
Security Policy

At Elxo, the security of your data is of utmost importance to us. We do everything in our power to keep data safe and secure 24/7/365.

Elxo Governance 

Elxo’s security team establishes policies and controls to allow the monitoring of data and our systems. We use certified automated systems that apply these policies to continuously monitor our systems and prove our security and compliance to third-party auditors.

Our policies are based on the following guiding principles.

  1. Data access is set to give the minimum privilege to support a legitimate business requirement.
  2. The security controls are designed and implemented to be layered according to the principle of defense-in-depth.
  3. Controls are applied consistently across all systems and areas of the business.
  4. We shall constantly develop to be more mature in security and effectiveness, with increased transparency and improved knowledge of security.
  5. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction. 

Data protection 

Wherever possible, Elxo supports the process of full de-identification of data in all environments. In addition to this requirement, we also implement the following: 

Data at rest 

All datastores with customer data are encrypted at rest. Sensitive collections and tables also use row-level encryption.

This means the data is encrypted even before it hits the database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information. 

Data in transit 

Elxo uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by Azure. 

Secret management 

Encryption keys are managed via Azure Key Vault. This system stores key material and other passwords and prevents direct access by any individuals, including employees of Microsoft and Elxo. The keys stored in the Azure Key Vault are used for encryption and decryption via Azure APIs.

Vendor security

Elxo uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include: 

  • How the vendor would need to use customer data 
  • How the vendor would integrate into a production environment 
  • How the vendor could impact the Elxo brand. 

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.

Security education

Elxo provides comprehensive security training to all employees and contractors. On starting to work with Elxo, these team members are required to complete relevant training, with refresher training on an annual basis.

Identity and access management 

Elxo maintains 2FA on all systems to reduce the risk of bad actors getting into Elxo systems. In addition, access to Elxo development, QA and Production environments is limited to job need and risk level. Access to all Elxo environments is tracked and monitored continuously. Elxo employees and contractors are automatically deprovisioned within 1 day of employment termination.