We maintain an active Information Security Review Board (ISRB) as a cornerstone of our security strategy. This board plays a pivotal role in fostering a culture of security throughout the organization. Regular updates on the evolving landscape of security threats, hygiene standards, and the ongoing progress of our Information Security Program are provided not only to our executive leadership but also to our executive board. This commitment ensures that our security mindset permeates the entire team, from top management to every individual within our organization.

We use AWS, MongoDB and OpenAI in US regions with multiple availability zones which ensures security of the Cloud. To Protect what is in the cloud, we follow multi-layer security policies with segregated VPCs, Private Subnets, Private Load Balancers, Security Groups and WAF (Web Access Firewall) level protection. AWS is responsible for security of the cloud and has several security and privacy certifications including SOC 2 Type II and ISO 27001. MongoDB leverage AWS as backend Infrastructure and thus covered by same security provisions. Similarly, OpenAI is also has SOC 2 Type 2, GDPR and CCA compliances.

Data Protection in Transit
XCalibrate employs robust encryption mechanisms to safeguard data in transit. Our use of industry-standard TLS (Transport Layer Security) encryption ensures that data transmitted between your devices and our platform is secure. We utilize strong TLS encryption ciphers to enhance the security of data transmission.

Secure Encryption Key Management
Encryption keys used for data protection are securely stored with restricted access. This stringent control ensures that only authorized personnel can manage encryption keys, enhancing the overall security of your data.

Advanced Encryption for Sensitive Data
Sensitive information such as passwords and refresh tokens are subject to advanced encryption protocols. This encryption not only secures data during transit but also protects it when at rest, adding an extra layer of security to your valuable information.

XCalibrate’s Access Control Mechanisms
We provide a comprehensive suite of access control mechanisms to ensure data security and regulate access effectively. Our access controls are designed following the principle of least privilege, ensuring that users have precisely the access they need and nothing more. We also maintain updated copy of onboarding and offboarding checklist to ensure access are granted and revoked at right time.

Security Event Monitoring
To continuously reinforce security, we collect and monitor security event and audit logs (Cloud Trail). This ongoing surveillance allows us to promptly detect and respond to any unusual or suspicious activities, helping to maintain the integrity and security of your data.
By implementing these stringent security measures, XCalibrate is dedicated to upholding the highest standards of data security and privacy to protect your sensitive information.

At XCalibrate, we’ve established a dedicated cross-functional team to champion the Secure Development Lifecycle (SDL) while aligning with the core principles of agile development. This team plays a pivotal role in orchestrating, communicating, refining, and developing security controls within our processes. Their primary responsibility is to ensure strict adherence to security standards and practices.

To deliver secure, high-quality products swiftly, XCalibrate seamlessly integrates various tools into our development pipeline. These tools are instrumental in conducting rigorous security testing and identifying potential vulnerabilities within source code, dependencies, and the underlying infrastructure. This proactive approach ensures that we address security concerns before our products reach our valued customers.”

XCalibrate analyses the application source code to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well.

XCalibrate leverages industry’s best practices to collect and monitor logs. These logs and stats are constantly monitored, and alerts are configured for high critical items. Log protection mechanisms are in place to ensure the integrity of the logs generated. XCalibrate also leverages various AWS Services like CloudWatch Alarms, CloudWatch Insight, CloudTrail, AWS Inspector and Grafana to give us real time insight on the application behaviours and security issues.

XCalibrate has security incident response procedures in place to be followed in the event of any security breach. These procedures include areas that cover roles and responsibilities, investigation, communication, event logging, and remediation actions to be taken.

XCalibrate leverages third parties for independent penetration tests of our applications. These have resulted in continuous updates to our products and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to keep XCalibrate as a trusted provider of application.

A customer-facing redacted executive summary is made available to customers under mutual non-disclosure agreement.

XCalibrate maintains established policies and procedures designed to standardize employee onboarding and offboarding processes, enabled by using identity and access management (IAM) solutions. Confidentiality agreements and terms of acceptable use are in place for each party respective of their classification.

In order to promote a culture that enables members of XCalibrate’s workforce to safeguard data and information in a secure manner, XCalibrate maintains a comprehensive Security Awareness Training program to address general and role-based security training.

Security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.

XCalibrate, through its Sherlock app, gathers only the minimal information required to serve each user effectively. Below is a list of the data captured as part of this process:

• Thinking preferences of users
• Organization name, user first name and last name, and organization email address
• User’s conversation with AI Coach and agreed-upon actions.
• Insights derived by users from their conversations with AI Coach
• User’s progress on the actions as part of check-ins
• Feedback survey on user actions from self, manager, and peers

We leverage the data for following purposes:

• Generate response text in chat conversation
• SOS word identification
• ROI (Productivity, Engagement and Well-being) measure calculations
• Gamification (Leader board)
• Contextualize nudges/notifications to users
• Continuous improvement of the product

No, XCalibrate will not utilize user data for marketing purposes.

No, XCalibrate will not sell data to any third party.

The Sherlock Acumen application is designed to provide organizations with valuable insights into the activities of teams using the Sherlock application. Analytics data will be shared with employers while safeguarding sensitive information. Here are examples of the data shared:

• Actions, coaching Journey and Conversations insights and traction
• Experience with Sherlock’s coaching conversations in terms of relevance, engagement etc.
• Trends & insights on tools, assessments
• Mood trends and analysis and factors influencing
• Engagement stats on time spent , weekly engagement on chats, tools and topics
• Cohort-level aggregated data on ROI (Productivity, Engagement, and Well-being), application engagement, effectiveness, moods, and outcomes.
• Whole brain thinking preferences of individual users.
• SOS Callouts (Terms like self-harm/suicide etc.)

No, the conversations between users and the app are confidential and will not be shared with employers. However, there is a mechanism for identifying SOS situations, including terms like self-harm or suicide, which will be shared with the employer’s designated point of contact in compliance with applicable laws or as permitted by law.

XCalibrate employs robust encryption mechanisms to safeguard data in transit. Our use of industry-standard TLS (Transport Layer Security) encryption ensures that data transmitted between your devices and our platform is secure. We utilize strong TLS encryption ciphers to enhance the security of data transmission. We also use additional encryption for sensitive data.

Our production systems including the Database, MongoDB and S3 buckets are currently hosted on AWS us-east-1 region.

XCalibrate follows a multi-tenant architecture and hosts data from multiple customers on its database. However, all data is logically separated using various mechanisms like entitlements, secure identifiers, and role-based access control mechanisms.

No, as of the writing of this document, we do not support integration with Organizations’ IDP.

We use BCrypt password hashing algorithm to store the password in database. This provides one way hashing algorithm and ensures that user’s original password cannot be extracted by anyone including support members of the XCalibrate

We currently have two roles for organization:

• USER_ROLE: Users with this role can only access data that belongs to them. This is protected by industry-tested frameworks like Spring Security and JWT. XCalibrate also has its custom-built entitlement layer that conforms the user in JWT token with the user in the payload.
• LEAD_ROLE: Users with this role can access cohort-level aggregated data but not user-specific data. Lead users also have access to thinking preferences of the users in the cohort they lead. Additional custom protections ensure that a lead can only view their own cohort’s data.

Yes, we are using OpenAI’s GPT models (3.5 and 4) through licensed APIs for various purposes, such as generating empathetic responses, asking thought-provoking questions, and sharing famous quotes.

No, as mentioned on OpenAI’s enterprise privacy policy page, they do not use enterprise API data for training their models. See below.

“OpenAI uses data from different places including public sources, licensed third-party data, and information created by human reviewers. We also use data from versions of ChatGPT and DALL-E for individuals. Data from ChatGPT Enterprise and the API Platform (after March 1, 2023) isn’t used for training our models.”

Yes, OpenAI has various security measures in place to protect customer data, along with certifications like SOC 2 Type 2, GDPR, and California Consumer Privacy Act. For more details, visit their website.

In addition, XCalibrate follows a least exposure policy and shares only the minimum data required for generative capability with OpenAI using licensed APIs.

Primarily, the text which user enters while having conversation with AI Coach and the actions user identify for themselves.

Data is backed up according to the RPO (Recovery Point Objective) requirements defined in the Disaster Recovery Plan:

• Sherlock app, data is backed up every 6 hours.
• Sherlock Acumen data is backed every day.

No, we don’t store password on mobile device we use combination of JWT token and Refresh Token to keep user session active.

Yes, anyone with access to iOS’s AppStore or Android’s Playstore can download the app. However, at this time, login is allowed only with an access key sent via invitation.