Do you retain logs for all login attempts for a given time period or as required by the tenant?
Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Does the solution provide re-authentication at the time of an attempted change to authentication information?
Yes, users can re-authenticate a change in credentials and we comply with any attempted change in authentication information.

Can you provide the capability to present a login notice to the intended users before they are given the opportunity to log onto a system?
No, we do not present login notices to users before they log in, as the users are redirected through SAP SuccessFactors.

Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?
Yes, there is a protocol in place to ensure that no information beyond notification of an unsuccessful login attempt is disclosed prior to a successful login.

Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
Yes, our partnerships with a wide array of integration partners ensure existing customer-based Single Sign On (SSO) capability for all users to seamlessly use Xoxoday’s products. With an easy DIY setup, your SSO solution would be plugged in and ready to go. Please refer to our list of integrations to know more.

Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
Yes, our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with an airtight security protocol.

What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?
We isolate our machines, network and storage in accordance with the AWS standards in order to keep them safe and secure.

Do you allow tenants to use third-party identity assurance services?
No, tenants are only allowed to use our secure protocols and procedures, to prevent gaps in data handling.

Do you support tenant’s access review policy?
Yes, we do support our clients’ and tenants’ access review policies.

Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?
Our password setting requirements comply with all factors to ensure that strong passwords are created. Passwords must be of a minimum length and contain special characters, capitalized letters, and alpha-numeric combinations.

Do you allow tenants/customers to define password and account lockout policies for their accounts?
No, customers/tenants must comply with Xoxoday’s account lockout and password policies, which have been incorporated for maximum security.

Do you support the ability to force password changes upon first login?
No, the user can set their own password from the very first login attempt.

Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
No. As Xoxoday’s products use single sign on (SSO), the users can log in via their suite email and credentials.

Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
Yes, audit logs are reviewed and recorded on a regular basis automatically. These logs are integrated with security operations/SIEM solutions.

Is the option of physical and logical user audit log access restricted to authorized personnel only?
Yes, to ensure maximum safety and that authority over data stays in the right hands, physical and logical access to user audit logs is restricted to authorized personnel only.

Do you support the integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?
No, logs are automatically audited but are not integrated with the tenant’s security operations. If the tenant requests logs, they can be shared on request.

Are audit logs centrally stored and retained?
Yes, regular audit logs are stored with Xoxoday and retained for future reference.

Describe how event logs are protected from alteration including how access to these logs is controlled.
The event logs are stored in a bucket that nobody can access without approval from senior management, i.e. the Chief Technical Officer.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
Yes, all the mechanisms related to security and policies are implemented to facilitate timely detection and investigation by root-cause analysis. These incidents are analyzed with network intrusion detection (IDS) tools.

Describe the process for investigating all data breaches and security violation events. Describe the process for informing TCCC of the breach, root cause analysis, and remediation.
Please refer to: “Threat & Vulnerabilities Management Procedures”.

Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Yes, if specific incidents arise for particular tenants, our logging and monitoring framework allows isolation of those incidents.

Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?
Yes, there are measures to limit access to tenant data from non-authorized devices. Please refer to “Access Control Procedures”.

Does the solution support disabling of dormant accounts (user accounts that have not been used within a minimum of 90 days)?
No. If accounts are deactivated or dormant, they still remain in Xoxoday’s domain. The admin would have to manually reach out and disable the accounts that they wish to declare dormant or inactive.

Does the solution maintain a password history technique in order to disallow use of any cyclic passwords?
Yes. With the password history technique, passwords once used cannot be reused, which disallows the reuse of old passwords. Please refer to “Password Management Policy”.

Is there an approval process for access requests to systems handling personal data?
Yes, with the access control limit, super admins and admins can grant access to authorized individuals as per the requests raised by them, in order to handle their platform as well as the personal data accordingly.

Is access to systems containing personal data granted using role-based criteria?
Yes, the roles of “admin” and “super admin” hold the highest privileges, and these roles can process the personal data of users as they choose with the access control limit capability.

Is all Personal Data registered in a standard repository?
Yes, personal data is stored in registered databases that comply with all necessary inputs of a standard inventory repository.

Are credentials stored in a centralized system that is TCCC approved?
Yes, all the given credentials are safely stored in a TCCC-approved centralized system in order to securely process the personal data.

Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Yes, our roles and job duties are segregated through role-based access to ensure maximum security of tenants’ databases.

Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
Yes, if an incident occurs with respect to inappropriate access to data, we shall share the reports.

Do you support tenant’s multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?
Yes, we do support measures to enforce strong multifactor authentication when it comes to accessing highly restricted data.

Do you support access to tenant-sensitive data by only tenant’s managed devices?
No, the data can be accessed by Xoxoday’s authorized personnel to serve you better with maximum security.

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor, and review all critical access events.

Provide a description of the physical security of your Datacenter both inside (security mechanisms and redundancies implemented to protect equipment from utility service outages such as power failures, network disruptions, etc.) and outside the DataCenter itself (fences, security guards or patrols, reception desk, authentication mechanisms, etc.), as well as the procedure applied to authorize personnel to enter the premises and how often the authorizations are reviewed?
AWS is responsible for providing physical security to the data center, as we have deployed our application on AWS. AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Third-party access: third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the requested time expires.

Do you have a formal process to manage the termination and/or transfer of employees? i.e. all equipment is returned, user IDs disabled in systems, Windows, badges, and/or keys returned. On transfer, is existing access reviewed for relevance?
Yes, we have implemented the process for termination from employment. Once the employee is terminated, all access is revoked, IDs are disabled, and assets are returned and recorded as part of the exit clearance. We have implemented the access control procedure, and all access will be revoked upon termination or transfer of an employee as per the compliance requirements.

Are employees required to use a VPN when accessing the organization’s systems from all remote locations?
Yes. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is a security operations center implemented to monitor the software solution?
Yes, we have implemented a security operations center to monitor, prevent, detect, investigate, and respond to cyber threats around the clock.

Questions / Answers

What controls are in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
We have AWS Identity and Access Management (IAM). Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access events.

Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
Our identity federation standards include SAML 2.0, SPML, WS-Federation and more as means of authenticating and authorizing users with an airtight security protocol.

Are employees required to use a VPN when accessing the organisation’s systems from all remote locations?
We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Is wireless access allowed in your organisation?
Wireless access is allowed and handled with high-quality routers, password protection, restrictions on internet usage, etc.

Is there a role-based access control and structured process for the creation of new user accounts for the customer operations? Are all users identified to the system by a unique User ID?
All our employees have unique email IDs and we have implemented role-based access control. Our product team will create an account for the admin users, and the password can be changed immediately.
Is there a well-defined process for removing the user account and access rights at the time of an employee leaving the vendor’s customer processing facility?
Yes, we have the exit procedure and all the access provided to an employee will be removed or deleted.

Is there a periodic audit of the user access profile by the SPOC / system administrator?
Yes. We review the access provided every month, and the SPOC will be our system administrator.

Is there an automatic lockout for a predefined number of unsuccessful attempts?
Yes. We have defined the number of unsuccessful attempts. After 3 unsuccessful logins the account will get locked.

Are different accounts used for applications and OS level access?
Yes, we have different levels of access, for example Admin and users.

Does the system prompt the change of user passwords at predefined intervals?
Yes. Every 90 days.

How does the password reset process work? Is a secure password distribution mechanism in place?
We will get an email for resetting the password. Once we click on it, it will take us to a different window and provide an option to change or reset the password.

Is there a defined process for installing and encrypting wireless access points, if any are used by the vendor?
We only use an internet connection through Wi-Fi, and the IT Team will provide access only after the approval process.

Are the following actions performed on all systems used for the customer operations?
- Restricted access to shared folders
- Restricted USB/CD access
- Internet access on a need basis
- Admin privileges restricted
Yes. We have all these controls. We have restricted access to shared folders, USB or external drives, internet access and privileged access.

Is an inventory of all information assets (e.g. documents, USB devices, passwords, etc.) provided to employees tracked? Is the return of assets tracked?
Yes. We keep track of all this information and we will remove the access once the employee has left the organization.
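The account-policy answers above (lockout after 3 unsuccessful logins, a password change every 90 days, a minimum length and character-class rules, a password history that blocks reuse, and dormant accounts that an admin must disable manually after 90 days of inactivity) can be expressed as a small enforcement module. The following is an added example written for this page, not Xoxoday's code: the threshold, the 90-day age and the 90-day dormancy value come from the answers, while the minimum length (12), the history depth (5), the PBKDF2 iteration count and all account names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Values stated in the questionnaire answers above.
LOCKOUT_THRESHOLD = 3                  # account locks after 3 unsuccessful logins
PASSWORD_MAX_AGE = timedelta(days=90)  # password change prompted every 90 days
DORMANT_AFTER = timedelta(days=90)     # "not used within a minimum of 90 days"
# Values the page leaves unspecified; assumptions for this example only.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 50_000                 # kept low so the example runs quickly

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    last_login: datetime | None = None
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)  # (salt, hash) of earlier passwords


def complexity_violations(password: str) -> list:
    """Return the rules a candidate password breaks (empty list means acceptable)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def _was_used_before(acct: Account, password: str) -> bool:
    candidates = [(acct.salt, acct.pw_hash)] + acct.history
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in candidates)


def create_account(username: str, password: str, now: datetime) -> Account:
    if complexity_violations(password):
        raise ValueError("password does not meet complexity rules")
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), now)


def set_password(acct: Account, new_password: str, now: datetime) -> None:
    """Rotate the password, refusing weak values and any value seen in the history."""
    problems = complexity_violations(new_password)
    if problems:
        raise ValueError("password needs " + ", ".join(problems))
    if _was_used_before(acct, new_password):
        raise ValueError("password was used before")
    acct.history.append((acct.salt, acct.pw_hash))
    acct.history = acct.history[-HISTORY_DEPTH:]
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.pw_set_at = now


def login(acct: Account, password: str, now: datetime) -> str:
    """Return one of: locked, failed, password_expired, ok."""
    if acct.locked:
        return "locked"  # no self-service unlock on this page; an admin clears it
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "failed"
    acct.failed_attempts = 0
    acct.last_login = now
    if now - acct.pw_set_at >= PASSWORD_MAX_AGE:
        return "password_expired"  # authenticated, but must set a new password first
    return "ok"


def find_dormant(accounts, now: datetime) -> list:
    """Accounts idle for 90+ days, listed for the admin to disable manually."""
    return sorted(
        a.username for a in accounts
        if now - (a.last_login or a.pw_set_at) >= DORMANT_AFTER
    )


if __name__ == "__main__":
    acct = create_account("alice", "Correct-Horse-42!", T0)
    print([login(acct, "wrong", T0) for _ in range(3)])  # ['failed', 'failed', 'locked']
```

The dormancy check deliberately reports rather than disables, matching the answer that deactivation is a manual admin step; the lockout likewise has no self-service path, because the page says unlocking is handled through SSO rather than by the application.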
Is there a mechanism for different levels of administrator privileges for system access on the customer-specific servers? Is it configured in a secure manner?
Yes, we have different levels of access, such as Admin and users, and it is configured in a secure manner.

Is an inactivity timeout period specified for the customer applications?
It is an application and it supports SSO and Active Directory. The timeout period that we configure in SSO/AD would apply.

Is the development area segregated from the work area? Are proper access controls implemented for development areas?
Yes. We have segregated the areas. We have implemented controls so that only authorised individuals have access to the production area.

Are all production hardware, including, but not limited to, network devices, storage, database servers, and application equipment, located in a restricted area with physical access controls?
Yes, we have the controls.

Groups of information services, users and information systems shall be segregated on networks.
Yes. We have segregated the users.

a) Is desktop/laptop sharing allowed? b) Is a data card accessible on the desktop/laptop? c) Are software installation permissions present on the desktop/laptop?
Device sharing is not allowed. All permissions need to be obtained from the IT Team. These accesses are not provided to the employees.

What controls are in place to provide logical segregation of duties at the CSP end in a shared environment?
We have different levels of users, and access is granted only upon approval and on a need basis.

How is the vendor performing logging and monitoring of privileged access (if any) in the Cloud environment?
At Xoxoday, 2FA has been enabled for all the critical applications.

By any means, does the vendor/CSP have access to the customer data? For what purpose?
Only Xoxoday authorised individuals will have access.

Are external drives such as CDs and USB drives disabled on all desktops and laptops, and on servers containing personal data, customer data or business data?
All the computer machines are restricted with respect to access to CDs, USB or any other hard drives. We do not grant access for security reasons.

Are photographic, video, audio or other recording equipment, such as cameras in mobile phones, restricted from being carried inside secure areas / work areas / information processing facilities? Are vacant secure areas physically locked and periodically reviewed?
The secured areas are restricted and cannot be accessed with electronic devices or mobiles. These areas are physically locked and periodically reviewed as part of internal and external audits. These restricted areas are also secured with CCTV cameras and monitored 24x7 for security reasons.

Are procedures defined and followed for removing all access rights (logical access and physical access) provided to employees during the course of employment?
We have implemented the access control procedure and we revoke the access rights of employees when no longer needed or upon termination of employment. Access granted and revoked is reviewed regularly and validated during the internal and external audits.

Are the system utility programs that could be used to override system and application controls strictly controlled, is their use restricted, and are admin privileges not assigned to all users?
Access to the systems is based on the principle of least privilege. All users have restrictions on installing and uninstalling applications/software; they are not provided with Admin access. Admin access rests with the IT support head and is not available to normal users.
Are there documented procedures in place regarding the steps to be followed for voluntary and involuntary employee terminations (unnecessary user entitlements), including access revocations? Are cases of voluntary or involuntary terminations addressed immediately, and is access revoked immediately? Do you agree to inform BSLI in case of any involuntary termination of an employee working on the client account immediately, or within a reasonable timeframe in case of voluntary termination or reassignment of a staff member?
We remove the access immediately after termination of an employee as part of the exit procedures. We inform BSLI in case of any involuntary termination of an employee working on the client account within a reasonable timeframe.

Are user access provisions monitored and reviewed on an ongoing basis (access reconciliation review) to ensure additions, deletions and changes to the accounts and access rights are properly tracked?
We have implemented the role-based access control policy. We regularly monitor the user access controls and make the necessary reconciliation for security reasons.

Are users handling BSLI data given access to corporate / public mail? If yes, are there any restrictions on the domains to which mails can be sent?
Our employees are provided access to corporate email. But we have restricted access to other email service providers, sending PII over email, sending email to personal email IDs, etc. for maximum security.

Are users handling BSLI data provided access to the Internet? Is there a proxy / content filtering solution in place for controlled access to the Internet? Are proxy / content filtering solution logs monitored and reviewed?
Not all of our employees are provided with access to the client data. Only authorised individuals will have access on a need and approval basis. The approvers are either the Product Heads or the CTO. A content filtering solution is in place for controlled access to the Internet, and all the logs are monitored.
Do you have a documented procedure in place for user access management? Is access to systems and data granted exclusively on a need-to-know/need-to-access basis and the principle of least privilege, and are the approvals documented by an accountable party?
We have a documented procedure in place for user access management. The Access Control Procedure is attached. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Access to data and systems is based on the principle of least privilege and the need-to-know basis. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Only authorised individuals will have access on a need and approval basis. The approvers are either the Product Heads or the CTO.

Do you maintain a policy, operational plan and procedures for teleworking activities? Is teleworking activity authorized and controlled by management, and does it ensure that suitable arrangements are in place for this way of working? (Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as “telecommuting”, “flexible workplace”, “remote work” and “virtual work” environments.)
We provide the option of working from home/remotely to our employees. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with the SSO/Active Directory.

Does the patch management process ensure all systems are installed with the latest security patches (OS layer, application layer, database layer, network layer)? Do you have a formal vulnerability assessment and penetration testing (VAPT) process / procedure / policy / manual that is documented and operational? Do you have security hardening (technical specification, minimum baseline security standard (MBSS) guidelines for all infrastructure elements such as application, OS, network and database)? Are external drives such as CDs and USB drives disabled on all desktops and laptops, and on servers containing personal data, customer data or business data?
All the computer machines are restricted with respect to access to CDs, USB or any other hard drives. We do not grant access for security reasons. We have changed default credentials and turned off services that are not needed. MFA has been enabled to make sure that only authorised individuals have access. We have implemented the Cloudflare web application firewall, IDS, GuardDuty, etc. in order to prevent DDoS-type attacks. (Evidence of the Cloudflare web application firewall, IDS, VA/PT reports, GuardDuty, etc. is attached.) We have implemented the role-based access control system and only authorized users have access to the servers. Logs are collected using the AWS audit trail, while the application-related logs are collected in our ElasticSearch server and retained in long-term cloud storage. Mechanisms are implemented to detect, address, and stabilize vulnerabilities. We have also implemented the backup plan. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest for maximum security. Data backups are done daily and in a secure way in AWS.

Have you deployed controls to protect computer systems against viruses, spyware, malware, Trojans, malicious code, etc.? Do you log the anti-virus compliance status of all systems?
All the systems are secured with Bitdefender endpoint security, VPN, Active Directory, firewall, etc. for maximum security.

Is access to sensitive areas (server location, tape library, computer room, etc.) physically restricted to authorized personnel? If yes, does the physical access system log the access, capturing the date, time, door accessed and employee coordinates when logging physical access? Are all physical access control logs periodically reviewed and retained per retention requirements? Are visitors signed into the building by an employee who accepts responsibility for the visitors during the course of their visit?
All the sensitive areas are restricted and only authorized personnel can have access. Our facility has a biometric access system, and all the logs are maintained and periodically reviewed. We also have visitor management guidelines, and all visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Does the vendor support on-premise / in-the-cloud third-party Cloud Access Security Broker (CASB) services?
AWS Identity and Access Management (IAM) enables us to manage access to AWS services and resources securely.

If the application is Internet exposed and contains information related to customers, finance or employees, it should implement mandatory 2FA.
We don’t provide multi-factor authentication. As of now, there are OAuth 2.0 and SAML-based tokens. A JSON-based token is available for maximum security of direct-email logins.

Ability to have clearly defined roles with fine-grained access to be created as per functional roles, maintaining SoD when creating the same.
We have 3 types of roles: User, Admin and Super Admin. Based on the roles and responsibilities, access can be provided on a need and approval basis.
Ability to rename / disable default IDs within the application.
Manage accounts - Manage Super Admin/Admins: https://xoxoday.gitbook.io/application/user-guide/for-admins-1/getting-started/settings/manage-super-admin-admins#can-the-super-admin-disable-his-her-own-account-if-no-how-is-the-scenario-of-the-exit-of-a-super-admin-handled

Data confidentiality is compromised (misuse of the customer policyholder / employee information, leakage of critical customer personal / policy details resulting in financial or reputational loss for the customer).
The Xoxoday application platform collects PII such as the name, email ID and phone number of the employees who will be using this platform. Xoxoday is an ISO 27001:2013 certified, GDPR compliant and SOC 2 Type I certified organization and has all the required technical and organizational controls in place, audited during the internal and external audits. We have implemented the role-based access control system and only authorized users have access to the servers. We use Amazon IAM for identity and access management. Logs are collected using the AWS audit trail, while the application-related logs are collected in our ElasticSearch server and retained in long-term cloud storage. Mechanisms are implemented to detect, address, and stabilize vulnerabilities. We have also implemented the backup plan. We use TLS 1.2 encryption for data in transit and AES-256 for data at rest for maximum security. Data backups are done daily and in a secure way in AWS.

Describe the mechanisms in place (processes, tools, etc.) to check for vulnerabilities at the application, operating system, middleware and network layers, both internally and externally, and how frequently these controls are performed.
Our network is protected through the use of key cloud security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks. Vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. In addition to our extensive internal scanning and testing program, Xoxoday employs third-party security experts to perform vulnerability assessment and penetration testing.

Describe the access management process in place at the provider’s end, pointing out how you ensure timely removal of access that is no longer required and how you control the adequacy of the privileges to the job role. Also describe the revalidation processes and the frequency of their execution.
Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interest are to be avoided. A strong identification and authentication system and logging systems are deployed and provide centralized control to administer, monitor and review all critical access. We conduct the access control review on a frequent basis and revoke all the access provided to exited employees.

Provide the procedure implemented at your end to manage your shared IDs (e.g. root, Sys, System, etc.), group IDs (generic accounts used by several individuals belonging to the same team, for example) and local accounts. Describe how you restrict, log and monitor privileged account usage and access to security devices (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.), how you ensure users changing team or leaving can no longer access the group ID, and what the level of traceability of such IDs is.
We have unique user IDs for all and do not use generic user IDs. Access to data and systems is based on the principle of least privilege. We conduct the access control review on a frequent basis and revoke all the access provided to exited employees. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties. Privileges relating to the administration of user access privileges and role configurations are separate from those of the authorized approver who approves access requests. The approvers are either the Product Heads or the respective function Heads or their authorized delegates. The Access Control Procedure is attached.

Describe the process to ensure and monitor that segregation of duties is respected and how frequently it is controlled.
An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support the implementation of access on a need-to-know basis and support segregation of duties.

Do employees have a unique log-in ID when accessing data?
All our employees have unique log-in IDs.

Are employees required to use a VPN when accessing the organisation’s systems from all remote locations?
We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network.

Does your organisation provide any web applications used by the customer or containing the customer data?
We provide a web application.

Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts?
Admins can control the application and will have access to alerts and security events.

If an employee no longer requires remote access to the customer network, is there a process to inform the customer in a timely manner to revoke access?
We inform the customer to revoke access.
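The access management answers above describe a role-based model with three roles (User, Admin, Super Admin), access granted only on a need and approval basis, approvers who are distinct from the staff who administer access privileges, revocation of all access on exit, and a monthly review of granted access. The module below is an added example illustrating how those segregation-of-duties rules can be enforced in code; it is not Xoxoday's code or IAM configuration. The role names come from the page, while the permission sets attached to each role, the approver and administrator identities, and the reconciliation checks are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Role catalogue from the page (User, Admin, Super Admin). The permission sets are
# assumed for the example; the page does not enumerate them.
ROLE_PERMISSIONS = {
    "User": {"view_own_profile", "redeem_rewards"},
    "Admin": {"view_own_profile", "redeem_rewards", "manage_users", "view_security_events"},
    "Super Admin": {"view_own_profile", "redeem_rewards", "manage_users",
                    "view_security_events", "manage_admins"},
}


class SoDViolation(Exception):
    """Raised when one person would hold two duties that must stay separate."""


@dataclass
class AccessRequest:
    requester: str
    role: str
    justification: str            # the documented need basis
    approved_by: str | None = None
    provisioned_by: str | None = None


@dataclass
class AccessRegistry:
    approvers: set                # product heads, function heads or their delegates
    administrators: set           # staff who may provision access (IAM administration)
    grants: dict = field(default_factory=dict)   # username -> set of roles
    audit: list = field(default_factory=list)    # (action, subject, detail, actor)

    def submit(self, requester: str, role: str, justification: str) -> AccessRequest:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not justification.strip():
            raise ValueError("a need-basis justification is required")
        return AccessRequest(requester, role, justification)

    def approve(self, req: AccessRequest, approver: str) -> None:
        if approver not in self.approvers:
            raise SoDViolation(f"{approver} is not an authorized approver")
        if approver == req.requester:
            raise SoDViolation("a requester may not approve their own request")
        req.approved_by = approver
        self.audit.append(("approve", req.requester, req.role, approver))

    def provision(self, req: AccessRequest, administrator: str) -> None:
        """Grant the role only after a documented approval by a separate person."""
        if req.approved_by is None:
            raise SoDViolation("no documented approval on the request")
        if administrator not in self.administrators:
            raise SoDViolation(f"{administrator} may not provision access")
        if administrator in (req.requester, req.approved_by):
            raise SoDViolation("provisioning must be separate from request and approval")
        req.provisioned_by = administrator
        self.grants.setdefault(req.requester, set()).add(req.role)
        self.audit.append(("grant", req.requester, req.role, administrator))

    def permissions(self, username: str) -> set:
        """Effective permissions: the union of every granted role's permissions."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.grants.get(username, ())))

    def offboard(self, username: str, administrator: str) -> set:
        """Exit procedure: revoke every role at once and record who did it."""
        removed = self.grants.pop(username, set())
        self.audit.append(("revoke_all", username, tuple(sorted(removed)), administrator))
        return removed

    def reconcile(self, active_staff: set) -> dict:
        """Periodic review: grants held by people no longer on the staff list, and
        anyone holding both approver and administrator duties."""
        orphaned = sorted(u for u in self.grants if u not in active_staff)
        dual_role = sorted(self.approvers & self.administrators)
        return {"orphaned": orphaned, "approver_and_admin": dual_role}


if __name__ == "__main__":
    reg = AccessRegistry(approvers={"product.head"}, administrators={"iam.admin"})
    req = reg.submit("alice", "Admin", "runs the quarterly rewards campaign")
    reg.approve(req, "product.head")
    reg.provision(req, "iam.admin")
    print(sorted(reg.permissions("alice")), reg.reconcile({"product.head", "iam.admin"}))
```

Three people take part in every grant (requester, approver, administrator) and the registry refuses any shortcut between them; the reconciliation report is what a monthly access review would act on, surfacing both orphaned grants and collapsed duties.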
In case of exceptions due to which anti-malware activities fail (e.g. antivirus scans cannot be conducted or patches cannot be applied), are alternative controls implemented to reduce the exposure on remote endpoints?
We have an alerting system in place and perform the scan immediately in order to reduce the risk.

Do fourth parties (e.g. subcontractors, sub-processors, sub-service organizations) have access to or process client-scoped data?
They do not have access.

Is proper access control implemented for secure access to customer data?
Yes. We have a role-based access system, governed by our access control policy, to make sure that only authorised individuals have access to the information they require. All access to data and systems is based on the principle of least privilege. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support granting access on a need-to-know basis and support segregation of duties. The approvers are the Product Heads or the respective function Heads, or their authorized delegates.

Are the necessary controls in place for securing sensitive information according to its data classification (e.g. identity and access management, access rights)?
Yes, we have the necessary controls in place to protect information according to its data classification, for example identity and access management (IAM).

Do you have a SIEM for monitoring and maintaining logs of security incidents from various components (e.g. IDS, IPS, firewall logs)?
Yes. We have a SIEM in place for monitoring and maintaining logs of security incidents from various components.
What kind of identity and access management services are provided by the cloud service?
1. Independent IDM stack: all information related to the user account is managed by the SaaS vendor.
2. Using credentials provided by the enterprise: user accounts are created at the tenant, within the enterprise boundary, and used by the SaaS vendor to provide sign-on services.
3. Federated IDM: user account details are managed by the enterprise/tenant; the SaaS vendor uses the federated identity details on demand to allow sign-on and access control.
Please click here to know more about admin access, login and SSO logins: https://xoxoday.gitbook.io/application/user-guide/for-admins-1/getting-started

Share the privileged account reconciliation policy.
Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. A strong identification and authentication system, together with logging systems, is deployed and provides centralized control to administer, monitor and review all critical access. We have a role-based access system, governed by our access control policy, to make sure that only authorised individuals have access to the information they require. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles that support granting access on a need-to-know basis and support segregation of duties.

Will vendor employees be accessing any customer application? How is access to those applications managed (e.g. through SSO)?
Only authorised individuals access them, on a need and approval basis. We also use SSO.

Are vendor employees who are associated with the customer process using their official email IDs for communication with the customer?
All our employees use official email IDs.

Who will have access to the customer's users' / customers' data in your organization, and is any access control (role-based access control or other) imposed on the server / database where the customer's users' / customers' data will be stored?
We have implemented a role-based access control policy, and only authorised individuals have access, on a need and approval basis.

Supplier applies security controls and measures on remote access.
Access to data and systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, when defining job roles and designing access roles, privileges that would lead to conflicts of interest are avoided. We use a cloud-hosted VPN with strict access controls to allow our employees to access the official network. This VPN is managed by our IT team and is linked with SSO/Active Directory.

Supplier has a security monitoring process in place.
We monitor and review the privileged access that has been granted and perform the necessary reconciliation as per the implemented access control policy.

The solution provides possibilities for identity integration with the customer's Microsoft Azure AD and supports Single Sign-On (SSO).
E2. SSO may be achieved either through a SAML 2.0 federated trust setup or through Microsoft Azure SaaS integration.
E3. Additional factors may be used in authentication as well (MFA).
1. The Xoxoday application has a rich set of integrations with HRMS, HRIS, CRM, survey, marketing automation, SSO and SAML tools such as SAP SuccessFactors, Zoho People, Darwin Box, Hubspot, Freshworks, Zapier, Type Form, Survey Monkey, Survey Gizmo, SAML 2.0, etc.
2. SSO redirection: the client generates a temporary token for SSO and redirects the user to Xoxoday with this temporary token.
Please click here: https://xoxoday.gitbook.io/application/developer-resources/storefront-integration/api-endpoints/sso-redirection#sso-token-from-company-session
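The temporary-token redirect described in the SSO redirection item above, shown as an added example that is not Xoxoday's code and does not reproduce their API: the vendor URL (VENDOR_SSO_URL), the "token" query parameter, the 60-second lifetime, the sample user addresses and every function and class name here are assumptions, and the real parameter names and endpoints are the ones in the linked developer documentation. What the example shows is the set of properties a practitioner should verify on such a token before trusting the integration: it is generated from the OS CSPRNG, bound to one already-authenticated user, short-lived, and accepted exactly once, so a value that leaks through a referrer header, proxy log or browser history cannot be replayed to log in as that user.

```python
"""Temporary-token SSO redirect, as a generic illustration.

Added example, not Xoxoday's code. VENDOR_SSO_URL, the "token" query
parameter, TOKEN_TTL_SECONDS and every name below are assumptions; the
real parameter names and endpoints are defined in the vendor's docs.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

VENDOR_SSO_URL = "https://vendor.example/sso/redirect"  # assumed entry point
TOKEN_TTL_SECONDS = 60  # the browser completes the redirect within seconds


class SsoTokenStore:
    """Customer-side store of tokens minted from an authenticated session.

    Each token is opaque and unpredictable (OS CSPRNG), bound to one user,
    expires quickly and is accepted exactly once.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def mint(self, user_email: str) -> str:
        """Issue a token for a user who already holds a valid session."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[token] = (user_email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Exchange a token for its user; None if unknown, expired or reused.

        pop() removes the entry on every path, which is what makes the
        token single-use: a second call with the same value finds nothing.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        user_email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_email


def build_redirect_url(token: str, base_url: str = VENDOR_SSO_URL) -> str:
    """Build the redirect target, refusing anything that is not absolute https.

    The token travels in the query string because that mirrors the redirect
    pattern on the page; that exposure is why it must be short-lived and
    single-use.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SSO redirect target must be an absolute https URL")
    return f"{base_url}?{urlencode({'token': token})}"


def token_from_redirect(url: str) -> Optional[str]:
    """Vendor side: pull exactly one token back out of the incoming URL."""
    values = parse_qs(urlsplit(url).query).get("token", [])
    return values[0] if len(values) == 1 else None


class ManualClock:
    """Adjustable clock so the demo can fast-forward past the token TTL."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Run the whole exchange once and report what each check returned."""
    clock = ManualClock()
    store = SsoTokenStore(clock)
    token = store.mint("alice@example.com")          # constructed sample user
    url = build_redirect_url(token)
    received = token_from_redirect(url)
    first = store.consume(received)                  # valid, first use
    replay = store.consume(received)                 # same token presented again
    late = store.mint("bob@example.com")             # constructed sample user
    clock.now += TOKEN_TTL_SECONDS + 1               # let it expire
    expired = store.consume(late)
    return {"first": first, "replay": replay, "expired": expired,
            "unknown": store.consume("not-a-real-token")}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of each check: only the first presentation of a fresh token yields a user; the replay, the expired token and the unknown token all return None. In a real deployment the pending-token map would live in a shared store with the same expiry semantics, and the vendor side would validate the token by calling back to the customer rather than holding the map itself, as the linked documentation describes for the company-session token.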
