The Best Rated Email Signature Portal

Xink Security

As a SaaS company, one of the frequent questions we get from prospects and customers has to do with how secure our hosting environment is. 

At Xink we strive to build a security-awareness culture. The Xink platform is built with 'privacy-by-design' in mind, meaning that privacy and security are among our biggest concerns and focus areas. Xink is a centralized management platform for company email signatures. With Xink, your company will:

  • Enforce and achieve brand consistency through email signatures.
  • Extend email marketing campaigns to email signatures.

At Xink we believe that the data on the platform is solely your data. We never share data with a third party, nor do we use a third party to process your data.

Several processes are in place to make sure the best security practices are implemented and kept up to date. We adhere to major security frameworks (ISO, NIST, OWASP) and develop, implement, and enforce policies according to these standards. All employees are required to acknowledge and adhere to the company's policies. We have a designated Security Team to achieve this goal.

Infrastructure

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Microsoft Azure is a highly secured, state-of-the-art infrastructure trusted by millions around the world. Together with its uptime availability guarantee of 99.5% - 99.99% (according to the SLA) and its backup and recovery systems, this makes it the best choice for the Xink platform.

Microsoft Azure manages the security and compliance of the cloud computing infrastructure, and Xink manages the security and compliance of the software and data stored on Microsoft Azure infrastructure.

All access is granted strictly on a need-to-know basis according to Security Role Privileges, which means that even a database developer cannot access database information that is not relevant to his/her job.

Web servers

Clients access the Xink web portal through the website - app.xink.io. We encrypt all data, in transit and at rest. Xink requires HTTPS for all services using TLS (v1.2 or higher using non-deprecated cipher suites).

Databases

We offer different locations for our clients worldwide. There are currently five data centers available:

  • USA
  • Canada
  • United Kingdom
  • European Union
  • Australia

Databases are Azure SQL Database from Microsoft.

Data security

Encryption-at-rest
Most of the data is stored in a SQL database and some data can be cached in Azure Storage, which both belong to the data center chosen. Azure SQL Database is always running on the latest stable version of the SQL Server database engine and patched OS with 99.99% availability. SQL Database is a fully managed service that has built-in high availability, backups, and other common maintenance operations. Microsoft handles all patching and updating of the SQL and operating system code.

Data in Azure SQL Database is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
Windows and Linux virtual machines use Azure Disk Encryption, which relies on Windows BitLocker and Linux DM-Crypt to protect both operating system disks and data disks with full-volume encryption. We store passwords using a one-way, salted hash algorithm that can't be decrypted.

Encryption-in-transit
Xink requires HTTPS for all services using TLS (v1.2 or higher using non-deprecated cipher suites).
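The TLS requirement stated here and under "Web servers" (TLS 1.2 or higher, non-deprecated cipher suites) can be expressed and audited in code. The following is an added example, not Xink's configuration: it builds a client-side `ssl.SSLContext` that enforces that policy, checks the suites the context actually negotiates against a deny-list of deprecated algorithm families, and includes a connection check a customer could point at a hostname such as app.xink.io (the hostname argument is whatever the caller supplies).

```python
import socket
import ssl
from typing import Dict, List

# Added example, not Xink's server or client configuration. The deprecated-family
# markers below are an assumption about what "non-deprecated" should exclude.
DEPRECATED_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def is_deprecated_suite(name: str) -> bool:
    """True if an OpenSSL/IANA cipher suite name contains a deprecated algorithm family."""
    upper = name.upper()
    return any(marker in upper for marker in DEPRECATED_MARKERS)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and only offers AEAD suites with forward secrecy.

    TLS 1.3 suites are not affected by set_ciphers(); they are all AEAD and are kept.
    """
    ctx = ssl.create_default_context()           # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the names of suites the context would offer that fail the deprecated-family check."""
    return [c["name"] for c in ctx.get_ciphers() if is_deprecated_suite(c["name"])]


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Connect with the hardened context and report the negotiated protocol and suite.

    Not exercised offline; the handshake fails (raises ssl.SSLError) if the server
    cannot meet the policy, which is itself the result a reviewer wants to see.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return {"protocol": protocol, "cipher": cipher_name}


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version)
    print("deprecated suites offered:", audit_context(ctx))   # expected: []
```

Run `check_server("app.xink.io")` from a shell with network access to see the negotiated protocol and suite; a server that still allowed TLS 1.0/1.1 or RC4/3DES would simply fail the handshake under this context.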

Backups
Snapshots of the database are taken daily. Backups have the same protection in place as production databases.

Supplemental Diagram

We offer a variety of deployment methods, depending on your preferences:

  1. The add-in (manifest file) is excellent for Outlook on Windows/Mac and Outlook on the web (browser). It allows end-users to see their email signatures as they compose the email. In addition, they can select among multiple email signatures (shared mailbox signatures, other languages, an internal signature, etc.).
  2. The Client-side method is for Windows/Mac. It allows end-users to customize their email signature(s) in a controlled manner (for 100% flexibility – e.g. LinkedIn/Twitter profile links, ticking mobile off, selecting the manager's signature when sending on behalf of, etc.).
  3. The Server-side method is easy to set up. First, emails are re-routed through one of our Azure servers. Then, we inject the new/reply signature and return the email to the 365 tenant from which it was sent.
  4. Both the Client-side and the add-in methods allow end-users to see their email signatures as they compose their email (no risk – no re-routing of company emails).

Application security

The Xink service is a web-based software-as-a-service application. Users can access their data via a web browser, mobile application (Android and iOS), or application programming interface (API).

Xink is developed following the security best practices defined by the OWASP Foundation and keeping a Security by Design approach at all times.

Xink platform

Integrations

We support several SaaS system integrations with your Xink account. We allow admins to access their accounts via the Application Programming Interface (API). The Xink API is a RESTful interface, allowing you to programmatically update and access much of your data. All supported options:

  • Xink Developer API
  • Salesforce
  • Zendesk

Login security

Xink admins can decide the mechanism used by their users to log in to their Xink accounts. Passwords are valid for 180 days and must be renewed after expiration. Admins can also force a password reset for all users in the organization. MFA is implemented as an extra security layer that can be enabled by the administrator.

User provisioning and de-provisioning

The combination of all roles assigned to a role group defines everything that a member of that role group can manage in their organization. For example, if you hire a new employee for your helpdesk staff, you simply add the new employee to the Help Desk role group, and he/she is ready to go.
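The role-group model described above (a member's effective rights are the union of the permissions of every role assigned to their groups, and removing the membership revokes them all) is shown below as an added example; it is not Xink's code and the role and permission names are assumed for illustration, since the page names only the "Help Desk" group.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Added example, not Xink's code. Roles and permissions are assumed names;
# the page only mentions a "Help Desk" role group.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "signature-viewer": frozenset({"signature:read"}),
    "signature-editor": frozenset({"signature:read", "signature:write"}),
    "user-reset":       frozenset({"user:password-reset"}),
    "campaign-admin":   frozenset({"campaign:read", "campaign:write"}),
    "billing-admin":    frozenset({"billing:read", "billing:write"}),
}


@dataclass
class RoleGroupDirectory:
    """Role groups map to roles; users are members of groups. Access is deny-by-default."""
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)
    members: Dict[str, Set[str]] = field(default_factory=dict)   # group -> user ids

    def define_group(self, group: str, roles: Iterable[str]) -> None:
        roles = set(roles)
        unknown = roles - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.group_roles[group] = roles
        self.members.setdefault(group, set())

    def provision(self, user: str, group: str) -> None:
        """Provisioning is a single membership change, as the page describes."""
        if group not in self.group_roles:
            raise KeyError(f"no such role group: {group}")
        self.members[group].add(user)

    def deprovision(self, user: str, group: Optional[str] = None) -> None:
        """Remove a user from one group, or from every group when leaving the organization."""
        targets = [group] if group else list(self.members)
        for g in targets:
            self.members.get(g, set()).discard(user)

    def effective_permissions(self, user: str) -> FrozenSet[str]:
        """Union of the permissions of every role in every group the user belongs to."""
        perms: Set[str] = set()
        for group, users in self.members.items():
            if user in users:
                for role in self.group_roles[group]:
                    perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)


def demo() -> FrozenSet[str]:
    """Hire a helpdesk employee: one membership grants exactly the Help Desk roles' permissions."""
    d = RoleGroupDirectory()
    d.define_group("Help Desk", ["signature-viewer", "user-reset"])
    d.define_group("Marketing", ["signature-editor", "campaign-admin"])
    d.provision("new.hire@example.com", "Help Desk")
    return d.effective_permissions("new.hire@example.com")


if __name__ == "__main__":
    print(sorted(demo()))   # ['signature:read', 'user:password-reset']
```

Because `effective_permissions` is recomputed from memberships on every check, there is no cached grant to forget during de-provisioning: the moment the user leaves the group, the answer to every `is_allowed` call is `False`.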

Data Control

Clients are in full control of their data and can request the removal of data, which will be removed immediately. Otherwise, data is retained for 3 (three) months after account deactivation and then removed automatically.

Operational security

Xink information security 

Xink maintains a formal information security management program with a dedicated Security Team. This team is charged with implementing security controls and monitoring Xink for malicious activity.

Data

Xink securely (encrypted at rest) stores data that could be classified as personally identifiable information (PII) such as name, organization, email, and phone number manually entered or imported via API to Xink by the client. This includes any other information provided by the client for use in their email signature.

Xink is not in control of what data the client decides to include in their email signature. It is solely the obligation of the client not to include information that is not intended to be used in their email signature.

Human resources

Background checks and pre-employment screening with a minimum of two references are part of our hiring process. A background check could be conducted anytime, on any employee, with or without notice, if necessary.

Physical security 

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. Microsoft Azure manages the security and compliance of the cloud computing infrastructure. We entrust physical security to Microsoft Azure, and according to Microsoft policy these are some of the measures in place:

  • Building security, ID cards, biometric scanning, and other physical controls.
  • Employee background checks and strict access control to the location and physical hardware.
  • Disposal procedures are in place and compliant with ISO 27001.
  • 24/7 monitoring of all data centers and secured perimeters.
  • Faulty drives are demagnetized and destroyed.

Uninterruptible Power Supply (UPS) units provide backup power for critical and essential loads in the facility in the event of an electrical failure. Generators provide backup power for the entire facility. Xink personnel don't directly access any server or networking infrastructure; instead, we rely on Azure's services. Please refer to the Microsoft Azure Trust Center for how Microsoft secures its data centers.

Network security 

Xink uses Virtual Private Cloud from Microsoft Azure and has designed the network architecture to be secure, scalable, and easily managed using the networking services and building blocks Microsoft Azure provides.

Our production infrastructure is locked down so that only our load balancer machines are allowed to receive external web traffic. Each host is assigned a role; security groups are used to define the expected traffic between these roles.

Microsoft Azure uses application isolation, operating system restrictions, and encrypted connections.

Risk and vulnerability management

Penetration Tests

Penetration tests are conducted on a monthly basis. Test results are reviewed and discussed regularly, and the penetration testing results are available on request from Xink via a support ticket (subject to NDA). Third parties are free to conduct penetration tests on our platform as long as they agree to:

  • Disclose all findings to Xink.
  • Not make findings public.

If a vulnerability is discovered or reported, the Xink InfoSec team takes all necessary steps to mitigate the issue immediately.

Software development life cycle

Xink uses the git revision control system. Changes to Xink's code base go through a suite of automated tests and a round of manual review. When code changes pass the automated testing system, they are first pushed to a staging server where Xink employees are able to test them before an eventual push to the production servers and our customer base. Xink DevOps also has the ability to "cherry-pick" critical updates and push them immediately to production servers.

Incident response 

Xink maintains an Incident Response Plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents. These incident response procedures detail how Xink Security triages, investigates, remediates, and reports on security incidents. Under the GDPR, a breach must be reported to the local authorities within 72 hours of the breach, and customers will be informed as soon as the discovered breach is confirmed.

Business continuity plan (BCP) and disaster recovery

At Xink we have a disaster recovery plan. All data can be restored to a point up to two hours back. In a BCP scenario, the most important task is to get affected clients back to normal business operation as soon as possible. Xink holds data that has been synchronized to the Xink database, and data held by a client can be reloaded into the system to regenerate email signatures without hassle.

Signature templates, campaigns, logs etc. are restored quickly. Usually, email signatures are stored locally on client devices, so a service disruption would not affect normal business for our clients. If server-side signatures are used in Office 365, the connectors can easily be removed in the Office 365 tenant, bypassing the Xink server delay until a potential issue has been resolved.

Data retention and disposal

Clients control access to their information, as well as its retention and disposal. On request, their data will be erased immediately and completely. By default, if an account was deactivated and the client is no longer using Xink and did not request data deletion, the data will be automatically deleted from the Xink server after 90 days.

Privacy, certifications and compliance

Privacy Policy

We adhere to major current standards and follow the principles defined by OWASP, NIST, ISO 27001 and SOC 2. You can request the Information Security Policy (ISP) for full details.

Xink only stores data that is necessary for the functionality of the services provided. We never share data with a third party or use it for any purpose other than providing the service. Your data is processed by and stored on Microsoft Azure. Data that may be provided by the client and stored in Xink's Azure environment:

  • Signature images (synced from third-party services such as Azure AD, or added manually)
  • Signature text (this could include personally identifiable information (PII) such as name, organization, email, phone number or any other information provided/synced by the client for use in their email signature)
  • Links (URLs) provided in the signature
  • Mailboxes/users (synced from third-party services such as Azure AD, or added manually; this could include personally identifiable information (PII) such as name, organization, email, phone number or any other information provided/synced by the client)

Xink is not in control of what data clients decide to include in their email signatures. It is solely the obligation of the client not to include information that is not intended to be used in their email signature. Data classified as sensitive personal information (SPI) shall not be provided, as signature data is intended to be visible to the recipient of the email. The Xink platform, acting as a trusted host for this data, is built on the principles described in this document.


Certifications and compliance

Xink is a cloud-based service (SaaS) hosted on Microsoft Azure. All Microsoft Azure data centers are certified with the following standards:

  • ISO 27001, 27017, and 27018
  • SOC 1 and 2

Please refer to the latest relevant certifications:

  • Microsoft Azure ISO 27001 certificate
  • Microsoft Azure SOC 2 Audit Report
  • Microsoft Azure shared responsibility model

GDPR

Under the GDPR, "data controllers" (i.e. entities that determine the purposes and means of processing data) are required to enter into agreements with other entities that process data on their behalf (called "data processors"). Xink offers its customers who are controllers of EU personal data the option to enter into a robust data processing agreement under which Xink commits to process and safeguard personal data in accordance with GDPR requirements. This includes Xink's commitment to process personal data consistent with the instructions of the data controller.

DPA

When you as a client utilise the Xink platform, we mutually sign a Data Processing Agreement (DPA) which designates Xink as the data processor and you, the client, as the owner of the data. With this DPA you give Xink the right to process the data so that we can generate all email signatures, campaigns and all related services that you have chosen for us to handle. Your data stays only on the Xink platform.
