Xref's Statement of Trust

At Xref, data privacy and security are our highest priority. We take all the necessary steps required to ensure our practices and policies are compliant with the highest global standards. In this statement each section is designed to guide you through our security measures and provide you with a better understanding of Xref’s level of trust.

We have also included the following information to accompany this statement.

  • Penetration Test
  • ISMS Policy Statement
  • Statement of Applicability
  • Specific Safeguards for Transfers Outside the EEA
  • FAQs
  • ISO certification
  • Sub-Processors
  • Privacy Policy
1.     Certifications

ISO/IEC 27001:2013

Xref is ISO 27001 certified, ensuring best practise for software development and information management associated with candidate referencing and employee engagement, validating Xref's platform security

Our ISO 27001 can be found here.


2.     Data Centers

The Xref platform is fully hosted in AWS across different regions in the world. More specifically, Sydney, Frankfurt, Toronto and N. Virginia.

Xref has DDOS (Denial of service) and IDS (Intrusion Detection) mitigation in place at all data centers.

Some of AWS security and compliance related links are given below:


3.     Protection from Data Loss, Corruption

All databases are kept separate to prevent corruption and overlap. We have multiple layers of logic that segregate user and company accounts from each other.

Account data is constantly mirrored and regularly backed up offsite.


4.     Application Level Security

Xref’s account passwords are hashed and salted. Our own staff can't view them.

If you lose your password, it can't be retrieved—it must be reset.

Some of our other security features include:

  • Encrypting all your data in transit using TLS 1.2 and at rest using AES 256;
  • Having an independent penetration test conducted on an annual basis; and
  • Continuously scanning our applications for vulnerabilities, using a combination of static source code analysis and dynamic testing.


5.     Operational Security

Access to our systems and your data is restricted only to those who need access in order to provide you awesome support.

We also have all the “people security” things you’d expect to see:

  • Background checks for our employees
  • Signed confidentiality agreements
  • Termination/access removal processes
  • Acceptable use agreements.

Security is the responsibility of everyone who works for us. We train our employees so that they can identify security risks and empower them to take action to prevent bad things from happening.


6.     Business Continuity/Disaster Recovery

We have redundant, geographically separate data centers so that we can provide consistent services for you. In the event one of our data centers becomes unavailable, we can recover quickly so that you can still use the Xref platform.


7.     Internal IT Security

All Xref offices are secured by keycard access. Our office network is segmented and monitored. We have a dedicated internal security team that constantly monitors our environment for vulnerabilities.


8.     Protecting your Xref Account

We can secure the Xref application, but if your computer gets compromised and someone gets into your Xref account, that's not good for either of us.

  • We monitor for signs of irregular or suspicious login activity and will automatically suspend accounts that raise any concerns.
  • Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
  • We monitor accounts for signs of abuse.
  • We make 2-Factor Authentication and extended security available to our customers.
  • We provide the ability to establish multiple levels of access within accounts.


9.    Responsible Disclosure

Xref strives to stay on top of the latest security developments internally and by working with external security researchers and companies. We appreciate the community’s efforts in creating a more secure web.

Everyday, new security issues and attack vectors are created and we take all security concerns seriously. We take a proactive approach to emerging security issues.

If you’ve discovered a vulnerability in the Xref application or suspect that your account has been compromised or you are seeing suspicious activity on your account, please email us at security@xref.com.

ISO Certification

We value your trust in us and we take pride in providing you with an IT security system that meets international accredited standards. Xref’s platform undergoes regular international and external audits with a new ISO 27001 certification reissued every three years.

You can find our current ISO 27001 certification here.

Download certification

Statement of Applicability

Xref follows the recommended ISO 27001 controls closely. Our risk applicability register outlines whether we have implemented controls for the different risks areas highlighted under the ISO 27001 requirements.

Download register

Penetration Test Report

At Xref we take IT security very seriously, we continually monitor our systems to ensure that it provides a high level of protection for our clients and their data. We understand that technological risks are always present, as such we conduct an annual penetration test to safeguard the platform. A summary of our report can be viewed below.

Download report

ISMS Policy Statement

Top management at Xref understands the Information Security needs and expectations of its interested parties both within the organisation and from external parties including clients, suppliers, regulatory and Governmental departments.

Confidentiality, Integrity and Availability of information in ISM are integral parts of its management function and view these as their primary responsibility and fundamental to best business practice. Information security policy is aligned to the requirements of ISO/IEC 27001:2013;

The Company is committed to:

●       Comply to all applicable laws and regulations and contractual obligations

●       Implement Information Security Objectives that take into account information security requirements following the results of applicable risk assessments

●       Communicate these Objectives and performance against them to all interested parties

●       Adopt an Information Security Management System comprising manual and procedures which provide direction and guidance on information security matters relating to employees, customers, suppliers and other interested parties who come into contact with its work

●       Work closely with Customers, Business Partners and Suppliers in seeking to establish appropriate information security standards

●       Adopt a forward-thinking approach on future business decisions, including the continual review of risk evaluation criteria, which may impact on Information Security

●       Ensure management resources to better meet information security requirements

●       Instruct all members of staff in the needs and responsibilities of Information Security Management

●       Constantly strive to meet its customer’s expectations

●       Implement continual improvement initiatives, including risk assessment and risk treatment strategies


Responsibility for upholding this policy is company-wide under the authority of the CTO who encourages the personal commitment of all staff to address information security as part of their skills.

The policy has been approved by the Directors and is reviewed annually or sooner should a significant change occur in order to ensure its continuing suitability, adequacy and effectiveness.

Specific Safeguards for Transfers Outside EEA

We are delighted to be able to provide employee reference services to you. This section will take you through our specific safeguards for export out of the EEA.

Xref is committed to being fully compliant with the GDPR regulations and the Australian privacy laws. In doing so, we have in place specific safeguards to ensure that all personal information exported out of the EEA are protected.

Xref operates out of 4 geographical locations, Sydney, Frankfurt, Toronto and North Virginia. You can choose to store data within the EU region. In the event that personal information is required to be transferred out of the EEA, we have measures in place to ensure that we meet the GDPR requirements to safeguard all personal data.

Technical Safeguards
  • VPN software is installed to access production environment to export data. This is further restricted by limiting access by certain staff to access that export database.
  • All staff devices are controlled remotely via MDM software and Jamf which allows us to control, encrypt and remotely wipe staff devices where required.
  • All data is encrypted at rest using AES 256 and encrypted in transit using TLS 1.2.  When the data is being sent out from the storage system to the browser, data continues to be encrypted.
  • Database resides in a network which cannot be accessed via the internet.
  • Regular internal and external audit is performed on our data security systems.

Management Safeguards

We also have the following management safeguards in place for data exports out of the EEA:

  • Data access to staff is restricted on a need-to-know basis.
  • Data export function is only provided to certain management staff and all data export requests are logged.
  • Staff can only access company platforms on a company provided device and not personal devices.
  • Annual security awareness training for all staff.

Please let us know if you have any further questions and we look forward to being able to make your hiring journey better.



1. How does the Xref application work?

Xref is a multi-tenant platform that offers candidate referencing as a service. There are 2 ways this application can be used.

  • A standalone platform where you can setup your team, permissions & questionnaires, etc. Your team members can then start taking references straight away.
  • As an integration with one of the ATS that your company is already using. The only condition to this is that Xref must have to have an integration in production with your ATS.

For more information regarding the list of current integrations, please see: https://www.xref.com/integrations.

Xref platform is a web application. It is accessed over the HTTPS protocol via a web browser (i.e. Chrome) which support TLS 1.2. Recommended browsers are latest versions of Chrome, Firefox, Edge and IE 11 or later.


2. How does the application architecture work?

Xref runs all of its infrastructure on highly available and redundant AWS services and we have a 3-tier architecture. The presentation layer consists of Cloudfront+S3 and is written in Angular. The application layer is deployed on Serverless infrastructure consist of api-gateway and Lambda and it will scale automatically.

The applications follow microservice architecture to distribute tasks and is written in Python/Django. Data layer is deployed on AWS managed RDS- Aurora service and elastic search. Data transmission within the application happens though the private network. AWS VPCs utilised for network controls. Security groups and NACLs are configured to ensure defence in depth principle is followed.

We also use other third-party services SendGrid, Mailchimp and Mailgun to send transactional emails.



3. What types of data does Xref collect?

 There are 4 categories of individuals/entities whom we collect data from:

  • Employers
    These are the platform users from your organisation. We collect their first and last names, email addresses, phone numbers, job titles, profile pictures, IP addresses and user agents.
  • Employees
    These are the employees from your organisation (including managers and ex-employees). We collect their first and last names, email addresses, phone numbers, locations, information about employment (work history, industry, job titles, departments), information about their competencies and skills, IP addresses, user agent, additional information (LinkedIn profile, notes/comments provided by the employee in the surveys).
  •  Candidates
    These are the job applicants from whom you require a reference. We collect their first and last names, email addresses, phone numbers, information about employment (work history, industry, job titles), IP addresses, user agents, and additional information (notes/comments provided by the candidate during the process).
  • Referees
    These are people designated by the candidate to provide the references. We collect their first and last names, email addresses, phone numbers, locations, job titles, answers to the survey questions, IP addresses, user agents and additional information (notes/comments provided by the referee in the survey).


4. How does Xref ensure that data collected is secure?

All data that we have collected are encrypted in transit and at rest.

Xref is also ISO 27001 certified to provide clients with assurance that their data is sufficiently secured. We renew this certification annually.  


5. Where is data currently stored?

You choose where you would like data to be stored.

You can choose between our 4 geographical AWS storage locations in Sydney, Frankfurt, Toronto and North Virginia.

6. Can data access be controlled on the employer’s end?

Yes. Employers can vary the level of access on the platform for their staff.  

Our customer support team onboards a client and setup the first user with admin access on the system. The user can then add more users to their account and grant them roles. Each user can be assigned roles by the admin so they have the required access on the company's data.


7. Is access managed and monitored? If yes, how?

The platform offers logs for all actions by any user in the account and is available for audit by any Xref Recruiter platform user admin. We have configured AWS CloudTrail alerts for unauthorised changes in infrastructure.


8. What types of security controls are implemented to prevent unauthorised alteration of log records by our support team?

Our support team has only read only access granted to logs. All access by our support are logged and tracked.


9. What staff management policies have been implemented in the organisation to prevent unauthorised access?
  • Password Controls

    Some controls in our password policy are:
         -    Allowing admin users to set passwords that will apply to all users in that account.
         -    Users failing to provide correct credentials 5 times in a row will be locked out for some time.

    If a user does not log into the system for a period, their accounts will be made inactive automatically and they will be locked out until access is granted again.  
  • Access Control
        -    Access to our staff is granted based on their assigned roles.
        -    We keep a detailed audit log of each action taken on any data by any component of the system.
        -    We internally use third party tools like Papertrail, AWS Cloudwatch to check and monitor logs. These logs are retained for 1 month.

10. How are staff devices managed?

Controlled via MDM (JAMF), disk encryption, auto-lock policy, admin privileges for the user, firewall, password policy, anti-malware installed via MDM.


11. How are critical failures, anomalous activities or security incidents detected within the organisation’s networks, systems, or event logs?
  • We use Pagerduty to notify us of critical failures. We monitor changing access levels and configuration through AWS-config and AWS-cloudtrail. An email alert will be sent to us through SNS for any changes.
  • We use CloudConformity, Tenable, Security hub, AWS cloudtrail, AWS config and Guardduty to audit infrastructure for security vulnerabilities and irregular activities.


12. What controls do you have to protect the development environment during source code?
  • We follow the ISO 27001 requirements for protecting the development environment at the source code stage.  
  • We also follow an agile development process. Every change goes through a manual review and testing in two different environments before it gets deployed to production.
  • We have enabled Github vulnerability scanner for identifying and alerting security leaks.
  • We adopt a test-driven approach when implementing new applications. Each new feature or bug fix will have an all possible scenarios written as tests with the code. The tests are run on Travis each time and a code will be committed to the repository.
  • PRs are required to be reviewed by peers before merging, and all tests must indicate a pass before proceeding.
  • Sandbox and development environments are completely segregated from the production environment.  
  • Change/control is all managed via JIRA and Confluence through an agile development process.
  • All development machines are protected with BitDefender Endpoint Security software.
  • All files are scanned automatically for malware before they are uploaded to the system.


13. What types of encryption is used for the Xref system?

All information exchange happens securely using SSL based communication between the server and client device, and the application and the database. All data is encrypted at rest using AWS KMS and in transit using SSL/TLS using 256-bit RSA encryption.


14. What sort of patch management process does Xref have?

Xref does an automated monthly infrastructure patching. As soon as a patch is available its will be tested in a controlled environment and then moved a production environment.


15. How is dataloss minimised?

Data is backed up automatically by AWS RDS service as both full backup on a daily basis, and as an incremental backup every 15 minutes.

Databases are deployed in multi-AZ to minimise the data loss if one of them is down.


16. Are independent IT security testing programs, assurance audit and/or assessments performed?
  • We perform an internal audit every 6 months
  • External consultants audit Xref on an annual basis.
  • Penetration tests are conducted every year.


17. How is data segregated from Xref’s other client’s data?

 Xref provides its services as a SaaS platform on a shared tenancy model. Each customer's data is isolated logically not physically on the application layer. Each user will get access to data filtering their company and employer/user permissions.


18. What is the business continuity plan?

We aim to complete recovery of all IT infrastructure and all IT services within 1 hour and RPO 16 hours.

We perform a DR and incident response test every 6 months.

Compliance and Privacy

19. What regulations does Xref comply with?

Xref is committed to complying with the GDPR and all Australian privacy laws.


20. Does Xref have a privacy policy?

Yes. Our privacy policy can be viewed here


21. Does Xref have a data breach plan?

Yes. We have a data breach notification team. If you suspect that there is a breach, you can contact us at security@xref.com.


22. How is consent from the candidate or referee captured?

Each candidate and referee has to agree to a collection statement before continuing with the platform. They can decline if they do not agree with the collection statement.


23. How long is data retained?

All data is kept up to 7 years.

If you require a different time period, please speak to our sales team or customer success team for assistance.

Data can also be purged on request.


24. What sort of IT security training and awareness do you provide staff?

 We conduct information security awareness training on an annual basis and when staff is onboarded.


25. How does Xref ensure that any third parties engaged also comply with the privacy regulations in Australia and implements the appropriate security and risk management controls?

Our contracts include a right to audit some sub-processors that we have engaged.

26.    Will any personal information be provided to sub-contractors?

Yes. For more information on our sub-processors, please refer to our sub-processor page, https://www.xref.com/sub-processors

Sub Processors

Xref engages external service providers to support our systems (‘sub-processors’).

Our purpose of using sub-processors is to outsource areas of the service that are not within our expertise in order to provide you with a better product experience.

You can find our list of sub-processors here.

View list

Privacy Policy

Our privacy policy will explain how our data is used and how Xref complies with the data protection laws. More information can be found through the link.

View privacy policy