Privacy, Trust and Security
A secure growth oriented coaching platform
Privacy and the security of your data are our top priority. We understand how vital it is for you to trust the tools you use, especially when it comes to the safety and confidentiality of your employees’ data.
We believe in sharing the details of our security processes and policies and in being transparent about our security measures. We intend to demystify the intricacies of our security infrastructure and provide our clients with the knowledge they need to trust in the safety and integrity of their employees’ data.
The purpose of this page is to give you a clear and thorough understanding of the security processes and policies we have put in place for our applications.
We place the utmost emphasis on security and privacy, considering them fundamental pillars that underpin our commitment to establishing and reinforcing customer confidence.
Keeping your data secure and private is a top priority at XCalibrate. We follow global security and privacy principles in the design of our products that safeguard your data.
XCalibrate uses secure coding standards and practices that support the principles of agile development.
Monitoring mechanisms and response procedures are managed to enable awareness and resilience in the face of security threats.
Independent penetration testing is conducted to enable the identification and mitigation of vulnerabilities.
Processes and policies are in place to ensure the security of our personnel throughout their XCalibrate journey.
The purpose of this page is to give you a clear and thorough understanding of the security processes and policies we have put in place for our applications. We understand how vital it is for you to trust the tools you use, especially when it comes to the safety and confidentiality of your employees’ data. That is why we have detailed our security processes and policies for you: by being transparent about these measures, we aim to demystify the intricacies of our security infrastructure and provide our clients with the knowledge they need to trust in the safety and integrity of their employees’ data.
Commitment to Providing Enterprise-Grade Security
We maintain an active Information Security Review Board (ISRB) as a cornerstone of our security strategy. This board plays a pivotal role in fostering a culture of security throughout the organization. Regular updates on the evolving landscape of security threats, hygiene standards, and the ongoing progress of our Information Security Program are provided not only to our executive leadership but also to our executive board. This commitment ensures that our security mindset permeates the entire team, from top management to every individual within our organization.
We use AWS, MongoDB and OpenAI in US regions with multiple availability zones, which ensures the security of the cloud. To protect what is in the cloud, we follow multi-layer security policies with segregated VPCs, private subnets, private load balancers, security groups and WAF (Web Application Firewall) protection. AWS is responsible for the security of the cloud and holds several security and privacy certifications, including SOC 2 Type II and ISO 27001. MongoDB uses AWS as its backend infrastructure and is therefore covered by the same security provisions. Similarly, OpenAI holds SOC 2 Type 2, GDPR and CCPA compliance.
Our foremost commitment is safeguarding your company’s and employees’ data. We work diligently every day to build and maintain our customers’ trust, adhering to global standards for privacy, security, and confidentiality. Our ongoing efforts are focused on enhancing our industry certifications and achieving robust accreditations. In that regard, we are actively working towards compliance with the California Consumer Privacy Act, SOC 2, and GDPR.
We maintain a comprehensive suite of information security policies as given below. These policies are regularly reviewed, updated, and approved on a predefined schedule.
- Xcalibrate HR Security Policy
- Xcalibrate Access Policy
- Security Management Policy
- Secure Coding Practice
- Xcalibrate Information Security Policy
- Xcalibrate Incident Response Policy
- Disaster Recovery Policy
- Xcalibrate Change Management Policy
Data Security and Privacy Measures
Data Protection in Transit
XCalibrate employs robust encryption mechanisms to safeguard data in transit. Our use of industry-standard TLS (Transport Layer Security) encryption ensures that data transmitted between your devices and our platform is secure. We utilize strong TLS encryption ciphers to enhance the security of data transmission.
Secure Encryption Key Management
Encryption keys used for data protection are securely stored with restricted access. This stringent control ensures that only authorized personnel can manage encryption keys, enhancing the overall security of your data.
Advanced Encryption for Sensitive Data
Sensitive information such as passwords and refresh tokens is subject to advanced encryption protocols. This encryption not only secures data during transit but also protects it at rest, adding an extra layer of security to your valuable information.
XCalibrate’s Access Control Mechanisms
We provide a comprehensive suite of access control mechanisms to ensure data security and regulate access effectively. Our access controls are designed following the principle of least privilege, ensuring that users have precisely the access they need and nothing more. We also maintain up-to-date onboarding and offboarding checklists to ensure that access is granted and revoked at the right time.
Security Event Monitoring
To continuously reinforce security, we collect and monitor security event and audit logs (AWS CloudTrail). This ongoing surveillance allows us to promptly detect and respond to any unusual or suspicious activity, helping to maintain the integrity and security of your data.
By implementing these stringent security measures, XCalibrate is dedicated to upholding the highest standards of data security and privacy to protect your sensitive information.
The XCalibrate platform is built on isolated, private networks using security groups and firewalls within virtual private clouds (VPC). All inbound and internal traffic is restricted to specific ports across a limited group of machines. All traffic rates, sources, and types are actively monitored at various points in the network beyond ingress and firewalls. XCalibrate logically isolates customer data using framework layer entitlements and unique identifiers, which assures that access to customer data is limited to only that customer.
Customer data will be deleted upon written request. Data is retained as needed to satisfy data classification and/or external requirements.
Secure Development Lifecycle
At XCalibrate, we’ve established a dedicated cross-functional team to champion the Secure Development Lifecycle (SDL) while aligning with the core principles of agile development. This team plays a pivotal role in orchestrating, communicating, refining, and developing security controls within our processes. Their primary responsibility is to ensure strict adherence to security standards and practices.
To deliver secure, high-quality products swiftly, XCalibrate integrates various tools into our development pipeline. These tools are instrumental in conducting rigorous security testing and identifying potential vulnerabilities within source code, dependencies, and the underlying infrastructure. This proactive approach ensures that we address security concerns before our products reach our valued customers.
XCalibrate analyses the application source code to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well.
XCalibrate conducts regular API security testing on our platform. This proactive approach enables us to detect and address bugs, common exploits, security vulnerabilities, and issues early in the development process. By integrating this practice into our development lifecycle, XCalibrate enhances the quality and security of our platform to benefit our customers.
XCalibrate leverages AWS Inspector to perform vulnerability assessment on all container images to detect any vulnerable software running on a given container. Strict scoring criteria prevent the shipment of a vulnerable container until it is resolved by Engineering teams.
In alignment with industry best practices, XCalibrate has developed a baseline of source code control standards to provide proper hygiene around the code repositories supporting our platform. Standards enforced automatically include role-based access control, least privilege, repository ownership, branch protection rules, and centralized secrets management.
Security Monitoring & Response
XCalibrate follows industry best practices to collect and monitor logs. These logs and statistics are constantly monitored, and alerts are configured for high-criticality items. Log protection mechanisms are in place to ensure the integrity of the logs generated. XCalibrate also uses various AWS services such as CloudWatch Alarms, CloudWatch Insights, CloudTrail and AWS Inspector, together with Grafana, to give us real-time insight into application behaviour and security issues.
XCalibrate has security incident response procedures in place to be followed in the event of any security breach. These procedures include areas that cover roles and responsibilities, investigation, communication, event logging, and remediation actions to be taken.
Availability of data is protected through use of data replication and backup services provided by AWS and MongoDB. Data backups are captured on a periodic basis according to a defined schedule. Backups are stored across multiple high availability zones. XCalibrate leverages automated scaling to replace failed instances and scale up/down as per the resource utilization.
Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore testing exercises are completed annually employing methodologies based on best practices and various scenarios. Test results enable XCalibrate to verify the integrity of backup data and assurance in achieving recovery point and time objectives (RPO/RTO).
XCalibrate engages third parties for independent penetration tests of our applications. These have resulted in continuous updates to our products and processes to improve security and reliability. These assessments are part of our ongoing compliance and security requirements to keep XCalibrate a trusted application provider.
A customer-facing redacted executive summary is made available to customers under mutual non-disclosure agreement.
XCalibrate maintains established policies and procedures designed to standardize employee onboarding and offboarding processes, enabled by identity and access management (IAM) solutions. Confidentiality agreements and acceptable use terms are in place for each party according to their classification.
In order to promote a culture that enables members of XCalibrate’s workforce to safeguard data and information in a secure manner, XCalibrate maintains a comprehensive Security Awareness Training program to address general and role-based security training.
Security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.
XCalibrate, through its Sherlock app, gathers only the minimal information required to serve each user effectively. Below is a list of the data captured as part of this process:
- Thinking preferences of users
- Organization name, user first name and last name, and organization email address
- User’s conversation with AI Coach and agreed-upon actions.
- Insights derived by users from their conversations with AI Coach
- User’s progress on the actions as part of check-ins
- Feedback survey on user actions from self, manager, and peers
We use the data for the following purposes:
- Generate response text in chat conversation
- SOS word identification
- ROI (Productivity, Engagement and Well-being) measure calculations
- Gamification (Leader board)
- Contextualize nudges/notifications to users
- Continuous improvement of the product
No, XCalibrate will not utilize user data for marketing purposes.
No, XCalibrate will not sell data to any third party.
The Sherlock Acumen application is designed to provide organizations with valuable insights into the activities of teams using the Sherlock application. Analytics data will be shared with employers while safeguarding sensitive information. Here are examples of the data shared:
- Actions, coaching Journey and Conversations insights and traction
- Experience with Sherlock’s coaching conversations in terms of relevance, engagement etc.
- Trends & insights on tools, assessments
- Mood trends and analysis, and the factors influencing them
- Engagement statistics on time spent, weekly engagement on chats, tools and topics
- Cohort-level aggregated data on ROI (Productivity, Engagement, and Well-being), application engagement, effectiveness, moods, and outcomes.
- Whole brain thinking preferences of individual users.
- SOS Callouts (Terms like self-harm/suicide etc.)
Can an employer/organization access user-specific data and tie information back to a specific person?
No, the conversations between users and the app are confidential and will not be shared with employers. However, there is a mechanism for identifying SOS situations, including terms like self-harm or suicide, which will be shared with the employer’s designated point of contact in compliance with applicable laws or as permitted by law.
XCalibrate employs robust encryption mechanisms to safeguard data in transit. Our use of industry-standard TLS (Transport Layer Security) encryption ensures that data transmitted between your devices and our platform is secure. We utilize strong TLS encryption ciphers to enhance the security of data transmission. We also use additional encryption for sensitive data.
Our production systems, including the MongoDB database and S3 buckets, are currently hosted in the AWS us-east-1 region.
XCalibrate follows a multi-tenant architecture and hosts data from multiple customers on its database. However, all data is logically separated using various mechanisms like entitlements, secure identifiers, and role-based access control mechanisms.
No, as of the writing of this document, we do not support integration with organizations’ IdPs.
We use the BCrypt password hashing algorithm to store passwords in the database. This is a one-way hashing algorithm and ensures that a user’s original password cannot be extracted by anyone, including XCalibrate support members.
We currently have two roles for an organization:
- USER_ROLE: Users with this role can only access data that belongs to them. This is protected by industry-tested frameworks such as Spring Security and JWT. XCalibrate also has a custom-built entitlement layer that checks that the user in the JWT matches the user in the request payload.
- LEAD_ROLE: Users with this role can access cohort-level aggregated data but not user-specific data. Lead users also have access to thinking preferences of the users in the cohort they lead. Additional custom protections ensure that a lead can only view their own cohort’s data.
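As an added illustration of the two roles above, here is a deny-by-default entitlement check that conforms the request payload to already-verified JWT claims. This is not XCalibrate’s code: the role names come from the page, while the resource names, the cohort membership table and the request fields are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Role names are from the page; every other name and value here is constructed.
USER_ROLE = "USER_ROLE"
LEAD_ROLE = "LEAD_ROLE"

# Constructed cohort membership table standing in for the real directory.
COHORT_MEMBERS = {"cohort-a": {"u1", "u2"}, "cohort-b": {"u3"}}

# Per-user resources (need a user_id) vs. cohort-level aggregates (need cohort_id).
PER_USER = {"conversation", "actions", "thinking_preferences"}
AGGREGATE = {"cohort_aggregate"}


@dataclass(frozen=True)
class Claims:
    """Claims from a JWT whose signature and expiry were already verified upstream."""
    sub: str                              # authenticated user id
    role: str
    leads_cohort: Optional[str] = None    # set only for LEAD_ROLE


@dataclass(frozen=True)
class Request:
    """The fields of the request payload that the entitlement layer inspects."""
    resource: str
    user_id: Optional[str] = None
    cohort_id: Optional[str] = None


def authorize(claims: Claims, req: Request) -> bool:
    """Return True only when the payload is consistent with the token's claims."""
    if claims.role == USER_ROLE:
        # A user may read only per-user records whose id equals the JWT subject.
        return req.resource in PER_USER and req.user_id == claims.sub
    if claims.role == LEAD_ROLE:
        if claims.leads_cohort is None:
            return False
        if req.resource in AGGREGATE:
            # Aggregates are visible only for the cohort this lead leads.
            return req.cohort_id == claims.leads_cohort
        if req.resource == "thinking_preferences":
            # The one per-user record a lead may see, and only for their own cohort.
            return req.user_id in COHORT_MEMBERS.get(claims.leads_cohort, set())
        return False   # conversations, actions etc. are never exposed to leads
    return False       # unknown role: deny
```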
Large Language Models
Yes, we are using OpenAI’s GPT models (3.5 and 4) through licensed APIs for various purposes, such as generating empathetic responses, asking thought-provoking questions, and sharing famous quotes.
“OpenAI uses data from different places including public sources, licensed third-party data, and information created by human reviewers. We also use data from versions of ChatGPT and DALL-E for individuals. Data from ChatGPT Enterprise and the API Platform (after March 1, 2023) isn’t used for training our models.”
Yes, OpenAI has various security measures in place to protect customer data, along with certifications like SOC 2 Type 2, GDPR, and California Consumer Privacy Act. For more details, visit their website.
In addition, XCalibrate follows a least exposure policy and shares only the minimum data required for generative capability with OpenAI using licensed APIs.
Primarily, the text users enter while conversing with the AI Coach and the actions users identify for themselves.
Business continuity management
Data is backed up according to the RPO (Recovery Point Objective) requirements defined in the Disaster Recovery Plan:
- Sherlock app data is backed up every 6 hours.
- Sherlock Acumen data is backed up every day.
Mobile Application Security
No, we do not store the password on the mobile device; we use a combination of a JWT and a refresh token to keep the user session active.
Yes, anyone with access to the iOS App Store or Android Play Store can download the app. However, at this time, login is allowed only with an access key sent via invitation.