Xink Security

As a Software-as-a-Service (SaaS) company, ensuring the security of our hosting environment is of utmost importance. We understand that our prospects and customers rely on us to provide a secure platform for their data, and we take that responsibility very seriously.

At Xink, we strive to build a security-awareness culture. The Xink platform is built on the principle of ‘privacy-by-design’, which means that privacy and security are among our biggest concerns and focus areas. Xink is a centralized management platform for company email signatures. With Xink, your company will:

  • Enforce and achieve brand consistency through email signatures.
  • Extend email marketing campaigns to email signatures.

We consider the data on our platform to be solely your data, and we never share it with third parties.

We have implemented several processes to ensure that the best security practices are followed and kept up to date. Xink adheres to major security frameworks such as ISO, NIST, and OWASP and has policies in place that align with these standards. All our employees are required to know and adhere to the company's policies, and we have designated a role in our team to achieve this goal.

Infrastructure

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Microsoft Azure is a highly secure and reliable infrastructure that is trusted by millions of users worldwide. It provides an outstanding uptime availability guarantee of 99.5% - 99.99% according to SLA and has backup and recovery systems that make it the best choice for the Xink platform.

At Xink, we take security very seriously and have implemented measures to ensure the safety and privacy of our customers' data. Microsoft Azure is responsible for managing the security and compliance of the cloud computing infrastructure, while Xink manages the security and compliance of the software and data stored on Microsoft Azure infrastructure.

We follow the principle of least privilege when it comes to granting access to our systems and data. This means that we strictly grant access on a need-to-know basis according to Security Role Privileges. Only those employees who require access to specific data or systems to perform their job responsibilities are granted access. For instance, even a database developer cannot access database information where it is not relevant to their job. By implementing this approach, we prevent unauthorized access and potential data breaches, ensuring that our customers' data is always kept safe and secure.

Web servers

Clients access the Xink web portal via a secure, dedicated website at app.xink.io/app-[dc].xink.io. To ensure the highest level of security, all data in transit and at rest is protected using robust encryption protocols. Data in transit is secured through the mandatory use of HTTPS, employing Transport Layer Security (TLS) version 1.2 or higher with modern, non-deprecated cipher suites. This approach guarantees that data transmitted between clients and the portal remains confidential, tamper-proof, and safeguarded against interception by malicious actors.

Databases

We offer different locations for our clients worldwide. There are currently five data centers available:

  • USA
  • Canada
  • United Kingdom
  • European Union
  • Australia

Databases are Azure SQL Database from Microsoft.

Data security

Encryption-at-rest

The Xink platform leverages a robust and secure infrastructure for data storage, primarily utilizing Azure SQL Database and Azure Storage, hosted within the selected data center. Azure SQL Database operates on the latest stable version of the SQL Server database engine and patched operating system, ensuring optimal performance and security. As a fully managed service, Azure SQL Database provides a 99.99% availability guarantee, incorporating built-in high availability, automated backups, and routine maintenance operations. Microsoft manages all patching and updates for both the SQL Server and underlying operating system, reducing operational overhead and ensuring consistent security.

Data stored in Azure SQL Database is protected using transparent data encryption (TDE) with 256-bit Advanced Encryption Standard (AES), one of the most secure block ciphers available, and is fully compliant with FIPS 140-2 standards. This ensures that data remains encrypted at rest and is decrypted seamlessly during authorized access, safeguarding sensitive information against unauthorized access.

Additionally, select data may be cached in Azure Storage to optimize performance, with encryption applied consistently to maintain security. For virtual machines, Xink employs Azure Disk Encryption, utilizing Windows BitLocker for Windows-based systems and DM-Crypt for Linux-based systems to provide full-volume encryption for both operating system and data disks. Passwords are securely stored using a one-way, salted hash algorithm, rendering them non-decryptable and further enhancing the platform’s security posture.

Encryption-at-transfer

Xink mandates the use of HTTPS for all services, enforcing Transport Layer Security (TLS) version 1.2 or higher with non-deprecated cipher suites.

Backups

Snapshots of the database are taken daily. Backups have the same protection in place as production databases.

Supplemental Diagram

We offer a variety of deployment methods, depending on your preferences:

  1. The add-in (manifest file) is excellent for Outlook on Windows/Mac and Outlook on the web (browser). It allows the end-users to see their email signatures as they compose the email. In addition, they can select among multiple email signatures (shared mailbox signatures, other languages, an internal signature, etc.).
  2. The Client-side method is for Windows/Mac. It allows the end-users to customize their email signature(s) in a controlled manner (for 100% flexibility, e.g. LinkedIn/Twitter profile links, tick mobile off, select the manager signature when sending on behalf of, etc.).
  3. The Server-side is easy to set up. First, emails are re-routed through one of our Azure servers. Then, we inject the new/reply signature and return the email to your 365 tenant where you sent the email.

Application security

The Xink platform is a web-based Software as a Service (SaaS) application, providing flexible access to user data through multiple channels, including web browsers, mobile applications (available on Android and iOS), and an Application Programming Interface (API). This multi-platform accessibility ensures a seamless and secure user experience across diverse devices and integration scenarios.

Xink is developed with a Security by Design approach, embedding security considerations into every phase of the development lifecycle. The platform adheres to industry-leading security best practices as defined by the Open Web Application Security Project (OWASP) Foundation. By aligning with OWASP guidelines, Xink ensures robust protection against common vulnerabilities and threats, maintaining the confidentiality, integrity, and availability of user data across all access points.

Xink platform

Integrations

We support several SaaS systems integrations with your Xink account. We allow admins to access their accounts via the Application Programming Interface (API). The Xink API is a RESTful interface, allowing you to programmatically update and access much of your data. All supported options:

  • Xink Developer API
  • Salesforce
  • Zendesk

Login security

Xink provides administrators with flexible control over user authentication mechanisms to access their accounts, ensuring tailored security configurations that align with organizational requirements. Administrators can define the login methods for their users, enhancing security and usability based on specific needs.

Passwords for Xink accounts are configured to expire after 180 days, requiring users to renew them to maintain account security. Additionally, administrators have the authority to enforce a mandatory password reset for all users within the organization, enabling rapid response to potential security concerns or policy updates.

To further strengthen account security, Xink supports Multi-Factor Authentication (MFA) as an optional layer of protection. Administrators can enable MFA to require additional verification steps during login, significantly reducing the risk of unauthorized access. This comprehensive approach to authentication management reflects Xink’s commitment to providing secure, configurable, and robust access controls for its users.

User provisioning and de-provisioning

Xink employs a role-based access control (RBAC) system, where the permissions assigned to a role group collectively determine the management capabilities of its members within the organization. This streamlined approach simplifies user administration and ensures consistent application of access rights. For instance, when onboarding a new helpdesk employee, an administrator can assign the individual to the Help Desk role group, automatically granting them the predefined permissions associated with that group. This enables the new employee to immediately perform their designated tasks without requiring manual configuration of individual permissions, enhancing operational efficiency and maintaining robust security controls.

Data Control

Xink empowers clients with full control over their data, ensuring compliance with data privacy and management preferences. Clients may request the immediate deletion of their data at any time, and Xink will promptly execute such requests to maintain transparency and trust. In the absence of a deletion request, data associated with a deactivated account is automatically retained for a period of three (3) months. This retention policy balances data accessibility for potential reactivation with the need to securely manage and dispose of inactive data, aligning with industry best practices for data governance and security.

Operational security

Xink information security 

We maintain a formal Information Security Management Program, overseen by a dedicated role responsible for implementing and upholding robust security controls. This role is tasked with continuously monitoring the Xink platform for potential malicious activity, ensuring proactive detection and response to threats.

Data

Xink securely stores data that may be classified as Personally Identifiable Information (PII), such as names, organizations, email addresses, and phone numbers, which clients manually enter or import via the Xink API for use in their email signatures. All such data is encrypted at rest using industry-standard encryption algorithms, ensuring protection against unauthorized access in accordance with best practices for data security.

Clients retain full control and responsibility over the data they choose to include in their email signatures. Xink does not dictate or regulate the type of information incorporated into these signatures. It is the sole obligation of the client to ensure that only appropriate and intended information is included, safeguarding against the inclusion of sensitive or unintended data.

Human resources

We implement a rigorous hiring process that includes comprehensive background checks and pre-employment screening, requiring a minimum of two professional references for all candidates. This ensures that only qualified and trustworthy individuals join the organization. Additionally, Xink reserves the right to conduct background checks on any employee at any time, with or without prior notice, as deemed necessary to maintain a secure and compliant workforce.

Physical security 

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. Microsoft Azure manages the security and compliance of the cloud computing infrastructure. We entrust physical security to Microsoft Azure; according to Microsoft policy, these are some of the measures implemented:

  • Building security, ID cards, biometric scanning, and other physical measures
  • Employee background checks and strict accessibility to location and physical hardware
  • Disposal procedures are in place and compliant with ISO 27001.
  • 24/7 monitoring of all data centers, secured perimeters
  • Faulty drives are demagnetized and destroyed

As a cloud-based SaaS platform hosted on Microsoft Azure, Xink does not involve direct access by Xink personnel to the underlying server or networking infrastructure. Instead, Xink relies entirely on Azure's managed services, which include comprehensive physical security protocols. Please refer to the Microsoft Azure Trust Center for how Microsoft secures its data centers.

Network security 

Xink leverages Microsoft Azure’s Virtual Private Cloud (VPC) to establish a secure, scalable, and manageable network architecture. By utilizing Azure’s advanced networking services and building blocks, Xink ensures a robust and efficient infrastructure tailored to meet stringent security and performance requirements.

To safeguard network traffic, Xink implements strict access controls, including restricting external web traffic exclusively to the load balancer. This minimizes exposure to potential threats and ensures that only authorized traffic enters the system. Furthermore, each host within the Xink infrastructure is assigned a specific role, with Azure security groups configured to define and enforce precise traffic rules between these roles. This granular approach enhances security by limiting communication to only what is necessary for operational functionality.

Microsoft Azure complements Xink’s security measures through application isolation, operating system restrictions, and encrypted connections. These features collectively ensure that workloads are isolated, access is tightly controlled, and all data transmissions are protected using industry-standard encryption protocols. By combining Azure’s secure infrastructure with Xink’s tailored network design, the platform maintains a high level of security, scalability, and manageability for its clients.

For additional details on Microsoft Azure’s security practices, refer to the Microsoft Azure Trust Center at https://www.microsoft.com/en-us/trust-center.

Risk and vulnerability management

Penetration Tests

Internal penetration tests are conducted monthly. Penetration testing results are available on request from Xink. Third parties are free to conduct penetration tests on our platform as long as they agree to:

  • Disclose all findings to Xink.
  • Not make findings public.

If a vulnerability is discovered or reported, we take immediate action to mitigate the issue. We work promptly to investigate and address the vulnerability, and if necessary, we release emergency patches to ensure the security of our platform. We prioritize the safety and security of our customers' data and take any potential threats or vulnerabilities very seriously.

Software development life cycle

Xink employs a rigorous and multi-layered approach to ensure the integrity and security of our codebase through the use of the Git revision control system. All code changes undergo a comprehensive process that includes both automated testing and manual reviews to identify and mitigate potential issues prior to deployment.

To further enhance stability, code changes are first deployed to a staging server for thorough testing in a controlled environment, simulating production conditions. This step ensures that updates are validated before reaching production servers, minimizing the risk of disruptions. In cases where critical updates are required to address urgent security or functionality concerns, our team supports the ability to push these updates directly to production servers, ensuring swift resolution while maintaining strict oversight.

Incident response 

Xink maintains an Incident Response Plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents. These incident response procedures detail how Xink Security triages, investigates, remediates, and reports on security incidents. According to GDPR law, a breach must be reported to the local authorities within 72 hours of the breach and customers will be informed as soon as the discovered breach is confirmed.

Business continuity plan (BCP) and disaster recovery

At Xink, we have a disaster recovery plan. Our primary objective is to restore affected clients to normal business operations as quickly as possible. Xink’s infrastructure supports data restoration capabilities, enabling recovery of all data up to two hours prior to an incident, ensuring minimal data loss.

Signature templates, campaigns, logs, etc. are restored quickly. In most cases, email signatures are stored locally on client devices, meaning that a service disruption at Xink does not impact clients’ ability to continue normal business operations.

For clients utilizing server-side signatures in Office 365, Xink provides a streamlined contingency mechanism. Connectors can be easily removed within the Office 365 tenant, allowing clients to bypass the Xink server in the event of a delay or issue until full resolution is achieved. This flexibility ensures uninterrupted email signature functionality during recovery.

Data retention and disposal

Xink empowers clients with full authority over their data, including access, retention, and disposal. At the client’s request, Xink will immediately and completely erase data, ensuring compliance with privacy preferences and regulatory requirements. In cases where an account is deactivated and the client ceases to use Xink without requesting data deletion, the data is automatically deleted from Xink’s servers after a retention period of 90 days. This policy balances client convenience with secure data management, ensuring that inactive data is securely disposed of in accordance with industry best practices.

Privacy, certifications and compliance

Privacy Policy

Please follow this link for Xink Privacy Policy


Certifications and compliance

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Please refer to the latest relevant certifications:
Microsoft Azure ISO 27001 certificate
Microsoft Azure SOC 2 Audit Report
Microsoft Azure shared responsibility model

 

GDPR

Under the GDPR, “data controllers” (i.e. entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called “data processors”). Xink offers its customers, who are controllers of EU personal data, the option to enter into a robust data processing agreement under which Xink commits to process and safeguard personal data in accordance with GDPR requirements. This includes Xink’s commitment to process personal data consistent with the data controller's instructions.

DPA

To use the Xink platform, clients must sign a Data Processing Agreement designating Xink as the Data Processor and the client as the Data Controller. This agreement allows Xink to process the data provided to generate email signatures, campaigns, and related services. 

All client data is stored exclusively on the Xink platform, hosted securely within Microsoft Azure’s infrastructure, and is protected using industry-standard encryption both in transit and at rest. This controlled environment, coupled with the DPA, ensures that client data is processed and safeguarded with the highest standards of security and privacy, aligning with regulatory obligations and Xink’s commitment to data protection.


Ⓒ 2025 Xink