Last updated: March 18, 2016
This Security Policy is part of the General Terms of Service ("TOS"), a Legally Binding Agreement.
Ensuring Customer Data is secure and readily available is a high priority at Xola.
We maintain our Digital Properties and all associated data with technical, administrative and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification and improper disclosure. When you enter sensitive information (such as a credit card number) in our Digital Properties, we encrypt the transmission of that information using industry-standard encryption methods. No computer system or information can, however, ever be fully protected against every possible hazard. Xola is committed to providing reasonable and appropriate security controls to protect our Services, Associated Websites, and information against foreseeable hazards. If you have any questions about Xola security, you can contact us at email@example.com.
This Security Policy contains defined terms, which are defined in Article 1 of the TOS or elsewhere in the TOS. Please refer to these defined terms in reviewing this Security Policy.
By accessing, viewing or using all or any part of the our Digital Properties by, for example, downloading any materials, or by completing any registration process via the Associated Websites, you are accepting the terms and conditions of this Security Policy and the entire Contract.
If you are agreeing to this Security Policy and Contract on behalf of a corporation or other legal entity, you represent that you have the authority to bind such entity and its affiliates to the Contract. If you do not have such authority you must not enter into this Contract and may not use any of our Services or content.
If you do not agree with this Security Policy or any portion of the Contract, you have not accepted the Contract and you may not use any of our Digital Properties or content.
Having considered the above Preliminary Matters and mutual agreements below, the Parties hereby agree as follows:
Cardholder Data Recommended Practices
At a minimum, Subscriber should implement the practices set forth below:
Subscriber should do the following:
- Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious.
- Restrict permission to install software on those computers to Subscriber's business owner and/or trusted senior staff.
- Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and web browsers (e.g., Internet Explorer, Safari or Firefox), with all security updates and patches installed.
- Ensure that every individual that logs into the Services has a unique username and password that is known only by that individual.
- Only store credit card account numbers in encrypted credit card fields designed for that purpose.
- Destroy any hard copy documents that have Cardholder Data written on them.
Subscriber should not do the following:
- Share the Subscriber's account or password;
- Record Cardholder Data in notes, contact logs, or other unencrypted text fields within the Digital Properties;
- Record Cardholder Data in any locally installed software program, unless that program and Subscriber's computer network meet all PCI requirements; or
- Email End User's credit card numbers, ask End Users to email credit card numbers to Subscriber, or record credit card track data.
At a minimum, Subscriber should implement the practices set forth below:
- Location and Backup. All Subscriber Data is located on secure servers, or backup directories that require access authentication.
- Firewalls. All secure servers are protected by multiple, redundant firewalls and intrusion detection and prevention systems that are regularly monitored and tested (details of firewall configuration are not shared publicly for maximum security).
- SSL Encryption. 2048-bit Secure Socket Layer Certificates with 256-bit encryption is employed to protect all data access across the Internet.
- Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV), delivers accurate vulnerability scanning and actionable reporting, that enables Xola to quickly rank risks and gauge compliance against PCI-DSS Standards. Daily Vulnerability Assessments monitor the Xola network perimeter against daily threats to help protect Xola and our customers from hackers, data breaches, adware, spyware, pop-ups, browser exploits, and phishing attempts.
PCI-DSS. Xola complies with the PCI DSS standards. We are dedicated to the six (6) PCI DSS best security practices for credit card protection, which include, but are not limited to:
- Maintaining a secure network;
- Protecting the Cardholder Data;
- Maintaining a Vulnerability Management Program;
- Implementing strong access control measures;
- Monitoring and testing production and development networks; and
- Maintaining an Information Security Program and policies.
- We recommend you adopt PCI DSS. Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (PCI DSS), which outlines credit card processing merchants' responsibilities for the protection of Cardholder Data. We strongly recommend you follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply: https://www.pcisecuritystandards.org/.
- Responsibility for Cardholder Data. If Subscriber uses the optional Integrated Merchant Account service to process payments, Xola is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by Xola's server(s). Subscriber remains responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by Xola's server(s).
Data Center SSAE 16 Type II and Type III Compliance
Xola hosts Subscriber Data at multiple secure and redundant data centers in geographically diverse locations. Each data center is secured and monitored 24x7x365 by a staff of highly trained data center facility experts. The primary data center features:
- A Zone 4 earthquake-rated reinforced structure;
- Multiple redundant, enterprise switching hardware at every stage;
- A monitoring system providing real-time data on equipment operation, enabling instant identification of problems;
- Multiple paralleled N+1 UPS modules configured in redundant systems allow for A/B power configuration;
- 20 megawatts of expandable N+1 power backup utilizing generators;
- A Very Early Smoke Detection Alarm (VESDA) early smoke detection with pre-action dry pipe fire suppression systems;
- Multiple fiber route entrances to structures;
- Access control systems leveraging a biometric scan and personal identification number (PIN), with separate locks for all Xola server cabinets; and
- The backup data center features the same facility specifications as the primary data center. The backup data center receives a backup of subscriber data at least once per 24-hour period.
Physical and Personnel Security
- Physical Security Measures. Physical access to the primary data center and the backup data center is restricted by 24x7x365 on-site security and Network Operations Center staff. The facility is controlled by alarm systems with cameras on perimeter points of the building along with video and camera surveillance within the facility. Multi-level access authorization with man trap, biometric verification and security controlled access level assignments are used.
Personnel Security Measures.
- Background Checks and NDA Agreements. Our technical or management personnel with access to Subscriber Data are subjected to background checks prior to hiring, and must sign non-disclosure and data security agreements that protect both Xola and Subscriber Data.
- Transfer Restrictions. Our personnel are not permitted to transfer Subscriber Data onto any hard drive, flash drive, mobile device, or other storage device, except those contained within either the primary data center or backup data center. Subscriber Data is not transferred to Xola corporate workstations.
Changes to this Security Policy
Xola reserves the right to change this Security Policy. Xola will provide notification of the material changes to this Security Policy through a notification on the Associated Websites or via email at least thirty (30) business days prior to the change taking effect.
Attn: IT Security
67 Langton Street
San Francisco, CA 94103