Security and Compliance
SOC 2 and Penetration Testing Reports

Our products are SOC 2 compliant; the most recent report is available to customers upon request. We pen test our products at least annually, and pen test reports are available to customers upon request. Please use our Report a Bug form to request a copy of our most recent compliance reports.

Security Policies and Information

Uptime, Availability and SLAs

Our uptime objective is 99%. Planned downtime will be announced via email at least 2 business days before the planned event, and will take place outside normal United States business hours. Our customer support team operates within standard Service Level Agreements.

Availability Monitoring

Production systems and public APIs are monitored every minute. Customers can subscribe to downtime notifications via the System Status page.

Disaster Recovery

Our disaster recovery plan is designed to fully restore customer data, APIs and customer-facing applications from a total loss. Our recovery time objective is 2 hours. The procedure is tested at least annually.

Business Continuity

Xecta relies on enterprise cloud services provided by Microsoft and Amazon Web Services. We rely on the SLAs provided by our cloud partners for business continuity of core infrastructure. Our employees are fully equipped to work remotely; we have employees based in various locations across the United States who are capable of servicing our IT systems and customer support requests. Our products and services are backed up and geo-replicated for quick recovery in case of an outage.

Data in Transit

Data in transit is secured using TLS 1.2 / HTTPS.

Data at Rest

Data is stored in a PostgreSQL database encrypted by AES-256 disk encryption. Servers are housed in a Tier 4 data center hosted by Amazon Web Services (AWS). All data centers are located in the USA unless a customer contract specifies otherwise.

Data Retention

Data is deleted 90 days after the subscription or contract ends. Data stored in backups is maintained for a rolling 30-day period.

Data Backup

Data servers are backed up in near real time and are geo-redundant.

Data Isolation

Customer data is not co-mingled. Each customer has an isolated data schema with unique credentials used only for that customer.

PII Data

Our systems capture a user's email address and IP address for activity monitoring purposes. For details of how we process and store personal data, read our Privacy Policy and GDPR Statement.

Access Control, SSO and Multi-Factor Authentication

The end-user portals can only be accessed through federated Single Sign-On (SSO) with the end-user applications using the SAML2 protocols. The user is authenticated against the customer's Azure Active Directory using access controls managed by the customer's IT department.

User Access Logs

A log of user login activity is maintained for at least 1 year. Logs are available on request.

Machine-to-Machine and API Security

APIs are secured using a client/secret key combination. The API will only accept requests from machines that present a valid mTLS certificate together with a valid client ID and client secret.

Intrusion Detection and Prevention

Our products and services are monitored both by AWS and by third-party IDS/IPS solutions provided via AWS.

Disclosure

Our cybersecurity policy requires that customers are informed of a cybersecurity breach within 72 hours where feasible. Xecta will provide a detailed incident report to our customers. If it has been determined that data has been leaked, deleted or stolen, Xecta will provide details to each customer on a case-by-case basis. Xecta has a commercial cyber insurance policy provided by a reputable US insurance company to assist with restoration and recovery costs.

Xecta Corporate Security

Employee Background Checks and Certifications

All Xecta employees go through a background check and a drug and alcohol screen prior to employment. Our key IT security personnel hold the relevant Microsoft and Amazon Web Services certifications. All employees complete annual IT security training and internal courses on data management, cybersecurity and export controls. We have an annual performance review policy to review the performance of our employees.

Employee Device and Endpoint Monitoring

Xecta-owned devices and employee BYOD devices are strictly governed to comply with our IT security policies. Xecta requires all devices to comply with the antivirus, disk encryption, password and screen lock requirements outlined in our IT policies. Xecta governs devices that access our network using endpoint monitoring and compliance software provided by Microsoft.

Network Intrusion Detection

Xecta monitors the company network using threat protection functionality through services such as Azure Active Directory (Azure AD), Azure Monitor Logs, and Microsoft Defender for Cloud.

Corporate Governance and Audit

Xecta has a board of directors, an executive leadership team and an established IT security team. Our board meets quarterly. Our IT security team conducts quarterly risk management meetings, and our company policies are reviewed annually. Our company is externally audited at least annually, and a third-party cyber security firm conducts penetration testing on our products at least annually. We provide all employees with in-house and third-party training related to our policies and procedures. Training is provided upon hire and at least annually to all employees.

Our software engineers are expected to code responsibly, without backdoors or channels that capture information without consent. Our product managers are expected to build products that comply with our data ingest, storage, processing, PII data capture and terms of service policies. Our customer success team is expected to understand our SLAs and our data processing policies, and to be familiar with any data sovereignty issues related to a customer account or a specific contract. Our research teams are expected to follow data usage/processing policies and to use data only for the intent for which it was provided. Our director+ level employees are expected to review work and regularly audit teams for compliance with data management and processing policies. External auditing firms conduct periodic reviews of our policies and procedures and check employee/team compliance with those policies.