Customer Data Security
We comply with GDPR, SOC 1, SOC 2, HIPAA, and FedRAMP. We try to go far beyond these standards in everything we do.
Since 2003, xAssets products have been used by Army, Navy and Air Force, and by government defense contractors, in the US, UK and Germany.
Applications have included Servicing and Maintenance, Explosives Management, ITAM and discovery, and help desk solutions.
This means our products are regularly tested to be compliant with the strictest security standards and we uphold
the same levels of governance and security in our server configurations and consulting services.
The xAssets cloud runs exclusively Windows Server 2022. Every server runs an identical configuration,
is firewalled, encrypted, and is locked down to US DoD STIG requirements with continuous monitoring.
You can read more about our hosted infrastructure here.
A PDF document covering xAssets security is here.
Customer data is protected as follows:
- Single sign-on with all major SSO providers is supported
- Customers can download a compressed backup of their data daily
- Data is encrypted at rest and in transmission
- Single tenant architecture
- Customers have full visibility, control, and ownership of their data when stored in our cloud
- If any breach occurs, we must notify you as soon as we know
- Where possible data is held only in the jurisdiction chosen by the customer
- Servers are firewalled and hardened to US DoD STIG requirements
The US Air Force granted certification in January 2018 for all xAssets Version 7 products to be used on the two main
US Air Force networks: NIPRNET and SIPRNET. This means the product is written to the highest standards and specifications and
has passed stringent tests covering all aspects of software security in a web based environment.
This means that the products are safe to use in web environments and best practices have been deployed.
xAssets goes beyond these standards. For example, we provide a means for cloud customers to save discovery credentials
directly on their network with no transmission over the web, and the product requires high-encryption SSL to function,
thus disallowing low-security communication protocols.
Our cloud platform is highly secured to STIG requirements, the standards set by the US Department of Defense (DoD).
See the Hosted Infrastructure page for details.
Data Security for hosted implementations is covered through a comprehensive Backup and Disaster Recovery Plan,
which includes backup to multiple geographically distinct sites. Server failover is implemented for all
Onsite implementations take care of their own backup and Disaster Recovery provisions. xAssets Engineers will
help guide customers through the implementation of an effective strategy as part of the deployment process.
All solutions have the option to restrict data for specific user groups. See below.
Users see just the data records and functionality they need.
User Security is implemented through the use of User Groups. Each group has specific permissions, and can
have its own dashboards, menus, queries and reports. Each user group can also have restricted access to data.
Self Service profiles can also be implemented within xAssets Applications. This allows end users access to
request assets, create and manage their own help desk calls, and manage their own assets, tasks, purchase orders,
approvals, maintenance processes and other processes configured to the customer's requirements.
The business rules within the xAssets application implement audit history recording as follows:
- Every change to an asset record is recorded in a history table
- Full asset history can be viewed from the Audit Information tab in the Asset Entry Screen
- History tables can be used in Historical Reporting such as the IMACS reports
- Changes to reference data records record data modified and user modified, on each database table
Our Track Record
- No outages since we started hosting in 2003
- No data breaches
- No data losses
- All DDoS attacks handled successfully
- No viruses
- No systems compromised in any way
All systems are patched weekly. Availability, vulnerability, firewall, logs and penetration scans run continuously