At Xref, data privacy and security are our highest priority. We take all the necessary steps required to ensure our practices and policies are compliant with the highest global standards. In this statement each section is designed to guide you through our security measures and provide you with a better understanding of Xref’s level of trust.
We have also included the following information to accompany this statement.
Xref is ISO 27001 certified, ensuring best practise for software development and information management associated with candidate referencing and employee engagement, validating Xref's platform security
Our ISO 27001 can be found here.
The Xref platform is fully hosted in AWS across different regions in the world. More specifically, Sydney, Frankfurt, Toronto and N. Virginia.
Xref has DDOS (Denial of service) and IDS (Intrusion Detection) mitigation in place at all data centers.
Some of AWS security and compliance related links are given below:
All databases are kept separate to prevent corruption and overlap. We have multiple layers of logic that segregate user and company accounts from each other.
Account data is constantly mirrored and regularly backed up offsite.
Xref’s account passwords are hashed and salted. Our own staff can't view them.
If you lose your password, it can't be retrieved—it must be reset.
Some of our other security features include:
Access to our systems and your data is restricted only to those who need access in order to provide you awesome support.
We also have all the “people security” things you’d expect to see:
Security is the responsibility of everyone who works for us. We train our employees so that they can identify security risks and empower them to take action to prevent bad things from happening.
We have redundant, geographically separate data centers so that we can provide consistent services for you. In the event one of our data centers becomes unavailable, we can recover quickly so that you can still use the Xref platform.
All Xref offices are secured by keycard access. Our office network is segmented and monitored. We have a dedicated internal security team that constantly monitors our environment for vulnerabilities.
We can secure the Xref application, but if your computer gets compromised and someone gets into your Xref account, that's not good for either of us.
Xref strives to stay on top of the latest security developments internally and by working with external security researchers and companies. We appreciate the community’s efforts in creating a more secure web.
Everyday, new security issues and attack vectors are created and we take all security concerns seriously. We take a proactive approach to emerging security issues.
If you’ve discovered a vulnerability in the Xref application or suspect that your account has been compromised or you are seeing suspicious activity on your account, please email us at firstname.lastname@example.org.
We value your trust in us and we take pride in providing you with an IT security system that meets international accredited standards. Xref’s platform undergoes regular international and external audits with a new ISO 27001 certification reissued every three years.
You can find our current ISO 27001 certification here.
Xref follows the recommended ISO 27001 controls closely. Our risk applicability register outlines whether we have implemented controls for the different risks areas highlighted under the ISO 27001 requirements.
At Xref we take IT security very seriously, we continually monitor our systems to ensure that it provides a high level of protection for our clients and their data. We understand that technological risks are always present, as such we conduct an annual penetration test to safeguard the platform. A summary of our report can be viewed below.
Top management at Xref understands the Information Security needs and expectations of its interested parties both within the organisation and from external parties including clients, suppliers, regulatory and Governmental departments.
Confidentiality, Integrity and Availability of information in ISM are integral parts of its management function and view these as their primary responsibility and fundamental to best business practice. Information security policy is aligned to the requirements of ISO/IEC 27001:2013;
The Company is committed to:
● Comply to all applicable laws and regulations and contractual obligations
● Implement Information Security Objectives that take into account information security requirements following the results of applicable risk assessments
● Communicate these Objectives and performance against them to all interested parties
● Adopt an Information Security Management System comprising manual and procedures which provide direction and guidance on information security matters relating to employees, customers, suppliers and other interested parties who come into contact with its work
● Work closely with Customers, Business Partners and Suppliers in seeking to establish appropriate information security standards
● Adopt a forward-thinking approach on future business decisions, including the continual review of risk evaluation criteria, which may impact on Information Security
● Ensure management resources to better meet information security requirements
● Instruct all members of staff in the needs and responsibilities of Information Security Management
● Constantly strive to meet its customer’s expectations
● Implement continual improvement initiatives, including risk assessment and risk treatment strategies
Responsibility for upholding this policy is company-wide under the authority of the CTO who encourages the personal commitment of all staff to address information security as part of their skills.
The policy has been approved by the Directors and is reviewed annually or sooner should a significant change occur in order to ensure its continuing suitability, adequacy and effectiveness.
We are delighted to be able to provide employee reference services to you. This section will take you through our specific safeguards for export out of the EEA.
Xref is committed to being fully compliant with the GDPR regulations and the Australian privacy laws. In doing so, we have in place specific safeguards to ensure that all personal information exported out of the EEA are protected.
Xref operates out of 4 geographical locations, Sydney, Frankfurt, Toronto and North Virginia. You can choose to store data within the EU region. In the event that personal information is required to be transferred out of the EEA, we have measures in place to ensure that we meet the GDPR requirements to safeguard all personal data.
We also have the following management safeguards in place for data exports out of the EEA:
Please let us know if you have any further questions and we look forward to being able to make your hiring journey better.
Xref is a multi-tenant platform that offers candidate referencing as a service. There are 2 ways this application can be used.
For more information regarding the list of current integrations, please see: https://www.xref.com/integrations.
Xref platform is a web application. It is accessed over the HTTPS protocol via a web browser (i.e. Chrome) which support TLS 1.2. Recommended browsers are latest versions of Chrome, Firefox, Edge and IE 11 or later.
Xref runs all of its infrastructure on highly available and redundant AWS services and we have a 3-tier architecture. The presentation layer consists of Cloudfront+S3 and is written in Angular. The application layer is deployed on Serverless infrastructure consist of api-gateway and Lambda and it will scale automatically.
The applications follow microservice architecture to distribute tasks and is written in Python/Django. Data layer is deployed on AWS managed RDS- Aurora service and elastic search. Data transmission within the application happens though the private network. AWS VPCs utilised for network controls. Security groups and NACLs are configured to ensure defence in depth principle is followed.
We also use other third-party services SendGrid, Mailchimp and Mailgun to send transactional emails.
There are 4 categories of individuals/entities whom we collect data from:
All data that we have collected are encrypted in transit and at rest.
Xref is also ISO 27001 certified to provide clients with assurance that their data is sufficiently secured. We renew this certification annually.
You choose where you would like data to be stored.
You can choose between our 4 geographical AWS storage locations in Sydney, Frankfurt, Toronto and North Virginia.
Yes. Employers can vary the level of access on the platform for their staff.
Our customer support team onboards a client and setup the first user with admin access on the system. The user can then add more users to their account and grant them roles. Each user can be assigned roles by the admin so they have the required access on the company's data.
The platform offers logs for all actions by any user in the account and is available for audit by any Xref Recruiter platform user admin. We have configured AWS CloudTrail alerts for unauthorised changes in infrastructure.
Our support team has only read only access granted to logs. All access by our support are logged and tracked.
Controlled via MDM (JAMF), disk encryption, auto-lock policy, admin privileges for the user, firewall, password policy, anti-malware installed via MDM.
All information exchange happens securely using SSL based communication between the server and client device, and the application and the database. All data is encrypted at rest using AWS KMS and in transit using SSL/TLS using 256-bit RSA encryption.
Xref does an automated monthly infrastructure patching. As soon as a patch is available its will be tested in a controlled environment and then moved a production environment.
Data is backed up automatically by AWS RDS service as both full backup on a daily basis, and as an incremental backup every 15 minutes.
Databases are deployed in multi-AZ to minimise the data loss if one of them is down.
Xref provides its services as a SaaS platform on a shared tenancy model. Each customer's data is isolated logically not physically on the application layer. Each user will get access to data filtering their company and employer/user permissions.
We aim to complete recovery of all IT infrastructure and all IT services within 1 hour and RPO 16 hours.
We perform a DR and incident response test every 6 months.
Xref is committed to complying with the GDPR and all Australian privacy laws.
Yes. We have a data breach notification team. If you suspect that there is a breach, you can contact us at email@example.com.
Each candidate and referee has to agree to a collection statement before continuing with the platform. They can decline if they do not agree with the collection statement.
All data is kept up to 7 years.
If you require a different time period, please speak to our sales team or customer success team for assistance.
Data can also be purged on request.
We conduct information security awareness training on an annual basis and when staff is onboarded.
Our contracts include a right to audit some sub-processors that we have engaged.
Yes. For more information on our sub-processors, please refer to our sub-processor page, https://www.xref.com/sub-processors
Xref engages external service providers to support our systems (‘sub-processors’).
Our purpose of using sub-processors is to outsource areas of the service that are not within our expertise in order to provide you with a better product experience.
You can find our list of sub-processors here.