Xink Security

As a Software-as-a-Service (SaaS) company, ensuring the security of our hosting environment is of utmost importance. We understand that our prospects and customers rely on us to provide a secure platform for their data, and we take that responsibility very seriously.

At Xink, we strive to build a culture of security awareness. The Xink platform is built on the principle of privacy-by-design, which makes privacy and security two of our biggest concerns and focus areas. Xink is a centralized management platform for company email signatures. With Xink, your company will:

Enforce and achieve brand consistency through email signatures.
Extend email marketing campaigns to email signatures.

We consider the data on our platform to be solely your data, and we never share it with third parties.

We have implemented several processes to ensure that current security best practices are followed. Xink follows guidance from major security bodies such as ISO, NIST, and OWASP and has policies in place that align with their standards. All employees are required to know and adhere to the company's policies, and we have designated a role on our team to make sure this happens.

Infrastructure

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Microsoft Azure is a highly secure and reliable infrastructure trusted by millions of users worldwide. Its service-level agreements guarantee availability of 99.5% to 99.99%, depending on the service and configuration, and its backup and recovery capabilities make it the right foundation for the Xink platform.

At Xink, we take security very seriously and have implemented measures to protect the safety and privacy of our customers' data. Responsibility is shared: Microsoft Azure manages the security and compliance of the underlying cloud infrastructure, while Xink manages the security and compliance of the software and the data stored on that infrastructure.

We follow the principle of least privilege when granting access to our systems and data: access is granted strictly on a need-to-know basis according to defined security role privileges. Only employees who need access to specific data or systems to perform their job responsibilities receive it. For instance, even a database developer cannot access database content that is not relevant to their job. This limits the damage a compromised or misused account can do and reduces the risk of unauthorized access to customer data.

Web servers

Clients access the Xink web portal at app.xink.io. We encrypt all data in transit and at rest. HTTPS is required for all services, using TLS 1.2 or higher with non-deprecated cipher suites, so that data in transit cannot be read or tampered with by a network attacker. Data at rest is encrypted using industry-standard algorithms (see Data security below), so that sensitive data remains protected even if an attacker gains unauthorized access to the underlying storage.

Databases

We offer hosting in several regions worldwide so that clients can choose where their data resides. Five regions are currently available:

  • USA
  • Canada
  • United Kingdom
  • European Union
  • Australia

Databases are Microsoft Azure SQL Database instances located in the chosen region.

Data security

Encryption-at-rest
Most data is stored in a SQL database; some data may be cached in Azure Storage. Both reside in the region the client has chosen. Azure SQL Database always runs the latest stable version of the SQL Server database engine on a patched operating system, with a 99.99% availability SLA. It is a fully managed service with built-in high availability, backups, and other routine maintenance; Microsoft handles all patching and updating of the database engine and the operating system.

Data in Azure SQL Database is encrypted and decrypted transparently using 256-bit AES, one of the strongest block ciphers available, in a FIPS 140-2 compliant implementation.
Windows and Linux virtual machines are protected with Azure Disk Encryption, which uses BitLocker on Windows and dm-crypt on Linux to apply full-volume encryption to both operating-system disks and data disks. Passwords are never stored in plaintext: we store only a salted one-way hash, from which the original password cannot be recovered.
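To make the password-storage statement above concrete, here is an added example (not Xink's code; the page does not say which hash algorithm Xink uses) of salted one-way password hashing with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, salt size and record format are assumptions for the example. It shows the three properties a reviewer would check: a fresh random salt per password (so two users with the same password get different records), constant-time comparison on verification, and a way to detect records hashed under an older, weaker work factor.

```python
import hashlib
import hmac
import secrets

# Policy parameters (assumptions for this example, not Xink's settings).
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "pbkdf2_<hash>$<iterations>$<salt hex>$<digest hex>"
    so the salt and work factor travel with the hash and can be upgraded later.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> tuple[str, int, bytes, bytes]:
    """Split a stored record into (hash name, iterations, salt, digest); ValueError if malformed."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError("unsupported scheme")
    return scheme[len("pbkdf2_"):], int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed records verify as False rather than raising, so a corrupted row
    cannot turn into an authentication bypass or an unhandled error path.
    """
    try:
        algorithm, iterations, salt, expected = _parse(record)
        candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, *, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work factor; rehash on the next successful login."""
    try:
        _, stored_iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
```

In production, prefer a memory-hard function such as Argon2id or scrypt where available; PBKDF2 is shown here because it needs no third-party package.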

Encryption-at-transfer
Xink requires HTTPS for all services using TLS (v1.2 or higher using non-deprecated cipher suites).
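As an added example (not code from Xink or the page), the following Python shows what "TLS 1.2 or higher using non-deprecated cipher suites", as stated here and under Web servers above, looks like as an enforceable client policy and as an audit check against a negotiated handshake. The allowed-suite lists are assumptions for this example (ECDHE key exchange with AEAD ciphers for TLS 1.2, plus the three TLS 1.3 suites); `check_endpoint` is the only function that needs network access.

```python
import socket
import ssl

# TLS 1.2 policy: forward secrecy (ECDHE) and AEAD ciphers only. Assumed for this
# example; the page only says "non-deprecated cipher suites".
TLS12_ALLOWED = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
})
# All TLS 1.3 suites are AEAD with forward secrecy; OpenSSL's set_ciphers() does not affect them.
TLS13_ALLOWED = frozenset({
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
})


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and any TLS 1.2 suite outside the policy."""
    ctx = ssl.create_default_context()          # certificate and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(TLS12_ALLOWED)))
    return ctx


def audit_handshake(version: str, cipher: str) -> list[str]:
    """Policy violations for an observed (protocol version, cipher suite) pair; [] means compliant.

    Inputs use the formats returned by ssl.SSLSocket.version() and ssl.SSLSocket.cipher()[0].
    """
    violations: list[str] = []
    if version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        violations.append(f"protocol {version} is below TLS 1.2")
    elif version == "TLSv1.2" and cipher not in TLS12_ALLOWED:
        violations.append(f"TLS 1.2 suite {cipher} is not in the allowed ECDHE/AEAD set")
    elif version == "TLSv1.3" and cipher not in TLS13_ALLOWED:
        violations.append(f"unexpected TLS 1.3 suite {cipher}")
    elif version not in ("TLSv1.2", "TLSv1.3"):
        violations.append(f"unknown protocol version {version}")
    return violations


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Connect to a live endpoint and audit what was actually negotiated (needs network access)."""
    ctx = ssl.create_default_context()   # default context, so we observe the server's own choice
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_handshake(tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    print(audit_handshake("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"))  # []
    print(audit_handshake("TLSv1.2", "ECDHE-RSA-AES128-SHA"))         # CBC/SHA-1 suite flagged
    print(audit_handshake("TLSv1", "ECDHE-RSA-AES256-GCM-SHA384"))    # protocol flagged
```

A default `ssl` context in current Python already refuses TLS 1.0 and 1.1, so a handshake failure inside `check_endpoint` is itself a finding. Enumerating every suite a server still accepts needs a dedicated scanner such as testssl.sh or sslscan; this check only tells you what one modern client negotiated.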

Backups
Snapshots of the database are taken daily. Backups have the same protection in place as production databases.

Supplemental Diagram

We offer a variety of deployment methods, depending on your preferences:

  1. The add-in (manifest file) is the best fit for Outlook on Windows/Mac and Outlook on the web (browser). End-users see their email signature as they compose the email and can choose among multiple signatures (shared-mailbox signatures, other languages, an internal signature, etc.).
  2. The client-side method is for Windows/Mac. It lets end-users customize their email signature(s) in a controlled manner, with full flexibility: for example adding LinkedIn/Twitter profile links, omitting the mobile number, or selecting the manager's signature when sending on their behalf.
  3. The server-side method is easy to set up. Outgoing email is routed through one of our Azure servers, where the new-message or reply signature is injected, and then returned to the Microsoft 365 tenant from which it was sent.
  4. Both the add-in and the client-side method let end-users see their email signature as they compose the email; no company email is re-routed.

Application security

The Xink service is a web-based software-as-a-service application. Users can access their data via a web browser, the mobile application (Android and iOS), or the application programming interface (API).

Xink is developed following the security best practices defined by the OWASP Foundation and keeping a Security by Design approach at all times.

Xink platform

Integrations

We support integrations between your Xink account and several other SaaS systems. Admins can also access their account through the Application Programming Interface (API): the Xink API is a RESTful interface that lets you programmatically read and update much of your data. The supported options are:

  • Xink Developer API
  • Salesforce
  • Zendesk

Login security

Xink admins decide which mechanism their users use to log in to their Xink accounts. Passwords are valid for 180 days and must be renewed after they expire. Admins can also force a password reset for all users in the organization. Multi-factor authentication (MFA) is implemented as an additional security layer that the administrator can enable.

User provisioning and de-provisioning

The combination of all roles assigned to a role group defines everything that a member of that group can manage in their organization. For example, when you hire a new employee for your helpdesk staff, you simply add them to the Help Desk role group and they are ready to go; removing that membership takes the access away again.
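As an added example (not Xink's code), the following Python models the role-group scheme described above together with the least-privilege paragraph under Infrastructure: a role group is a set of roles, a role is a set of permissions, and a user's effective permissions are the union over all their groups, with everything else denied. The role, group and permission names are constructed for the example and are not Xink's. It also includes a small least-privilege check that reports which permissions a group grants beyond what a job actually needs.

```python
from dataclasses import dataclass, field

# Constructed catalogue for this example (names are assumptions, not Xink's).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Signature Viewer": frozenset({"signature.view"}),
    "Signature Editor": frozenset({"signature.view", "signature.edit"}),
    "Campaign Manager": frozenset({"campaign.view", "campaign.edit"}),
    "User Support": frozenset({"user.view", "user.reset_password"}),
    "User Administrator": frozenset({"user.view", "user.manage", "user.reset_password"}),
}

# A role group is a named bundle of roles; its rights are the union of those roles.
GROUP_ROLES: dict[str, frozenset[str]] = {
    "Help Desk": frozenset({"Signature Viewer", "User Support"}),
    "Marketing": frozenset({"Signature Editor", "Campaign Manager"}),
    "Organization Admin": frozenset(ROLE_PERMISSIONS),
}


def group_permissions(group: str) -> frozenset[str]:
    """Union of the permissions of every role in the group."""
    granted: set[str] = set()
    for role in GROUP_ROLES[group]:
        granted |= ROLE_PERMISSIONS[role]
    return frozenset(granted)


@dataclass
class Directory:
    """Per-organization membership store: user -> set of role-group names."""
    memberships: dict[str, set[str]] = field(default_factory=dict)

    def provision(self, user: str, group: str) -> None:
        if group not in GROUP_ROLES:
            raise KeyError(f"unknown role group: {group}")
        self.memberships.setdefault(user, set()).add(group)

    def deprovision(self, user: str) -> None:
        # Dropping the memberships revokes all access at once; there is no
        # per-permission state that could be forgotten.
        self.memberships.pop(user, None)

    def effective_permissions(self, user: str) -> frozenset[str]:
        perms: set[str] = set()
        for group in self.memberships.get(user, ()):
            perms |= group_permissions(group)
        return frozenset(perms)

    def authorize(self, user: str, permission: str) -> bool:
        # Deny by default: unknown users and unknown permissions both fail closed.
        return permission in self.effective_permissions(user)


def excess_permissions(group: str, required: set[str]) -> frozenset[str]:
    """Least-privilege check: permissions the group grants beyond what the job needs."""
    return frozenset(group_permissions(group) - required)


if __name__ == "__main__":
    d = Directory()
    d.provision("new.hire@example.com", "Help Desk")
    print(sorted(d.effective_permissions("new.hire@example.com")))
    print(d.authorize("new.hire@example.com", "campaign.edit"))  # False
    print(sorted(excess_permissions("Help Desk", {"signature.view", "user.view"})))
```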

Data Control

Clients are in full control of their data. They can request removal of their data at any time, and it is removed immediately. Otherwise, data is retained for three months after account deactivation and then deleted automatically.

Operational security

Xink information security 

Xink maintains a formal information security management program with a dedicated role responsible for it. This role is charged with implementing security controls and monitoring Xink for malicious activity.

Data

Xink stores, encrypted at rest, data that could be classified as personally identifiable information (PII), such as names, organization, email addresses, and phone numbers that the client enters manually or imports via the API, together with any other information the client provides for use in email signatures.

Xink does not control what data a client chooses to include in their email signatures. It is solely the client's obligation not to include information that is not intended for use in an email signature.

Human resources

Background checks and pre-employment screening with a minimum of two references are part of our hiring process. A background check could be conducted anytime, on any employee, with or without notice, if necessary.

Physical security 

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure, and Microsoft Azure manages the security and compliance of the cloud computing infrastructure. We therefore rely on Microsoft Azure for physical security; according to Microsoft's published policies, the controls include:

  • Building security, including ID cards, biometric scanning, and other physical access controls
  • Employee background checks and strictly controlled access to the premises and physical hardware
  • Disposal procedures that are in place and compliant with ISO 27001
  • 24/7 monitoring of all data centers and secured perimeters
  • Faulty drives are demagnetized and destroyed

Uninterruptible power supply (UPS) units provide backup power for critical and essential loads in the facility in the event of an electrical failure, and generators provide backup power for the entire facility. Xink personnel do not directly access any server or networking hardware; we rely on Azure's managed services instead. Please refer to the Microsoft Azure Trust Center for how Microsoft secures its data centers.

Network security 

Xink uses Azure Virtual Network (Microsoft Azure's equivalent of a virtual private cloud) and has designed the network architecture to be secure, scalable, and easily managed using the networking services and building blocks that Microsoft Azure provides.

To ensure that only authorized traffic is allowed, only our load balancer may receive external web traffic. Each host is assigned a specific role, and network security groups define the traffic that is expected between those roles; anything else is denied.
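As an added example (not Xink's configuration), the following Python simulates how Azure network security group (NSG) rules are evaluated for the tiered layout described above: rules are processed in priority order, the first match wins, and every NSG carries Azure's default rules, including one at priority 65000 that allows all traffic between hosts inside the virtual network. The subnet addresses and rule names are assumptions for the example, and "Internet" is simplified to "any address outside the VNet". The point it makes is that "only the load balancer receives external traffic" is not enough on its own: each tier also needs an explicit deny rule, or the default allow-from-VNet rule lets any compromised host in the VNet reach the database directly.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example (addresses are assumptions, not Xink's):
#   10.0.0.0/24  gateway subnet  - the only tier that accepts traffic from the Internet
#   10.0.1.0/24  app subnet      - accepts HTTPS only from the gateway tier
#   10.0.2.0/24  db subnet       - accepts SQL only from the app tier
VNET = ipaddress.ip_network("10.0.0.0/16")
GATEWAY_SUBNET, APP_SUBNET = "10.0.0.0/24", "10.0.1.0/24"


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first; 100-4096 are user rules
    access: str            # "Allow" or "Deny"
    source: str            # CIDR, or a tag: "Internet", "VirtualNetwork", "Any"
    dest_port: str         # "443", "1433" or "*"
    protocol: str = "Tcp"  # "Tcp", "Udp" or "*"
    name: str = ""


# Azure attaches default inbound rules to every NSG. Priority 65000 allows all
# traffic between hosts in the VNet unless a user rule with a lower number denies it.
AZURE_DEFAULT_INBOUND = [
    Rule(65000, "Allow", "VirtualNetwork", "*", "*", "AllowVnetInBound"),
    Rule(65500, "Deny", "Any", "*", "*", "DenyAllInBound"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "Any":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":          # simplification: anything outside our VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(rule_source)


def evaluate_inbound(user_rules: list[Rule], src_ip: str, dest_port: int, protocol: str = "Tcp") -> Rule:
    """Return the first rule, in priority order, that matches an inbound flow (NSG semantics)."""
    for rule in sorted(list(user_rules) + AZURE_DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(dest_port)):
            continue
        if _source_matches(rule.source, src_ip):
            return rule
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


# One NSG per tier. Each ends with an explicit deny so AllowVnetInBound cannot
# let, for example, the gateway tier talk to the database directly.
GATEWAY_NSG = [Rule(100, "Allow", "Internet", "443", name="AllowHttpsFromInternet"),
               Rule(4000, "Deny", "Any", "*", "*", "DenyEverythingElse")]
APP_NSG = [Rule(100, "Allow", GATEWAY_SUBNET, "443", name="AllowHttpsFromGateway"),
           Rule(4000, "Deny", "Any", "*", "*", "DenyEverythingElse")]
DB_NSG = [Rule(100, "Allow", APP_SUBNET, "1433", name="AllowSqlFromApp"),
          Rule(4000, "Deny", "Any", "*", "*", "DenyEverythingElse")]


if __name__ == "__main__":
    # Constructed flows: an Internet client, a gateway host, and an app host.
    for nsg, src, port in ((APP_NSG, "203.0.113.7", 443), (APP_NSG, "10.0.0.5", 443),
                           (DB_NSG, "10.0.0.5", 1433), (DB_NSG, "10.0.1.9", 1433)):
        hit = evaluate_inbound(nsg, src, port)
        print(f"{src}:{port} -> {hit.access} by {hit.name} (priority {hit.priority})")
    # Same flow against a DB NSG that forgot the explicit deny: the default rule lets it through.
    print(evaluate_inbound([DB_NSG[0]], "10.0.0.5", 1433).name)  # AllowVnetInBound
```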

Microsoft Azure uses application isolation, operating system restrictions, and encrypted connections.

Risk and vulnerability management

Penetration Tests

Internal penetration tests are conducted monthly, and the results are available from Xink on request. Third parties are free to conduct penetration tests against our platform as long as they agree to:

  • Disclose all findings to Xink.
  • Not make findings public.

If a vulnerability is discovered or reported, we act immediately to mitigate it: we investigate and fix the vulnerability promptly and, where necessary, release an emergency patch. We prioritize the safety and security of our customers' data and treat every potential threat or vulnerability seriously.

Software development life cycle

Xink employs a suite of automated tests and manual code reviews for every change to our codebase, which is managed in the Git revision control system. Code changes are first deployed to a staging server and tested there before being pushed to production. In urgent cases, critical updates can be pushed directly to production servers, bypassing staging.

Incident response 

Xink maintains an Incident Response Plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents. The incident response procedures detail how Xink Security triages, investigates, remediates, and reports on security incidents. Under the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it; Xink informs affected customers as soon as a discovered breach is confirmed, so that they can meet this obligation as data controllers.

Business continuity plan (BCP) and disaster recovery

At Xink, we have a disaster recovery plan. Data can be restored to a point no more than two hours before an incident. In a BCP scenario, the most important task is to get affected clients back to normal business operation as quickly as possible. Because the data in the Xink database has been synchronized from data the client also holds, that data can be reloaded into the system to regenerate email signatures without difficulty.

Signature templates, campaigns, logs, and so on are restored quickly. Email signatures are usually stored locally on client devices, so a disrupted service would not affect our clients' normal business. If server-side signatures are used in Office 365, the connectors can be removed in the Office 365 tenant so that mail bypasses the Xink server until the issue has been resolved.

Data retention and disposal

Clients control access to their information as well as its retention and disposal. On request, their data is erased immediately and completely. By default, if an account is deactivated and the client no longer uses Xink and has not requested deletion, the data is automatically deleted from the Xink servers after 90 days.

Privacy, certifications and compliance

Privacy Policy

Please follow this link for the Xink Privacy Policy.

Certifications and compliance

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Please refer to the latest relevant certifications:
Microsoft Azure ISO 27001 certificate
Microsoft Azure SOC 2 Audit Report
Microsoft Azure shared responsibility model

GDPR

Under the GDPR, “data controllers” (i.e. entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called “data processors”). Xink offers its customers, who are controllers of EU personal data, the option to enter into a robust data processing agreement under which Xink commits to process and safeguard personal data in accordance with GDPR requirements. This includes Xink’s commitment to process personal data consistent with the data controller's instructions.

DPA

To use the Xink platform, clients must sign a Data Processing Agreement designating Xink as the Data Processor and the client as the Data Controller. This agreement allows Xink to process the data provided to generate email signatures, campaigns, and related services. Client data is only stored on the Xink platform.

