Section 1: General Security Overview

How does XOGO ensure that it’s secure for enterprise use?

XOGO Decision Signage is built on Microsoft Azure’s Platform-as-a-Service (PaaS) and serverless architecture, leveraging Azure’s robust security infrastructure. Our closed-system design eliminates open APIs, reducing attack surfaces. Security is enhanced through encrypted communications, role-based access controls, and continuous monitoring via Azure tools.

What role does Azure play in XOGO’s security strategy?

Azure provides the backbone of XOGO’s infrastructure, delivering ISO27001-certified security, DDoS protection, and encrypted storage. XOGO inherits these best-in-class measures while implementing additional controls like strict access policies and a locked-down application ecosystem.

Why is XOGO designed as a closed system, and what are the benefits to enterprise customers?

Our closed system restricts backend access to XOGO-developed applications only, preventing third-party interference. This enhances security by minimizing vulnerabilities, ensuring a controlled environment, and simplifying compliance for customers.

How does XOGO’s size and structure enhance its security?

With a lean team of 17 people, XOGO maintains tight control over operations. All development is done in-house (except for Azure reliance), reducing third-party risks. Our small, senior team ensures accountability and rapid response to security concerns.

What makes XOGO’s cloud-based signage solution reliable?

Reliability stems from Azure’s global redundancy, XOGO’s use of Azure Resource Management (ARM) templates for quick recovery, and partnerships with trusted vendors like NEC and SignageOS for hardware support.

Section 2: Personnel Security & Training

What measures are in place to verify employee trustworthiness?

XOGO conducts standard background checks, including reference verification, for all employees. Sensitive roles with privileged access undergo additional scrutiny to ensure trustworthiness and protect customer assets.

How are employees trained on infosec practices?

Employees receive general security awareness training, covering threats, risks, and best practices. Training programs are periodically reviewed to align with evolving security standards and XOGO’s Azure-based environment.

Who has privileged access, and how is it managed?

Privileged access is limited to a small, senior subset of our team. It’s managed through Azure Active Directory (AAD) with role-based access control (RBAC), ensuring that only authorized personnel can access critical systems.

What ongoing education ensures that staff stay current on infosec threats?

Our team participates in periodic policy reviews and leverages external expertise (e.g., cybersecurity consultants) to stay informed on emerging threats, complementing Azure’s built-in security updates.

How does XOGO ensure that a small team doesn’t compromise information security?

A compact, trusted team reduces complexity and risk. All members are hand-picked, senior professionals with clear roles, ensuring accountability and minimizing the chance of internal security lapses.

Section 3: Certifications & Compliance Standards

Does XOGO maintain ISO27001 certification or similar?

XOGO does not hold its own ISO27001 certification but relies on Microsoft Azure’s ISO27001 compliance. We align our practices with Azure’s certified frameworks to ensure a robust security posture.

What security frameworks or best practices does XOGO follow?

XOGO adheres to Azure’s security best practices, including PaaS/serverless architecture guidelines, TLS encryption, and closed-system principles. Our approach is informed by industry standards like NIST and CIS controls.

Can XOGO provide evidence of its security compliance?

We can provide documentation of our security practices (e.g., RBAC policies, encryption standards) under NDA. Azure’s compliance certificates are available via Microsoft’s Trust Center.

How does XOGO stay aligned with industry security standards?

Regular audits by consultants (e.g., quarterly audits agreed with Microsoft Teams) and adherence to Azure’s evolving standards keep XOGO aligned with industry benchmarks.

Section 4: Access Control Measures

How is access to customer data controlled and monitored?

Access is restricted via Azure RBAC, limiting permissions to authorized personnel based on role. All activity is logged and monitored through Azure’s security tools for accountability.

What access control policies does XOGO enforce?

XOGO enforces strict policies via Azure AAD, including least privilege principles, dual-factor authentication for sensitive access, and regular credential reviews to prevent unauthorized entry.

How does XOGO implement role-based access control (RBAC)?

RBAC is configured in Azure, assigning permissions based on job function. Only necessary access is granted, enforced through AAD groups and policies, with oversight by XOGO management.

What safeguards prevent unauthorized remote access?

Remote access is limited to key personnel, secured with dual-factor authentication and Azure’s network controls (e.g., IP restrictions). Our closed system further blocks external intrusions.

How are credentials managed and audited?

Credentials are stored in Azure Key Vault, with access audited via Azure logs. XOGO reviews these logs regularly to ensure compliance and detect anomalies.

Section 5: Data Protection Practices

What encryption standards protect data at rest and in transit?

Data at rest is encrypted with AES-256 in Azure Blob Storage. Data in transit uses TLS 1.2 or higher, enforced across all XOGO services and customer endpoints.

How is customer data stored and secured?

Customer data resides in Azure’s secure cloud storage, protected by encryption and RBAC. Our closed system ensures only XOGO apps can access it, reducing exposure risks.

Who has access to decryption keys and how are they protected?

Decryption keys are managed by Azure Key Vault, accessible only to authorized XOGO personnel via RBAC. Keys are safeguarded with Azure’s hardware security modules (HSMs).

What measures protect data leaks or unauthorized access?

A closed system, RBAC, encryption, and Azure’s data loss prevention tools collectively minimize leak risks. Customer data isn’t stored beyond what’s needed for signage functionality.

How is data handled during removal or disposal?

Customers manage their own data deletion via XOGO Manager. Azure handles underlying storage disposal per its secure data destruction policies, ensuring no remnants remain.

Section 6: Network & Information Security

How is network security maintained in a serverless environment?

XOGO relies on Azure’s network security, including firewalls, DDoS protection, and access controls. Our serverless design eliminates traditional network vulnerabilities.

What protocols ensure secure data transmission?

All communications use TLS 1.2 or higher, enforced across endpoints like admin.xogo.io and api2.xogo.io. Azure’s encrypted environment secures internal traffic.

How does XOGO protect against network-based attacks like DDoS?

Azure’s DDoS protection shields XOGO services, backed by real-time monitoring and mitigation. Our minimal endpoint exposure further reduces attack surfaces.

What firewall or access controls are in place?

Azure provides managed firewalls and IP restrictions. XOGO limits connectivity to specific URLs (e.g., xogo.blob.core.windows.net), detailed in our firewall documentation.

What protocols ensure secure data transmission?

All communications use TLS 1.2 or higher, enforced across endpoints like admin.xogo.io and api2.xogo.io. Azure’s encrypted environment secures internal traffic.

How are communication endpoints secured?

Endpoints are restricted to XOGO apps, encrypted with TLS, and monitored via Azure Insights. Static IP ranges are available from Microsoft’s Azure IP list.

Section 7: Incident Response Procedures

What is XOGO’s process for notifying customers about a security incident?

Customers are notified promptly per best practices, with timelines based on incident severity. Contact is via email or support channels, coordinated by our product team.

How does XOGO detect and respond to security incidents?

Azure Insights and AppCenter monitor for anomalies. Alerts trigger immediate review by our product team, with remediation leveraging Azure’s incident framework.

What role does Azure play in incident management?

Azure provides detection tools (e.g., real-time logs) and infrastructure-level response. XOGO handles application-layer incidents, ensuring a layered approach.

How are incidents prioritized and resolved?

Incidents are triaged by impact—security issues take top priority. Resolution follows Azure’s framework, with XOGO’s team addressing app-specific concerns swiftly.

What testing ensures XOGO’s incident response is effective?

Response plans are reviewed periodically with Azure’s tools. Key customers (e.g., Microsoft, Compass) conduct scans and quarterly audits refine our processes.

Section 8: Physical Security Controls

How does XOGO ensure physical security without owning infrastructure?

XOGO relies on Azure’s data centers, which feature industry-leading physical security (e.g., biometric access, 24/7 monitoring). We have no on-premises servers.

What physical security measures does Azure provide?

Azure data centers employ secure perimeters, cameras, guards, and restricted access. Details are available in Microsoft’s security documentation.

How are Azure data centers audited for security?

Microsoft conducts regular audits under ISO27001 and SOC 2, ensuring physical security meets global standards. XOGO inherits these assurances.

What protects XOGO-managed devices like the XOGO Mini 2b?

The Mini 2b runs a locked-down Alpine Linux OS, co-managed with NEC and SignageOS. Physical security is the customer’s responsibility if deployed on-site.

Section 9: Supply Chain Security

How does XOGO assess the security of third-party partners?

We evaluate key vendors (e.g., Microsoft, NEC) for compliance with security standards. Most operations are in-house, minimizing third-party reliance.

Which 3rd parties have access to XOGO systems or data?

Only Microsoft Azure has infrastructure-level access. No other third parties interact with XOGO systems or customer data directly.

How are vendor contracts structured to ensure security?

Contracts with Microsoft include priority service agreements, ensuring Azure meets XOGO’s security needs. Other partners (e.g., NEC) align with our standards.

What oversight ensures third-party compliance?

XOGO monitors Azure via service agreements and reviews partner practices (e.g., SignageOS updates) to confirm ongoing security alignment.

Section 10: Privacy & Regulatory compliance

How does XOGO comply with privacy regulations like GDPR?

XOGO adheres to standard privacy practices and Azure’s compliance framework. Our privacy policy outlines data-handling commitments.

What personal information does XOGO collect, if any?

XOGO collects minimal data—typically just account admin contact info for marketing or support. No sensitive personal data (e.g., SSN, health info) is stored.

Where is customer data stored, and can residency be specified?

Data resides in Azure West and Central US data centers by default. Specific residency (e.g., Australia) can be discussed case-by-case with stakeholders.

What is XOGO’s privacy policy, and where can it be reviewed?

Our policy details data use and protection, available at xogo.io/privacy-policy. It aligns with applicable laws and Azure’s privacy standards.

How does XOGO handle cross-border data transfers?

Transfers occur within Azure’s secure environment. Compliance with cross-border regulations can be addressed per customer requirements.

Section 11: Business Continuity & Disaster Recovery

What steps ensure service continuity during a disruption?

XOGO uses Azure’s redundancy and ARM templates to rebuild environments quickly. Our PaaS design ensures minimal downtime.

How does XOGO leverage Azure for disaster recovery?

Azure’s global data centers and backup systems enable rapid recovery. XOGO maintains database backups and service recovery capabilities.

What is the recovery-time objective (RTO) for XOGO services?

RTO is minutes to hours, depending on the issue, thanks to ARM templates and Azure’s failover. Exact times vary by incident scope.

How are recovery plans tested and implemented?

Plans are validated through Azure’s resilience features and updated with lessons from incidents or audits, ensuring continuous improvement.

What resilience features support critical operations?

Azure’s scale-up/scale-out capabilities and XOGO’s serverless design provide resilience, maintaining service under normal or adverse conditions.

Section 12: Customer Responsibilities

What responsibilities do customers have for securing their devices?

Customers managing their own players must secure endpoints (e.g., patching, network security). XOGO Mini 2 devices are co-managed with partners.

Who manages updates for customer-managed devices?

Customers handle updates for their devices using XOGO-provided software (e.g., APPX, APK). XOGO manages XOGO Mini updates directly.

How should customers configure their network for XOGO?

Allow outbound traffic over port 443 to XOGO URLs (e.g., api2.xogo.io). Full firewall details are in our documentation.

Is support available if customers need assistance?

Free support is available 9am-5pm CST (24-hour response time, but typically 90 minutes). Premium support packages can be requested.