Security policy


XTRF Statement on Security

XTRF Management Systems Ltd. is a software company based in Poland. Therefore, it complies with the Polish and European Union regulations about privacy and data security, in particular, the GDPR law.

Third-Party Assessment of XTRF Internal Controls and Security Infrastructure

XTRF Management Systems Ltd. is certified for compliance with the ISO/IEC 27001:2017 and ISO 9001:2009 standards, which direct the internal policies for managing risks and controls within the organization.
XTRF Management Systems Ltd. declares that the procedures it follows conform to all required constraints.


Infrastructure

Our development infrastructure is hosted in dedicated data centers. We maintain separate development, staging, and production infrastructure.

For client production services, we use dedicated servers managed by our company and cloud services. We rely only on well-known providers: Google Cloud Platform, OVH, and Hetzner.

The list of personal data sub-processors can be found in our knowledge base.

According to ISO 27001 procedures, we are obliged to conduct third-party assessments on a timely basis. Every third party is ranked according to the Risk Score methodology.

Access to production infrastructure is limited to a dedicated administration team with appropriate training and security credentials.


Cyber Security Risk Assessments

XTRF Management Systems Ltd. conducts regular security risk assessments as part of the daily duties of internal infrastructure administrators. The most basic, regularly performed ones are as follows:

  • software update reviews

  • applying patches in accordance with the Common Vulnerabilities and Exposures (CVE) announcements

  • examining the legality of third-party software used: only legal and approved software is allowed

  • penetration tests, both internal and external

  • user rights review in our IT infrastructure: access in accordance with approved access levels

We utilize the ESET Intrusion Detection System platform for business to provide real-time online vulnerability scanning. Vulnerable programs are patched as soon as possible or blocked if they cannot meet security standards.
Aside from ESET IDS, we use firewalls based on mechanisms implemented in the Linux kernel on Linux-based machines and/or hardware firewalls and the access protection built into the network devices we utilize (switches, access points). Only trusted devices (based on MAC/hardware pairing) have access to our local area network. Physical access to servers is granted only to authorized persons, based on access cards and access codes. On third-party installations (data centers), the firewalls and access controls provided by the data center are in use. Access to the company's internal network and to customers' installations is subject to strict, continuous monitoring.

Standard port scanning and rootkit detection tools are run periodically against all networked devices (computers, mobiles, network devices, and so on). This includes re-checking that previously closed vulnerabilities remain closed and continuously reviewing up-to-date lists of possible vulnerabilities. We act upon vulnerabilities as soon as they are found.

Two-factor authentication is enabled for all critical systems, and where possible, authorization is delegated to the SSO identity provider.


Incident response

XTRF Management Systems Ltd. uses an ITIL (ISO 20000) compliant service desk (incident, problem, and change management). XTRF Management Systems Ltd. declares that the procedures used conform to all required constraints. Reconciliation reporting is implemented across most departments of XTRF Management Systems Ltd. Production development reports, quality metrics (such as the number of bugs raised against a particular release), and code quality metrics (number of thresholds breached, etc.) are tracked in JIRA. Collected metrics are reported bi-weekly and acted upon to drive continuous improvement.

The Maintenance department is monitored through the JIRA Service Desk platform and reported on by business intelligence tools. Online dashboards are exposed to decision-makers, and reconciliation reports are prepared at the end of every month to measure department performance against KPIs and SLAs.


Data Security

All data is classified and secured based on its risk level, following the legal privacy and confidentiality requirements set by Polish and EU law. The private data of our customers is not used in any way by XTRF Management Systems Ltd., neither in everyday operations nor in the development process. No third party has access to it either. If, for any reason, sensitive or private data needs to be transferred, it is always done using encrypted channels or encrypted media. If there is any need to operate on customer data, it is anonymized before use.

Data in all states can be encrypted. Data in transit is carried only over secure transport-layer protocols with trusted certificates and/or encrypted media or channels. Depending on the risk assessment, filesystems can also be encrypted if needed, ensuring encryption of data at rest and of backups.

If any media is going to be reused, it is zeroed and formatted beforehand. Unusable (broken) media are zeroed if possible and then mechanically destroyed to the point of being guaranteed unreadable.

The physical security of our data is managed by the hosting provider, which is required to have at least the same level of data protection and standards compliance as we do.


Backup and disaster recovery

All production data is backed up at least once daily to a different data center in a different physical location. Storage for backups is encrypted. Disaster recovery plans are regularly tested.

Infrastructure is managed using an Infrastructure as Code process, and the configuration files are kept in a centralized, versioned repository.


Credentials management

XTRF Management Systems Ltd. employs dedicated tools to ensure that credentials passed to and from customers remain private and confidential.

To provide an XTRF employee with a password or other short secret, a Customer is required to use https://credentials.xtrf.eu/.

When requesting a data import to be performed by an XTRF specialist, if the files contain personal data, the Customer must use https://imports.xtrf.eu/ to securely deliver the files to the XTRF employee.

When providing remote access to the Customer server, the following procedure is expected to be followed: Server remote access.


XTRF Employee Security Awareness Program

All XTRF Management Systems Ltd. personnel are acquainted with the national Work Safety regulations. All employees are obliged to sign an internal confidentiality agreement (NDA) as part of their employment contract. Aside from that, XTRF Management Systems Ltd. collects and stores the necessary data about employees to the extent permitted by law.

A candidate is checked by a recruitment agency and then by the XTRF HR Manager. They look into social networking profiles and, if possible, conduct community interviews and consultations. During the formal hiring process, a candidate must provide valid personal information such as an identity card, employment certificates from previous employers, personal data, social security number, and bank account number. All of these are subject to verification. New employees undergo training in Work Safety regulations before taking up their duties.


Reporting security vulnerabilities and penetration test results

XTRF Management Systems Ltd. is open to external white-hat penetration testing and encourages all users to report any security issues found in its products.
To process the received information safely, the reporter is expected to encrypt the confidential files using any of the commonly available methods (ZIP with AES encryption is recommended) and provide the password through the dedicated system at https://credentials.xtrf.eu/.

Security incidents should be reported to the dedicated email address security@xtrf.eu.