to Xtage Labs must sign and adhere to strict Non-Disclosure and Confidentiality agreements to protect clients' data and confidential information
PII (Personally Identifying Information) Suppression Policy
- Sensitive PII is currently defined by the Federal Communications Commission (FCC) as credit card numbers, financial account numbers, government-issued ID numbers, health information, or information regarding children
- We keep PII data only in a secure encrypted format, as agreed upon with the client
- We always try to minimize the use of PII data and do not store PII unless it is specifically required for an engagement
Data Storage Servers
- Xtage Labs uses Google Cloud and Amazon Web Services for all our clients. Each of these platforms provides enterprise-grade security features
- Only service account key-based authentication is used to access data
- Service accounts are limited to Xtage Labs employees
- We also apply network-level controls such as CIDR-based IP restrictions and firewall rules for virtual machines
- Xtage Labs honours client requests to remove PII and any other sensitive information provided to us
- We follow a well-defined process to remove PII from all client data and carry it out as the first step at project kick-off
- On completion of an assignment, we delete all client data from our systems after the client confirms the deletion (post sign-off). This covers:
  - Removal of data from cloud servers
  - Data on database backup disks and archived data
- Team laptops are audited by the manager to verify that no client information has been stored on personal machines
- Our policy forbids retention of paper output that includes client data
- In some circumstances working reports are printed for internal meetings; these are tracked and disposed of using a shredder
- Xtage Labs has a mature development process that includes security standards, security code reviews, quality assurance testing and release controls
- Security standards have been developed using industry best practices and are updated to reflect current trends and threats
- We strive to conform to OWASP standards for our web-based solutions
- Architecture security reviews are performed when needed by the Security Team to ensure proper controls are in place and security standards are followed
- During the development phase, Xtage Labs strictly follows key-based authentication with defined service accounts
- Only managers have access to the full production environment, using key-based authentication
- Data backups are performed in a timely manner to secure cloud servers
- This provides quick recovery from backup when required, as well as protection of the data
Employee Access to Client Data
- We have taken measures to ensure that access to both live data and reporting data is granted only on a need-to-know basis
- Access privileges are reviewed periodically and with every change of job responsibilities
- No employee may download data from a cloud server under any circumstances
Client Data Confidentiality
- We do not share collected data with any competitors, organizations or individuals without the express written consent of the data owner
- We insist on an explicit data confidentiality clause in all our contracts with our clients
- We place a high value on the security of data, which is always treated as confidential