Security and Compliance
Our products are SOC 2 compliant. The most recent report is available to customers upon request. We pen-test our products at least annually, and pen-test reports are available to customers upon request. Please use our Customer Support Ticketing System to request a copy of our most recent compliance reports.
Our uptime objective is 99%. Planned downtime will be announced via email at least 2 business days before the planned event and will take place outside normal United States business hours. Our customer support team operates within standard Service Level Agreements.
Production systems and public APIs are monitored every minute. Customers can subscribe to downtime notifications via the System Status page.
Our disaster recovery plan is designed to fully restore customer data, APIs and customer-facing applications from a total loss. Our recovery time objective is 2 hours. The procedure is tested at least annually.
Xecta relies on enterprise cloud services provided by Microsoft and Amazon Web Services. We rely on the SLAs provided by our cloud partners for business continuity of core infrastructure. Our employees are fully equipped to work remotely. We have employees based in various locations across the United States who are capable of servicing our IT systems and customer support requests. Our products and services are backed up and geo-replicated for quick recovery in case of an outage.
Data in transit is secured using TLS 1.2 (HTTPS).
Data is stored in a PostgreSQL database protected by AES-256 disk encryption. Servers are housed in a Tier 4 data center hosted by Amazon Web Services (AWS). All data centers are located in the USA unless a customer contract specifies otherwise.
Data is deleted 90 days after the subscription or contract ends. Data stored in backups is retained for a rolling 30-day period.
Data servers are backed up in near real time and are geo-redundant.
Customer data is not co-mingled. Each customer has an isolated data schema with credentials unique to that customer.
The end user portals can only be accessed through federated Single Sign-On (SSO). We provide instructions for integrating Azure Active Directory with the end user applications using the SAML 2.0 protocol. The user is authenticated against the customer's Azure Active Directory using access controls managed by the customer's IT department.
A log of user login activity is maintained for at least 1 year. Logs are available on request.
APIs are secured using a client ID and client secret combination. The API will only accept requests from machines that present a valid mTLS certificate together with a valid client ID and client secret.
Our products and services are monitored both by AWS and by third-party IDS/IPS solutions provided via AWS.
Our cybersecurity policy requires that customers are informed of a cybersecurity breach within 72 hours where feasible. Xecta will provide a detailed incident report to our customers. If it has been determined that data has been leaked, deleted or stolen, Xecta will provide details to each affected customer on a case-by-case basis. Xecta has a commercial cyber insurance policy provided by a reputable US insurance company to assist with restoration and recovery costs.
All Xecta employees go through a background check and a drug and alcohol screen prior to employment. Our key IT security personnel hold the relevant Microsoft and Amazon Web Services certifications. All employees complete annual IT security training and internal courses on data management, cybersecurity and export controls. We have an annual performance review policy to review the performance of our employees.
Xecta-owned devices and employee BYOD devices are strictly governed to comply with our IT security policies. Xecta requires all devices to meet the antivirus, disk encryption, password and screen lock requirements outlined in our IT policies. Xecta governs devices that access our network using endpoint monitoring and compliance software provided by Microsoft.
Xecta monitors the company network using threat protection functionality through services such as Azure Active Directory (Azure AD), Azure Monitor logs, and Microsoft Defender for Cloud.
Xecta has a board of directors, an executive leadership team and an established IT security team. Our board meets quarterly. Our IT security team conducts quarterly risk management meetings, and our company policies are reviewed annually. Our company is externally audited at least annually, and a third-party cybersecurity firm conducts penetration testing on our products at least annually.
We provide all employees with in-house and third-party training related to our policies and procedures. Training is provided upon hire and at least annually to all employees.
- Our Software Engineers are expected to code responsibly without backdoors, or channels to capture information without consent.
- Our Product Managers are expected to build products that comply with our data ingest, storage, processing and PII data capture policies and with our Terms of Service.
- Our Customer Success Team is expected to understand our SLAs and our data processing policies, and to be familiar with any data sovereignty issues related to a customer account or a specific contract.
- Our Research Teams are expected to follow data usage and processing policies and to use data only for the purpose for which it was provided.
- Our Director-level and above employees are expected to review work and to regularly audit teams for compliance with data management and processing policies.
External auditing firms conduct periodic reviews of our policies and procedures and check employee and team compliance with those policies.