What are X-CD's IT Structure and Data Security Policies?
Server and storage hardware
To host client data X-CD utilizes Dell servers and Dell Compellent storage arrays.
Server virtualization with high availability
Our web servers are virtualized utilizing VMware vSphere. With VMware High Availability, should a physical server fail, any virtual machine will be automatically migrated to another physical server and powered on, and resume normal operations. The affected virtual machines are often back in service in 3-5 minutes, an amazingly short time frame to recover from a failed physical server.
Another added benefit of virtualization is that resources such as CPU, RAM, and disk space can be quickly allocated based on utilization patterns. This ensures optimal performance for your site or mail server with minimal downtime.
Electricity is provided from two separate power feeds. In addition, our equipment is protected with UPS systems and diesel generators. Servers and storage devices have redundant power supplies, each on separate feeds to help prevent loss of data due to power failures.
Virtual machines, along with their data (i.e. your web site files, email, etc.) reside on enterprise SAN arrays. These arrays have the following features:
- Disks configured in high performance RAID configurations for redundancy
- Redundant storage controllers
- Redundant network adapters
- Redundant storage networking switches
- Redundant power supplies connected to redundant power feeds
- All servers are connected to the storage network via multiple paths for performance and redundancy
All SAN volumes are cross-replicated to a disparate SAN array each day. In the event of failure on one SAN array, replicated data can be accessed on the second SAN array and vice versa.
- Note: This section is not a comprehensive guide to our IT security. It serves only to highlight some of the general points.
Firewall & IPS
Perimeter firewall and Intrusion Prevention System (IPS) with the following features:
- Highly available for redundancy
- Stateful packet inspection
- Deep packet inspection for known malicious attack patterns
- DDoS (Distributed Denial of Service) protection mechanisms
All inbound email is filtered using multiple real-time RBL and content inspection technologies.
Additionally, outbound mail from our Windows web servers is checked with anti-spam content filters, so that delivery of mail from your site is not disrupted by compromised mail submission forms belonging to other tenants on the server where your site resides.
Our servers run AVG CloudCare Anti-Virus.
We perform daily backups of all web, email, and database servers. We also back up databases 6 times daily.
Backups are stored off-site in a location that is in a different geographical area than the primary site. This means that should a major disaster occur in the area where the servers are running, your data is safe in another location.
We offer a failover backup server in case of a server failure. Our primary server is located in St. Louis, MO, with a secondary server in Ashburn, NC.
Restricted access to premises
The buildings housing our datacenter have a comprehensive security system which includes, but is not limited to, the following:
- 24x7 on-site security
- Access codes
- Biometric hand scanners
- Electronic proximity readers
- Security surveillance system
Fire suppression system
Our equipment is protected by a pre-action, dry pipe fire suppression system.
X-CD Obligations in Each Client Agreement
X-CD will implement and maintain appropriate technical and organizational measures to protect all client data against any breach of security leading to accidental or unlawful destruction, loss, alteration or unauthorized disclosure (a “Data Breach”). Such measures shall be consistent with industry standards. If X-CD becomes aware of a Data Breach, X-CD will notify the Client within 72 hours.
In addition, X‐CD will create daily backups of the database (6 times per day) and daily backups of the entire server. All backups will be held off-site. Additionally, X-CD will provide regular server maintenance and software upgrades in order to minimize service interruptions and downtimes.
Furthermore, X-CD will at all times maintain a cyber insurance and business interruption insurance policy to cover a maximum of $100,000.00 of all potential claims, in aggregate, for alleged or actual Data Breach occurring within its server or caused as a result of an action of an X-CD employee, for loss of server use, or any business interruption incurred by Client or any users of the Client's, including without limitation, email delays or non‐delivery, loss of business profits, loss of business information, or other pecuniary loss arising out of the use of or inability to use the Licensed Software, Custom Software, or Products or Services arising out of this Agreement. Such insurance will not cover breaches from Client servers, Client employee local computers, or any other sources.
Other than the potential claims and the maximum amount noted above, in no event will X‐CD’s officers, directors or employees be liable for any damages whatsoever, whether direct, indirect, special, incidental, or consequential damages, whether arising under contract, tort (including negligence), strict liability, breach of warranty, misrepresentation, or otherwise, including without limitation, damages for Data Breach, email delays or non‐delivery, loss of business profits, business interruption, loss of business information, or other pecuniary loss, arising out of the use of or inability to use the Licensed Software, Custom Software, Products or Services arising out of this Agreement.
As data is uploaded and stored in the X-CD server and can at any time be downloaded by Client to its local server and/or copied to personal computers within Client's organization for their staff use, copied to other digital media (e.g. USBs, CD-ROMs) or printed and photocopied, it is acknowledged that there are multiple sources for Data Breaches to occur outside of the responsibility of X-CD. As such, Client also agrees to take all reasonable measures consistent with industry standards to protect the personal information of all contacts in the system database.
In order to satisfy the EU General Data Protection Regulation (GDPR), all contacts, prior to submitting personal information, must agree to the system use terms and conditions (which may change from time to time to keep up with legislation that governs personal information provided on the internet). At a minimum, each contact will acknowledge that they are submitting personal information, including abstracts, papers, PPTs, videos, handouts and other data, in order to participate in a Client conference and/or submitting personal information for registering to attend a Client conference. They do so of their own free will and they agree that they will not enter into any legal action against X-CD (the Data Processor as defined in the GDPR) or Client (the Data Controller as defined in the GDPR) for any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of their personal information, abstract, papers, PowerPoints or any other data.