Frequently Asked Questions on Data & Information Security

  1. What security policies, procedures, standards and guidelines does worxogo follow?
    • We are ISO 27001:2013 certified. Our Cloud Services Providers – Amazon Web Services and Microsoft Azure are SOC 1 and SOC 2 Compliant.
  2. Which is the cloud service platform (CSP) on which worxogo applications are deployed?
    • All worxogo applications are deployed on the Amazon Web Services (AWS) and Azure cloud service platform.
  3. What type of application is the worxogo platform?
    • Mia is delivered as a Software-as-a-Service (SaaS) application for field sales, inside sales and back office.
    • As a “Responsive Web Application”, Mia can be rendered seamlessly across multiple devices – PCs, Tablets, Mobile Phones.
  4. Where are the AWS and Azure servers located?
    • The AWS servers are located in Singapore/Mumbai for all worxogo deployments.
    • All Azure servers are located in the South East Asia region.
    • However, based on specific client needs, the physical location of the AWS server can be moved to a specific jurisdictional area.
  5. How many clients are deployed on a single server?
    • All client deployments are done on a single tenant basis on AWS or Azure instances. Hence customers’ data is segregated.
  6. How often does worxogo update its servers?
    • worxogo runs monthly Vulnerability Assessment and Penetration Tests (VAPT) every month and performs patch upgrades accordingly.
    • We also run periodic Web Application Security Assessments (WASA) by third party service providers to take an independent assessment of our security posture.
  7. Who does the data extract from Client Systems?
    • The client IT team does the data extract from their systems on the basis of inputs provided by the worxogo team.
    • In the absence of the IT team, the business team may provide spreadsheets of the relevant data.
    • The data elements that are required on the worxogo platform are mutually agreed upon between worxogo and client teams.
  8. From where does the data get picked up for transmitting into worxogo?
    • Data can be picked up from the underlying transaction processing systems and delivered to Secure File Transfer Protocol (SFTP) servers.
    • Data is always picked up in batch mode. No online, real-time interfaces are built from the worxogo platforms to any legacy systems that exist in the customer landscape.
    • Data is placed in the appropriate SFTP storage areas provided in the customer landscape by the customer IT or Business team and the automated integration runs from worxogo pick up these files.
  9. Who is responsible for extracting and loading the data into the SFTP servers?
    • The client team – whether IT or Business – is responsible for extracting and loading the data into the SFTP storage areas of the client landscape.
    • worxogo will not access any client legacy system directly.
    • worxogo will only access the SFTP storage areas as specified by the client IT team or policies.
  10. Is the data transfer between the client SFTP storage area and worxogo platforms secure?
    • The SFTP protocol inherently provides a secure channel for transferring such data.
    • Additionally, worxogo provides for whitelisting of specific IP addresses which will be used for pulling data into the worxogo platforms. This arrangement enhances security compliance significantly.
    • Data transfer within worxogo systems and landscape is limited to within the worxogo Virtual Private Clouds (VPC) and done over secure channels only (secured using Secure Socket Layer [SSL]).
  11. Are there any Application Programming Interfaces (APIs) provided as part of the worxogo platform for Integration?
    • No. There are no APIs provided to any outside system as of September, 2019.
    • In case there are specific client requests, such APIs can be delivered.
  12. What does the data contain? Does it contain any customer specific information? Are transaction information records transmitted to worxogo?
    • The data contains ONLY aggregated information of the end-user (Employee, Supervisor) performance. For example, if an employee has made 10 customer calls against a target of 12 calls on a particular date, the information into worxogo will merely state the number 10 (actual calls made) and the number 12 (target calls to be made) along with the date and the employee identifier.
    • No customer specific data or information is taken into the worxogo platform.
    • No transaction information records are taken into the worxogo platform for any transaction.
  13. Who has access to the data?
    • Data is accessed by the client IT or Business Teams – depending on who is providing the data for loading into the worxogo platforms.
    • On the worxogo platforms, the users have access to only the relevant data to them. For example, a specific user belonging to the “NORTH” region, will have access only to her data. He/She cannot access data belonging to the “SOUTH” or any other region. All other dimensions that are relevant for such authorisations will apply to ensure that no user gets access to data that is not directly required by him/her. The principles of “Least Privilege” apply.
    • Developers and System Administrators at worxogo have controlled access to the data in order to facilitate system maintenance and product deployment. This access is logged.
  14. Who has access to the servers deployed by worxogo and how do they have access?
    • Developers and System Administrators have access to the servers. Such access is restricted to deployment of code (for developers) and system maintenance (for system administrators).
    • This access is controlled on a need basis and provided on a “Least Privilege” principle.
    • All access is logged so that future audit is supported.
    • All access is approved by the appropriate authority – respective product managers or the engineering manager.
    • Access to all production servers is through a Gateway Server (a.k.a Bastion Server). Server access is controlled through firewalls (AWS Security Group).
    • Public access (general user access) is only allowed through “https” protocols.
  15. What is worxogo’s data retention and backup policy?
    • worxogo retains data for a period of 38 months. This data can be deleted at the client’s request at the end of the contract.
    • worxogo does a backup of data twice a day by taking a complete snapshot of the drive.