XTRF Statement on Security
XTRF Management Systems Ltd. is a software company based in Poland and therefore complies with the Polish and European Union regulations on privacy and data security, in particular the GDPR.
Third-Party Assessment of XTRF Internal Controls and Security Infrastructure
XTRF Management Systems Ltd. is certified for compliance with the ISO/IEC 27000:2013 and ISO 9001:2009 standards, which direct the internal policies for managing risks and controls within the organization.
XTRF Management Systems Ltd. declares that the procedures followed conform to all required constraints.
Our development infrastructure is mostly hosted locally. For client production services we use dedicated servers managed by our company. We rely only on well-known providers: Amazon, OVH, Hetzner.
The list of personal data sub-processors can be found in our
According to ISO 27001 procedures we are obliged to conduct third-party assessments on a timely basis. Every third party is ranked according to a Risk Score methodology.
Documentation is maintained in Polish and is confidential.
Cyber Security Risk Assessments
XTRF Management Systems Ltd. conducts regular security risk assessments as part of the daily duties of internal infrastructure administrators. The most basic and regularly performed of these are as follows:
- software update reviews
- applying patches in accordance with the Common Vulnerabilities and Exposures (CVE) announcements
- examining the legality of third-party software used: only legal and approved software is allowed
- penetration tests, both internal and external
- user rights review in our IT infrastructure: access in accordance with approved access levels
We utilize the ESET Intrusion Detection System platform for business to ensure online real-time scanning for vulnerabilities. Vulnerable programs are patched as soon as possible or blocked if they cannot meet security standards.
Aside from the ESET IDS we use firewalls based on mechanisms implemented in the Linux kernel on Linux-based machines and/or hardware firewalls and the access protection built into the network devices we utilize (switches, access points). Only trusted devices (based on MAC/hardware pairing) have access to our local area network. Physical access to servers is granted only to authorized persons, based on access cards and access codes. At third-party installations (data centers), the firewalls and access controls they provide are in use. Access to the company's internal network and to customers' installations is subject to strict continuous monitoring. Employee computers are centrally managed with AD accounts.
Standard port-scanning and rootkit-detection tools are used against all networked devices (computers, mobiles, network devices and so on). This is done periodically, with back-checking that previously found vulnerabilities are still closed, and a continuous review of up-to-date lists of known vulnerabilities is conducted. We remedy vulnerabilities as soon as they are found.
System administrators and our third line of support rely on two-factor authentication for accessing servers remotely.
XTRF Management Systems Ltd. uses an ITIL (ISO 20000) compliant service desk (incident, problem and change management). XTRF Management Systems Ltd. declares that the procedures used conform to all required constraints. Reconciliation reporting is implemented across most departments of XTRF Management Systems Ltd. Production development reports, quality metrics (such as the number of bugs raised against a particular release) and code quality metrics (number breached, etc.) are tracked in JIRA. Collected metrics are reported on a bi-weekly basis and actioned to achieve continuous improvement.
The maintenance department is monitored through the JIRA Service Desk platform and reported on by business intelligence tools. Online dashboards are exposed to decision makers, and reconciliation reports are prepared at the end of every month to measure department performance against KPIs and SLAs.
All data is classified and secured based on its risk level, following the legal privacy and confidentiality requirements set by Polish law. Private data of our customers is not used in any way by XTRF Management Systems Ltd., neither for everyday use nor in the development process. No third party has access to it either. If, for any reason, there is a need to transfer any sensitive or private data, it is always done using encrypted channels or encrypted media. If there is any need to operate on customer data, it is anonymized before use.
Data in all states can be encrypted. Data in transit is transferred only over secure transport-layer protocols with certificates and/or encrypted media or channels. Filesystems can be encrypted as well if needed, which ensures encryption of data at rest and in backups.
If any media is going to be reused, it is overwritten by zeroing and formatted beforehand. Unusable (broken) media are zeroed if possible and destroyed mechanically to the point where they are guaranteed to be unreadable.
XTRF Management Systems Ltd. employs dedicated tools to ensure that the exchange of credentials with customers remains private and confidential.
In order to provide an XTRF employee with a password or other short secret, the Customer is required to use https://credentials.xtrf.eu/
When requesting a data import to be performed by an XTRF specialist, if the files contain personal data, the Customer is required to use https://imports.xtrf.eu/ to deliver the files securely to the XTRF employee.
When providing remote access to a Customer server, the following procedure is expected to be followed: Remote Access to a Server
XTRF Employee Security Awareness Program
All XTRF Management Systems Ltd. personnel are acquainted with the national Work Safety regulations. All employees are obliged to sign an internal confidentiality agreement (NDA) as part of their employment contract. Aside from that, XTRF Management Systems Ltd. collects and stores the necessary data about employees to the extent permitted by law.
A candidate is checked by a recruitment agency and then by the XTRF HR Manager. They look into social networking profiles and, where possible, conduct community interviews and consultations. During the formal hiring process, a candidate needs to provide valid personal information such as an identity card, employment certificates from previous employers, personal data, a social security number and a bank account number. All of these are subject to verification. New employees undergo training in the Work Safety regulations before taking up their duties.
Reporting security vulnerabilities and penetration test results
XTRF Management Systems Ltd. is open to external white-hat penetration testing and encourages all users to report any security issues found in its product.
In order to process the received information safely, the reporter is expected to encrypt the confidential files using any commonly available method (ZIP with AES encryption is recommended) and to provide the password through the dedicated system at https://credentials.xtrf.eu/
Security incidents should be reported to the dedicated email address firstname.lastname@example.org