Prior to employment, potential candidates undergo interviews for suitability into the vacant role and a full spectrum background check. Upon employment, the candidate must read, sign, and adhere to a series of documents outlining their responsibilities for information security.

Terminated employees are removed from all systems. All access to management systems, hardware, tools and SaaS platform is revoked immediately. All assets must be returned to the company.

xMatters AUP is a set of rules that must be followed by all xMatters employees. The document focuses on the handling procedures of any asset – including data, hardware, and information systems (software) – to produce security-conscious operations for minimizing risk to people, processes, technology, and environments.

All new employees undergo information security training that covers requirements for the security, availability, and confidentiality of information.  This is then completed annually.

Strict controls apply to endpoints connected to xMatters networks especially those with access to sensitive information which is an integral part of the overall IT security framework.

Users are only provided with access to the network, systems, applications, and network services that they have been specifically authorized to use. Access to the system is audited semi-annually, logged, and verified.

To further reduce the risk of unauthorized access to data, xMatters Access Control model is based on role based access control to create separation of state. There is continuous monitoring at the application and infrastructure level with all monitoring data sent to an event management system. Principles of least privilege are enforced.

xMatters employs multi-factor authentication for all access to systems with client data. Whenever possible, xMatters uses private keys for authentication, in addition to the multi-factor authentication on a separate device. Clients can also use Federated Access Control; xMatters uses Security Assertion Markup Language (SAML) version 2.0 protocol for Identity Provider (IDP) Single Sign-On (SSO).

All employees are required to use an approved password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks. To manage access to these accounts an authentication tool is used.

xMatters access control and continuous monitoring logs all database access and ships the logs to a centralized system. Administrative access, use of privileged commands, and system calls on all servers are logged and retained.

Log information is protected against tampering and unauthorized access. System administrator and system operator activities are logged, and access/change actions can be reviewed.

For corporate data, xMatters uses Intelligent Hub for monitoring policy compliance.

Servers and endpoint devices such as laptops and desktops are protected and monitored from malwares, malicious and unsafe codes or applications by deploying a set of protection tools.

Access to the office, computer room, and work area containing sensitive information are physically restricted to limit access to only authorized personnel. Employees use access cards for entering the offices and maintain a visitor log. There are surveillance cameras and security in place to monitor the buildings.

Physical Security Audits are conducted annually.

xMatters Cloud Based Software as a Service (SaaS) application is coded using Secure Software Development Life Cycle (SSDLC). Security is a part of the Requirements, Architecture, Design, Development, Testing, and Deployment. The Open Web Application Security Project (OWASP) recommendations are used in regard to the Top Ten most common vulnerabilities. The Code is analyzed by Quality Control and an automated tool as well, there are tests conducted for the OWASP Top Ten using internal tools and external Vulnerability Scanning and Penetration Testing.

xMatters has established policies and procedures that specify that client data is not stored on portable devices. All devices that are used to support clients are protected by cryptographic controls.  xMatters has any media which has stored or processed data, destroyed after being decommissioned. This media sanitization practice is in accordance to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 Guidelines.