Protecting your cloud-hosted information is critical; we understand that a lapse in security coverage can put your data, customer information, uptime, and potentially your company’s reputation at risk. When relying on a third party, a certain amount of confidence is needed. You will need to trust vendors to manage and handle your online data securely. We appreciate your trust and want you to know that xTuple is committed to protecting the integrity of your data and doing everything in our power to maintain your security and your trust.
This Security Policy provides a brief introduction to the security policies at xTuple. Our security policies are not limited to this document. Effective security is a continually evolving effort. We routinely audit and manage the security of our services and apply security best practices. This is intended as an overview of key steps taken to protect your data. We are available to answer questions or provide more in-depth information. Please contact us at Opsec@xtuple.com.
Our internal development, operations, and processes have been constructed with security in mind.
A well-built environment starts with high coding standards that guard against attempted security breaches and are accompanied by code reviews and tests. We have strict development processes and we follow specified coding standards to ensure the best security practices.
System components undergo tests and source code reviews to assess the security of our application, architecture, and service layers.
Server and system access are limited to select xTuple staff.
Our physical infrastructure is hosted and managed on Amazon Web Services (AWS) and IBM SoftLayer. We rely on their secure infrastructure to store data across multiple cloud regions and availability zones.
Servers are housed in highly secure datacenters to ensure the utmost in data security and protection. All datacenters hosting our solutions are secured and monitored 24/7. Physical access to datacenter facilities is strictly limited to select cloud staff. They continually manage risk and undergo recurring assessments to ensure compliance with industry standards.
Datacenter policies for handling fire detection, power loss, climate disasters, temperature control, datacenter management, etc. can be found on the datacenters' websites:
AWS Cloud Security — https://aws.amazon.com/security/
xTuple provides several security capabilities. No one will be able to connect to or view your PostgreSQL server as long as you take care of the connection credentials we provide you. A strong password policy, restricted outside access, and xTuple Client features such as "Use Enhanced Authentication" and password expiration/rotation can thwart many avenues of compromise. Important aspects of data security are under your control and require your participation.
All employees undergo pre-employment background checks and must agree to company policies, including security policies. We provide ongoing security awareness training designed to keep all members of staff informed of and vigilant about security risks.
During the employee exit process at xTuple, all access for the ex-employee is removed.
The ex-employee signs an agreement not to discuss any business operations or customer details upon separation.
SSL encryption between the xTuple Client and PostgreSQL database is enabled by default. Communications between the client application and server are protected from man-in-the-middle attempts.
Whether you're hosted on AWS or IBM SoftLayer, the cloud servers automatically back up your data once per night. 3 days of backups are stored locally on the server and are always accessible to you. 30 days of backups are stored in AWS S3 storage and are available upon request.
The following section describes what you can do to protect your account.
You are responsible for maintaining the secrecy of your password and account information at all times. We recommend you use a strong passphrase and rotate your password. Password rotation can be configured and enforced through your xTuple Client application.