As part of our commitment to privacy in the school environment, XACROS has obtained attribution for its strong, firm and secure services. To meet quality program guidelines as well as our own rigorous standards, XACROS employs two kinds of security features: those that are user-facing, and those that are embedded in the service.
Users can receive messages via text message, smartphone app, or email, but contact information like phone numbers and email addresses stays private. Instead, XACROS uses third-party phone numbers to protect users’ privacy. We’ve also adopted advanced cloud computing practices and strict internal policies to ensure the integrity of the data we manage.
“I see a lot more communication now because of XACROS. Teachers don’t have to worry about giving out their emails or contacts to any random parent.”
– Asha Nalubwama, principal at BBMB Academy.
XACROS’ approach to security is guided by three principles:
- Control - Users own their data and control their experiences.
- Collaboration - We actively work with our users to keep the XACROS community safe.
- Commitment - XACROS consistently audits, tests, improves, and shares our practices to protect personal information.
Educators and families trust XACROS with relevant, important and sensitive information.
Our security approach consists of five critical components that allow us to maintain data security and integrity for entry, transfer, storage, and access.
- Corporate governance
- Physical security
- Environmental security
- Software security
- Regulatory compliance
“XACROS has paved the way for other technology resources in the classroom and fostered high grade improvement due to increased parent involvement.”
– McClean Choice, teacher at Montessori Schools
- Corporate Governance - XACROS checks with industry-leading auditors to review and guide our policies and procedures, including Uganda’s Data Protection and Privacy Act, 2019 and EU’s General Data Protection Regulation (GDPR) law. All XACROS employees and contractors sign agreements that require them to preserve and protect the confidentiality of sensitive information they may access while doing their jobs.
- All XACROS employees are scrutinized by mandatory background checks.
- All employees receive privacy and security training frequently.
- Employees are required to enable Two-Factor Authentication in every internal and external service where TFA is made available and practical.
- All computers and mobile devices issued by XACROS, as well as any software that runs on those machines, are password-protected and encrypted where possible.
- All XACROS premises require tight security locks and keycard entry.
- All work computers and laptops provided to XACROS personnel have encrypted disks.
- The on-site storage of personally identifiable information (cloud-based storage) is not required.
- XACROS stores its data within a VPS region that is secure.
- XACROS’ main database and all backups are encrypted at rest.
- The AWS cloud infrastructure has been designed and managed in compliance with regulations, standards, and best practices, including HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP, DIACAP and FISMA, ITAR, FIPS 140-2, CSA, and MPAA.
- XACROS uses encryption, firewall, and network security software.
- All XACROS clients use TLS/SSL when communicating with our servers.
- XACROS uses single sign-on (SSO) and two-factor authentication (TFA).
- XACROS runs periodic penetration tests, then logs and resolves discovered issues.
- XACROS has a host-based intrusion detection system to detect unauthorized access to production hosts.
- Low-level auditing software is run on all systems to record potentially malicious actions that may take place.
- Logging into confidential parts of company systems requires time-limited SSH keys generated by classified users. All SSH requests are logged for auditing.
- Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.
- Any VPN access to XACROS systems requires SSO and TFA. VPN access is required for many services, including remote access (through SSH) to production servers and management tools.
- XACROS meets Uganda’s Computer Misuse Act, 2011, and The Data Protection and Privacy Act, 2019 legislative requirements.
- XACROS helps schools and other end users comply with the federal FERPA regulations and EU’s GDPR law.
At XACROS, we understand the importance of protecting personal information. Our approach to security was developed to help schools remain confident in the integrity and security of their data—and focus on helping educators and families support student success.