Last updated: July 27, 2022
As a company that takes data security and privacy very seriously, we recognise that Xref’s information security practices are important to you. While we cannot share every detail around our practices (as it can empower the very people we are protecting ourselves against), we endeavour to provide the information required to offer our users confidence in how we secure the data entrusted to us.
Xref is ISO 27001 certified. The certification covers our information security management system (ISMS) and confirms that it follows recognised best practice for managing the security of the platform and the data it holds.
Xref runs on multiple systems hosted in separate AWS data centers in different regions around the world.
Xref has DDoS (distributed denial-of-service) mitigation and IDS (intrusion detection) in place at all data centers.
For more detailed information on the measures adopted by our hosting provider, refer to AWS's own security documentation.
All databases are kept separate to prevent corruption and overlap. We have multiple layers of logic that segregate user and company accounts from each other.
Account data is constantly mirrored and regularly backed up offsite.
All data is encrypted in transit and at rest.
Xref's account passwords are salted and hashed before they are stored; the plaintext password is never kept. Even our own staff cannot view them. If you lose your password, it cannot be retrieved; it must be reset.
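The statement above is the whole point of salted password hashing: the server stores only a salt and a one-way derived value, so a verifier can check a submitted password but nobody, staff included, can recover the original. The block below is an added illustration written for this page, not Xref's code; the scheme (scrypt with the listed cost parameters, a 16-byte random salt per password, and a `scrypt$N$r$p$salt$hash` record format) is an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumed for this illustration, not Xref's settings).
# Memory cost is 128 * N * r bytes, so N=2**14, r=8 uses about 16 MiB per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, one-way hash and return a self-describing record.

    The record carries the parameters and salt so that the verifier can
    recompute the hash later; it never contains the password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    derived = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare it.

    Comparison is constant-time so timing does not leak how many leading
    bytes of the candidate hash were correct.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    if scheme != "scrypt":
        return False
    derived = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


def reset_password(new_password: str) -> str:
    """Password recovery: the old record is simply discarded and replaced.

    There is no function here that returns the old password, because the
    stored record does not contain enough information to produce it.
    """
    return hash_password(new_password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two details matter in practice: every password gets its own random salt, so two users with the same password produce different records and a precomputed table is useless; and the derivation is deliberately slow and memory-hungry, which is what makes offline guessing of a leaked record expensive.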
All login pages (on our website and mobile website) submit credentials over TLS (HTTPS).
All traffic to and from the Xref application is encrypted with TLS.
Login pages have brute-force protection.
We commission regular external penetration tests throughout the year. These cover both the hosting infrastructure (server-level penetration testing) and in-depth testing for vulnerabilities inside the application itself.
All Xref offices are secured by keycard access.
Our office network is segmented and monitored.
We have a dedicated internal security team that constantly monitors our environment for vulnerabilities.
We continuously train employees in security best practices, including how to recognise social engineering, phishing and other attempts to trick them into giving up access.
Employees on teams that have access to customer data (such as customer success and our developers) undergo background checks prior to employment.
All employees sign a Privacy Safeguard Agreement outlining their responsibility in protecting customer data.
We can secure the Xref application, but if your computer gets compromised and someone gets into your Xref account, that's not good for either of us.
We monitor for signs of irregular or suspicious login activity and will automatically suspend accounts that raise concerns until they have been reviewed.
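Brute-force protection on the login page and automatic suspension on suspicious login activity are both decisions made over a stream of login events. The block below is an added example written for this page, not Xref's monitoring code, and the policy it encodes is assumed for illustration: five failed attempts on one account within 300 seconds locks it for 900 seconds, and successful logins from three or more distinct IP addresses within 600 seconds suspends it pending review. The log lines it processes are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy thresholds for this illustration (not Xref's actual settings).
MAX_FAILURES = 5        # failed attempts tolerated ...
FAILURE_WINDOW = 300    # ... within this many seconds before lockout
LOCKOUT_SECONDS = 900   # how long a brute-forced account stays locked
DISTINCT_IP_LIMIT = 3   # successful logins from this many IPs ...
IP_WINDOW = 600         # ... within this many seconds triggers suspension


@dataclass
class LoginEvent:
    ts: int        # unix time in seconds
    account: str
    ip: str
    success: bool


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)     # timestamps of recent failures
    success_ips: deque = field(default_factory=deque)  # (ts, ip) of recent successes
    locked_until: int = 0
    suspended: bool = False


class LoginMonitor:
    """Applies the brute-force lockout and suspicious-activity rules per account."""

    def __init__(self):
        self.accounts = defaultdict(AccountState)
        self.alerts = []  # (ts, account, reason) for the security team

    def process(self, ev: LoginEvent) -> str:
        st = self.accounts[ev.account]
        if st.suspended:
            return "suspended"           # stays suspended until a human reviews it
        if ev.ts < st.locked_until:
            return "locked"              # rejected before credentials are even checked
        if not ev.success:
            st.failures.append(ev.ts)
            # drop failures that fell out of the sliding window
            while st.failures and ev.ts - st.failures[0] > FAILURE_WINDOW:
                st.failures.popleft()
            if len(st.failures) >= MAX_FAILURES:
                st.locked_until = ev.ts + LOCKOUT_SECONDS
                st.failures.clear()
                self.alerts.append((ev.ts, ev.account, "brute-force lockout"))
                return "locked"
            return "failed"
        # successful login: reset the failure counter, then look for account sharing
        # or credential theft (one account used from many networks at once)
        st.failures.clear()
        st.success_ips.append((ev.ts, ev.ip))
        while st.success_ips and ev.ts - st.success_ips[0][0] > IP_WINDOW:
            st.success_ips.popleft()
        distinct = {ip for _, ip in st.success_ips}
        if len(distinct) >= DISTINCT_IP_LIMIT:
            st.suspended = True
            self.alerts.append(
                (ev.ts, ev.account, "suspended: logins from %d IPs" % len(distinct))
            )
            return "suspended"
        return "ok"


def parse_log_line(line: str) -> LoginEvent:
    """Parse one constructed 'ts account ip OK|FAIL' line."""
    ts, account, ip, result = line.split()
    return LoginEvent(int(ts), account, ip, result == "OK")


# Constructed sample log for the example; not real Xref data.
SAMPLE_LOG = """\
1000 alice 203.0.113.5 FAIL
1010 alice 203.0.113.5 FAIL
1020 alice 203.0.113.5 FAIL
1030 alice 203.0.113.5 FAIL
1040 alice 203.0.113.5 FAIL
1050 alice 203.0.113.5 OK
2000 bob 198.51.100.1 OK
2100 bob 192.0.2.77 OK
2200 bob 203.0.113.9 OK
2300 bob 203.0.113.9 OK
"""


def run(log: str = SAMPLE_LOG):
    """Replay a log through the monitor; return per-event outcomes and alerts."""
    mon = LoginMonitor()
    outcomes = [mon.process(parse_log_line(l)) for l in log.splitlines() if l.strip()]
    return outcomes, mon.alerts


if __name__ == "__main__":
    outcomes, alerts = run()
    for line, outcome in zip(SAMPLE_LOG.splitlines(), outcomes):
        print(f"{line:40s} -> {outcome}")
    for alert in alerts:
        print("ALERT", alert)
```

Note that alice's correct password at 1050 is still rejected because the lockout started at 1040; that is the intended behaviour, but it also means an attacker who knows a username can lock its owner out on purpose. That is why account lockout is usually paired with per-IP rate limiting and 2FA rather than used on its own, and why the suspension rule reports to a human rather than deleting anything.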
Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
We monitor accounts for signs of abuse.
We make two-factor authentication (2FA) and extended security options available to our customers.
We provide the ability to set multiple levels of access for users within an account, so that each user sees only what their role requires.