Security Overview

INTRODUCTION

As part of our commitment to privacy in the school environment, XACROS has been recognized for its strong and secure services. To meet quality-program guidelines as well as our own rigorous standards, XACROS employs two kinds of security features: those that are user-facing, and those that are embedded in the service. Users can receive messages via text message, smartphone app, or email, but contact information such as phone numbers and email addresses stays private: XACROS relays messages through third-party phone numbers so that users never have to share their own. We have also adopted advanced cloud computing practices and strict internal policies to ensure the integrity of the data we manage.

“I see a lot more communication now because of XACROS. Teachers don’t have to worry about giving out their emails or contacts to any random parent.”
– Asha Nalubwama, principal at BBMB Academy.

XACROS’ approach to security is guided by three principles:
  • Control - Users own their data and control their experiences.
  • Collaboration - We actively work with our users to keep the XACROS community safe.
  • Commitment - XACROS consistently audits, tests, improves, and shares our practices to protect personal information.
This writeup provides a current overview of the policies and practices that comprise our security approach. Along with the practices outlined below, XACROS works with administrators, third-party auditors, penetration testing firms, and policy advisors to continually strengthen our investments across all aspects of security.





OVERVIEW

Educators and families trust XACROS with relevant, important and sensitive information.
Our security approach consists of five critical components that allow us to maintain data security and integrity for entry, transfer, storage, and access.

  1. Corporate governance
  2. Physical security
  3. Environmental security
  4. Software security
  5. Regulatory compliance

“XACROS has paved the way for other technology resources in the classroom and fostered high grade improvement due to increased parent involvement.”
– McClean Choice, teacher at Montessori Schools

  1. Corporate Governance
  XACROS works with industry-leading auditors to review and guide our policies and procedures, including our compliance with Uganda’s Data Protection and Privacy Act, 2019 and the EU’s General Data Protection Regulation (GDPR). All XACROS employees and contractors sign agreements that require them to preserve and protect the confidentiality of sensitive information they may access while doing their jobs.
    • All XACROS employees undergo mandatory background checks.
    • All employees receive regular privacy and security training.
    • Employees are required to enable two-factor authentication (TFA) on every internal and external service where it is available and practical.
    • All computers and mobile devices issued by XACROS, as well as any software that runs on those machines, are password-protected and encrypted where possible.

  2. Physical Security
  XACROS strictly controls physical access to user information.
    • All XACROS premises are secured with locks and keycard entry.
    • All work computers and laptops provided to XACROS personnel have encrypted disks.
    • Personally identifiable information is not stored on-site; it is held in cloud-based storage.

  3. Environmental Security
  XACROS hosts and operates its databases on Amazon Web Services (AWS), using virtual private servers (VPS) and other third-party services within the AWS environment. These are industry-leading cloud service platforms that provide nondescript facilities, professional security staff, controlled access, video surveillance, intrusion detection, and other security features. All data is isolated from outside connections, and access is limited to select members of the current XACROS team.
    • XACROS stores its data within a secured cloud region.
    • XACROS’ main database and all backups are encrypted at rest.
    • The AWS cloud infrastructure has been designed and managed in compliance with regulations, standards, and best practices, including HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP, DIACAP and FISMA, ITAR, FIPS 140-2, CSA, and MPAA.

  4. Software Security
  XACROS’ infrastructure is built on industry-tested technology and security practices.
    • XACROS uses encryption, firewall, and network security software.
    • All XACROS clients communicate with our servers over TLS.
    • XACROS uses single sign-on (SSO) and two-factor authentication (TFA).
    • XACROS runs periodic penetration tests, then logs and resolves discovered issues.
    • XACROS has a host-based intrusion detection system to detect unauthorized access to production hosts.
    • Low-level auditing software runs on all systems to record potentially malicious actions.
    • Logging into confidential parts of company systems requires time-limited SSH keys issued to authorized users. All SSH requests are logged for auditing.
    • Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.
    • Any VPN access to XACROS systems requires SSO and TFA. VPN access is required for many services, including remote access (through SSH) to production servers and management tools.
    XACROS’ designated System Security Team (SST) is responsible for handling the response to data breaches.
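The SSH, VPN and audit-logging bullets above list the controls but not how the centralized logs are checked against them. The following Python is an added example and not XACROS code: it parses constructed sshd login lines (shaped like OpenSSH's "Accepted ..." auth-log entries) and flags logins that break an assumed policy of certificate-only public-key authentication from a trusted internal CA, certificate lifetimes capped at eight hours, and source addresses inside the VPN range. The VPN range, CA fingerprint, serials, issuance ledger and log lines are all constructed for the example.

```python
"""Review centralized sshd audit logs against a short-lived-SSH-certificate policy.

Added example, not XACROS code. Every constant below is an assumption made for
the demonstration; the log lines are constructed and follow the shape of
OpenSSH's "Accepted ..." auth-log entries for certificate-based logins.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

VPN_NET = ipaddress.ip_network("10.8.0.0/16")   # assumed VPN address pool
TRUSTED_CA_FP = "SHA256:cafp0001"                # assumed internal SSH CA fingerprint
MAX_CERT_LIFETIME = timedelta(hours=8)           # assumed issuance policy

# Constructed issuance ledger, as an (assumed) CA signing service would record it:
# serial -> (valid_after, valid_before), UTC.
ISSUANCE_LEDGER = {
    101: ("2024-06-03T08:30:00Z", "2024-06-03T16:30:00Z"),   # 8h: within policy
    102: ("2024-06-03T08:00:00Z", "2024-06-04T08:00:00Z"),   # 24h: exceeds policy
}

# Constructed sample log lines (syslog-style prefix + sshd message).
SAMPLE_LOG = """\
2024-06-03T09:01:12Z prod-db-1 sshd[2231]: Accepted publickey for deploy from 10.8.3.21 port 51022 ssh2: ED25519-CERT SHA256:k1 ID alice@xacros (serial 101) CA ED25519 SHA256:cafp0001
2024-06-03T09:07:45Z prod-db-1 sshd[2290]: Accepted publickey for deploy from 10.8.3.21 port 51100 ssh2: ED25519 SHA256:rawkey
2024-06-03T09:15:02Z prod-db-1 sshd[2344]: Accepted password for root from 203.0.113.7 port 40100 ssh2
2024-06-03T10:30:00Z prod-db-1 sshd[2410]: Accepted publickey for deploy from 10.8.3.22 port 51200 ssh2: ED25519-CERT SHA256:k2 ID bob@xacros (serial 102) CA ED25519 SHA256:cafp0001
2024-06-03T11:00:00Z prod-db-1 sshd[2455]: Accepted publickey for deploy from 198.51.100.9 port 51300 ssh2: ED25519-CERT SHA256:k3 ID carol@xacros (serial 103) CA ED25519 SHA256:othercafp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<detail>.*))?$"
)
# Certificate detail: "<type>-CERT <fp> ID <keyid> (serial <n>) CA <type> <cafp>"
CERT_RE = re.compile(
    r"^(?P<keytype>[\w-]+)-CERT (?P<fp>\S+) ID (?P<keyid>\S+) \(serial (?P<serial>\d+)\) "
    r"CA (?P<catype>\S+) (?P<cafp>\S+)$"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_login(line, ledger=ISSUANCE_LEDGER):
    """Return the policy violations for one 'Accepted' line ([] when the login is clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    if ipaddress.ip_address(m["ip"]) not in VPN_NET:
        reasons.append(f"source {m['ip']} outside VPN range {VPN_NET}")
    if m["method"] != "publickey":
        reasons.append(f"{m['method']} authentication is not allowed")
        return reasons
    cert = CERT_RE.match(m["detail"] or "")
    if not cert:
        reasons.append("plain public key used instead of a CA-issued certificate")
        return reasons
    if cert["cafp"] != TRUSTED_CA_FP:
        reasons.append(f"certificate signed by untrusted CA {cert['cafp']}")
    serial = int(cert["serial"])
    if serial not in ledger:
        reasons.append(f"serial {serial} not in issuance ledger")
    else:
        valid_after, valid_before = map(_ts, ledger[serial])
        lifetime = valid_before - valid_after
        if lifetime > MAX_CERT_LIFETIME:
            reasons.append(f"serial {serial} issued for {lifetime}, exceeds {MAX_CERT_LIFETIME}")
        if not valid_after <= _ts(m["ts"]) < valid_before:
            reasons.append(f"serial {serial} used at {m['ts']} outside its validity window")
    return reasons


def review(log_text, ledger=ISSUANCE_LEDGER):
    """Review every line; return [(line_no, user, ip, reasons)] for violating logins only."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = review_login(line, ledger)
        if reasons:
            m = LINE_RE.match(line)
            findings.append((n, m["user"] if m else "?", m["ip"] if m else "?", reasons))
    return findings


if __name__ == "__main__":
    for n, user, ip, reasons in review(SAMPLE_LOG):
        print(f"line {n}: {user} from {ip}")
        for r in reasons:
            print("   -", r)
```

Only the first sample login passes: a certificate from the trusted CA, issued for eight hours, used inside its window, from a VPN address. A real review would read the issuance ledger and the trusted CA fingerprint from the CA service rather than from constants, and would run against the central log store described above instead of an inline string.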

  5. Regulatory Compliance
  XACROS works with policy advisors to ensure that our product and practices remain compliant with relevant mandates and regulations.




The Core

At XACROS, we understand the importance of protecting personal information. Our approach to security was developed to help schools remain confident in the integrity and security of their data—and focus on helping educators and families support student success.