TT Consultants (“US”, “WE”, or “OUR”) operates https://en.xlpat.com (the “SITE”). This page informs the user (“YOU”) of our policy, which is designed to help you understand how we collect, use and safeguard the personal information you provide to us and to assist you in making informed decisions when using our service.
We use your Personal Information only for providing our services (“XLPAT”), in which you perform automated first-pass patent searching and analysis and use our tracking tool. By using the site, you agree to the collection, storage, use and disclosure of your Personal Information in accordance with this policy.
What Personal Information does XLPAT collect and why?
Information provided voluntarily
While using our site, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include but is not limited to your name, e-mail address, login ID and other contact or location data in order to register an account with us, to subscribe to marketing communications from us, and/or to submit inquiries to us (“PERSONAL INFORMATION”). The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
Information collected automatically
Like many site operators, we collect information that your browser sends whenever you visit our Site (“LOG DATA”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Site that you visit, the time and date of your visit, the time spent on those pages and other statistics.
The security of your personal information is important to us. XLPAT uses appropriate technical and organizational measures to protect your personal information from accidental loss and unauthorized access or use, to ensure business continuity and disaster recovery, to restrict access to personal information, to train staff and contractors on data security and to conduct privacy impact assessments in accordance with the law and your business policies. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.
Data Center and Network Security
(a) Data Centers.
Infrastructure. We store all production data in physically secure data centers.
Redundancy: Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
Power: The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over-voltage, under-voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
Server Operating Systems. Servers use a Linux-based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. A code review process is employed to increase the security of the code used to provide the Services and enhance the security products in production environments.
Business Continuity. Data is replicated over multiple systems to help protect against accidental destruction or loss. We have designed, and regularly plan and test, our business continuity planning/disaster recovery programs.
(b) Networks and Transmission.
Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Data is transferred via Internet standard protocols.
External Attack Surface. We employ multiple layers of network devices and intrusion detection to protect our external attack surface. We consider potential attack vectors and incorporate appropriate purpose-built technologies into external-facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Intrusion detection involves: tightly controlling the size and make-up of the system’s attack surface through preventative measures; employing intelligent detection controls at data entry points, and employing technologies that automatically remedy certain dangerous situations.
Incident Response. The system monitors a variety of communication channels for security incidents, and authorized security personnel will react promptly to known incidents.
Encryption Technologies. The system makes HTTPS encryption (also referred to as SSL or TLS connection) available. Servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
Access and Site Controls
(a) Site Controls.
On-site Data Center Security Operation. Data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed-circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.
Data Center Access Procedures. The system maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.
On-site Data Center Security Devices. Data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.
(b) Access Control.
Infrastructure Security Personnel. A security policy applies to our personnel and requires security training as part of their training package. Security personnel are responsible for the ongoing monitoring of security infrastructure, the review of the Services, and responding to security incidents.
Access Control and Privilege Management. Customer’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.
Internal Data Access Processes and Policies – Access Policy. Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. The system is designed to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. A centralized access management system controls personnel access to production servers and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. The system requires the use of unique user IDs, strong passwords, two-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need-to-know basis. The granting or modification of access rights must also be in accordance with internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g. credit card data), we use hardware tokens.
(a) Data Storage, Isolation and Logging. We store data in a multi-tenant environment on privately-owned servers. The data and file system architecture are replicated between multiple geographically dispersed data centers. We also logically isolate the Customer’s data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable customers to determine the product sharing settings applicable to Customer End Users for specific purposes. Customer may choose to make use of certain logging capability that we may make available via the Services.
(b) Decommissioned Disks and Disk Erase Policy. Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving company premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.
Security personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. We also conduct reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations.
XLPAT is hosted with the world’s leading cloud providers, whose data centers are strictly controlled and monitored by 24×7 on-site security staff, biometric scanning and video surveillance. The certifications below apply to our data-center partner:
ISO 27001 Managing information risks
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. ISO/IEC 27001 is a security standard that outlines and provides the requirements for an information security management system (ISMS). It specifies a set of best practices and details a list of security controls concerning the management of information risks.
ISO 27017 Controlling cloud-based information security
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, and additional controls with implementation guidance that specifically relate to cloud services.
ISO 27018 Protecting personal data
ISO 27018 relates to the protection of personally identifiable information (PII), and as such, deals with one of the most critical components of the cloud: privacy. This standard is primarily focused on security controls for public-cloud service providers acting as PII processors. ISO 27018 works in two ways: it builds on existing ISO 27002 controls with specific items for cloud privacy, and it provides completely new security controls for personal data.
SOC 2 Controls over security, availability, and confidentiality
SOC 2 is a report based on AICPA’s existing Trust Services principles and criteria. The purpose of the SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality or privacy.
SOC 3 Public report of controls over security, availability, and confidentiality
SOC 3 is based on the existing SysTrust and WebTrust principles.
CSA STAR Securing cloud computing environments
The CSA’s Security, Trust & Assurance Registry Program (STAR) is a three-tiered cloud provider assurance program that consists of a self-assessment, third-party audit, and continuous monitoring, designed to aid customers with their assessment of cloud service providers.
PCI DSS Protecting customers’ card information
PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information.
XLPAT – TT Consultants :
USA – Sunnyvale
440 N Wolfe Rd Sunnyvale, CA 94085, USA