Trust Center

NIS2

Xelion and the Cybersecurity Act

Xelion belongs to the NIS2 category of “important” entities. Back in 2021, we started addressing information security risks by adopting an ISO 27001-certified Information Security Management System (ISMS).

Key components of the ISMS include risk assessments, vendor reviews, continuous awareness training, penetration testing, vulnerability management and a mature incident logging and response process. These components also form a large part of the foundation of the Cybersecurity Act, with most of which Xelion already complies. Nevertheless, we are working hard to be fully compliant with the Cybersecurity Act well before it enters into force.

Are you a customer, partner or vendor with questions or comments about this? Do not hesitate to let us know so that we can help or provide you with more information.

 

Business Continuity

Being prepared for all imaginable risks

The continuity of our service is critical: if a customer cannot make or receive calls because of a technical problem, the consequences are major. Besides technical risks there are also organizational risks. Whether technical or strategic, we have identified these risks and prepared response plans for when any of them materializes. The risks are not only documented on paper: we also run simulations of conceivable and unthinkable scenarios to confirm that continuity is maintained.

 

Awareness

No security without awareness

Our awareness training goes far beyond locking your PC, avoiding USB sticks and using strong passwords with multi-factor authentication (MFA). We regularly “hack” ourselves to demonstrate which risks may exist within our organization and products. In addition to education about potential risks, we use an e-learning program. A gap analysis tells us exactly where our knowledge is sufficient and where additional attention is needed.
This e-learning program contains modules of interest to every department, for example detecting phishing and deepfakes for our support departments.

 

Privacy Statement

Do what you say, and say what you do

Xelion processes a lot of data through different media, such as our website, mobile apps and desktop apps. In our privacy statement, we transparently explain which data we process and the purpose of this.
As new features are added to our products, we update our privacy statement accordingly so that you know exactly what privacy-sensitive data we process.

Use of our software

In addition to our Privacy Statement, the Terms of Use apply when you use the Xelion software and associated services. These terms describe the conditions under which our software may be used, as well as the rights and responsibilities that apply to users.

The full Terms of Use and licence conditions are set out in the Xelion End User Licence Agreement (EULA), which provides more detailed information about the use of our software and services. 

 

Authentication

We protect your valuable communications data

Xelion uses a management tool to manage multiple servers and tenants. This tool provides access to your clients' environments or to your own environment. In addition to a strong password, two-factor authentication (2FA) is required to log in to the management tool. We log who logged in, from where and when. Our mobile apps also require a second factor to log in securely. In addition, we offer an OpenID Connect integration with Microsoft Entra ID if you want to enforce 2FA through Microsoft 365.

 

Password policy

Policies are nice, but measures are better

There is a strict password policy within Xelion. All employees and systems must comply with it, and we expect our suppliers to adhere to our policies as well. However, a policy alone offers no guarantees. We therefore add technical measures that prevent insecure passwords from being used at all.
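The kind of technical measure meant here, as an added example (this is not Xelion's own code and the page does not say which checks Xelion applies): a password screen that enforces a minimum length, rejects organisation-specific terms, and refuses passwords that appear in known breaches using the k-anonymity range scheme popularised by Have I Been Pwned (only the first 5 hex characters of the SHA-1 hash leave the client). The minimum length of 12, the forbidden terms and the breach corpus are assumptions; the corpus is constructed in-memory so the example runs offline, and `hibp_range_lookup` shows the equivalent real API call.

```python
"""Password screening as a technical control (added example, not Xelion's own code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

MIN_LENGTH = 12                      # assumption: the page does not state Xelion's minimum
RangeLookup = Callable[[str], str]   # 5-char hex prefix -> "SUFFIX:COUNT" lines


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup: RangeLookup) -> int:
    """How often `password` occurs in the breach corpus (0 if absent).

    Only the prefix is sent; every suffix for that prefix comes back and the
    comparison happens locally, so the service never learns the password hash.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, forbidden_terms: Iterable[str],
                   range_lookup: RangeLookup) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for term in forbidden_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains the forbidden term '{term}'")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"appears {seen} times in known breaches")
    return problems


def hibp_range_lookup(prefix: str) -> str:
    """Real k-anonymity query against api.pwnedpasswords.com (needs network; not used below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def constructed_range_lookup(breached: Dict[str, int]) -> RangeLookup:
    """Offline stand-in for the range API, built from a constructed corpus."""
    table: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    # Like the real API with Add-Padding, unknown prefixes still return rows (count 0).
    filler = ["0" * 35 + ":0"]
    return lambda prefix: "\r\n".join(table.get(prefix, filler))


# Constructed sample corpus with made-up breach counts (assumption, not real data).
SAMPLE_CORPUS = {"password": 9_545_824, "Welcome2024!": 1_337, "Xelion123!!!": 42}
sample_lookup = constructed_range_lookup(SAMPLE_CORPUS)

if __name__ == "__main__":
    for candidate in ["password", "Xelion123!!!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, ["xelion"], sample_lookup) or "OK")
```

Run at the moment a password is set or changed, this rejects "Xelion123!!!" even though it satisfies the length rule, which is exactly the gap a written policy alone leaves open.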

 

Bug Bounty Program

Appreciation for found vulnerabilities

Based on Responsible Disclosure, we run a small-scale Bug Bounty program that allows ethical hackers to report vulnerabilities to us. An appropriate reward is awarded based on likelihood and impact.

 

Certifications

NEN-EN-ISO/IEC 27001:2023 nl

Xelion has a NEN-EN-ISO/IEC 27001-certified Information Security Management System (ISMS). In our Statement of Applicability, we indicate which risks we mitigate and with which measures.

Important ISMS processes include:
- Incident Management
- Risk management
- Internal audits
- Asset management

 

Vulnerability management

Daily vulnerability scanning

We scan our most important assets daily for vulnerabilities. As soon as a vulnerability is found, we are alerted immediately and take the necessary measures to reduce the risk.

 

Phishing Simulation

Recognizing fake emails

Phishing remains a major cause of data breaches. Despite measures such as detection and alerting, phishing remains a challenge for any organization. That is why we regularly conduct phishing simulations to make employees aware of the dangers.

 

Secret Share

Encrypted information transfer

Sensitive information, such as credentials, should never be sent unencrypted. For such data we use our Secret Share tool, in which a secret has a lifetime between 5 minutes and 1 week. A secret can be set to be destroyed after it has been read once, and can additionally be protected with a password. Our Secret Share tool is also available to remote users via secretshare.xelion.com.
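The mechanics described above, as an added example that is not Xelion's Secret Share implementation: a bounded lifetime (5 minutes to 1 week), destruction after a single successful read, an optional extra password, and a link whose random token is the only key material, so the server holds each secret only in encrypted form and a copy of its database reveals nothing. The URL layout, the five-attempt lockout and the choice to put the token in the URL fragment are assumptions of this example, not a description of Xelion's service. The cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag) that stands in for a vetted AEAD such as AES-GCM, which a production service should use instead.

```python
"""One-time secret store with TTL, burn-after-read and optional password (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

MIN_TTL = 5 * 60              # 5 minutes
MAX_TTL = 7 * 24 * 60 * 60    # 1 week
MAX_FAILED_ATTEMPTS = 5       # assumption: destroy the secret after repeated wrong passwords


def _derive_keys(token: str, password: Optional[str], salt: bytes) -> Tuple[bytes, bytes]:
    """Derive (encryption key, MAC key) from the link token and the optional password."""
    material = token.encode() + b"\x00" + (password or "").encode()
    key = hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=64)
    return key[:32], key[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy stand-in for a real stream/AEAD cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")   # wrong token/password or tampered blob
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SecretShare:
    """In-memory store; `now` is injectable so expiry can be tested without waiting."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._records: Dict[str, dict] = {}

    def create(self, plaintext: bytes, ttl_seconds: int,
               password: Optional[str] = None, burn_after_read: bool = True) -> str:
        if not MIN_TTL <= ttl_seconds <= MAX_TTL:
            raise ValueError("lifetime must be between 5 minutes and 1 week")
        secret_id, token, salt = secrets.token_urlsafe(8), secrets.token_urlsafe(32), os.urandom(16)
        enc_key, mac_key = _derive_keys(token, password, salt)
        self._records[secret_id] = {
            "salt": salt, "blob": _seal(enc_key, mac_key, plaintext),
            "expires_at": self._now() + ttl_seconds, "burn": burn_after_read,
            "password_required": password is not None, "failed_attempts": 0,
        }
        # Token in the URL fragment: browsers do not send it to the server, so it
        # stays out of access logs. Hostname is a placeholder, not Xelion's layout.
        return f"https://secretshare.example/{secret_id}#{token}"

    def read(self, link: str, password: Optional[str] = None) -> bytes:
        self.sweep_expired()
        path, _, token = link.partition("#")
        secret_id = path.rsplit("/", 1)[-1]
        record = self._records.get(secret_id)
        if record is None:
            raise KeyError("secret not found, expired or already read")
        if record["password_required"] and password is None:
            raise PermissionError("password required")
        enc_key, mac_key = _derive_keys(token, password, record["salt"])
        try:
            plaintext = _open(enc_key, mac_key, record["blob"])
        except ValueError:
            record["failed_attempts"] += 1
            if record["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
                del self._records[secret_id]      # stop online guessing of the password
            raise PermissionError("wrong link or password")
        if record["burn"]:
            del self._records[secret_id]          # burn after the first successful read
        return plaintext

    def sweep_expired(self) -> int:
        """Delete records past their lifetime; returns how many were removed."""
        now = self._now()
        expired = [sid for sid, r in self._records.items() if r["expires_at"] <= now]
        for sid in expired:
            del self._records[sid]
        return len(expired)

    def count(self) -> int:
        return len(self._records)
```

Note that a wrong password does not burn the secret (the legitimate recipient may simply have mistyped), which is why the attempt counter exists: without it, a password-protected link found in a mailbox could be guessed at leisure until it expires.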

 

PEN Testing

Digital hacking for the advanced

We regularly conduct penetration tests to identify vulnerabilities in our products and services. These tests confirm our security-by-default and privacy-by-default approach. We encourage customers and partners to perform their own penetration tests as well, but this should be done in consultation with us so that we can facilitate where necessary.
 

AVG / GDPR

General Data Protection Regulation

Xelion strictly adheres to the AVG (the Dutch implementation of the GDPR). We provide transparent information about data processing and its legal basis, and we comply with the rights of data subjects. We take technical and organizational measures to limit risks, such as risk analyses and privacy training for our employees.

AI and Data Processing

Within the Xelion platform, optional functionalities may be used that operate with artificial intelligence (AI). These functionalities are executed exclusively on the instruction of the reseller and within the agreements set out in the applicable data processing agreement.
 

Application of AI within Xelion

AI is used to analyse and structure communication. This includes, among other things:

Transcription

Call recordings are converted into text by the sub-processor Bumicom. The processing is based on the call recording. After processing, the transcription is stored within the Xelion environment.

Analysis of Transcriptions

Transcriptions can be analysed automatically via Ipster. The analysis follows a fixed methodology in which every transcription is processed, assessed and structured in the same way, based on uniform criteria and predefined analysis categories; it does not depend on individual interpretation per conversation or per user. The analysis output is anonymised and is used to structure and provide insight into the content of conversations.
 

AI Assistants

AI assistants can conduct conversations via SIP when configured as a user. As part of this process, the caller’s telephone number is processed to enable the interaction. The processing activities mentioned above take place within the Netherlands, with the exception of the COTU voice bot service described under Sub-processors.

Which data is processed?

Depending on the activated functionality, the following data may be processed:

  • Audio recordings
  • Call metadata
  • Transcriptions
  • Callers’ telephone numbers
  • Configuration settings and textual instructions within the portal

No additional personal data is processed beyond the functionality enabled by the reseller.
 

Use of data for training

Personal data processed through the Xelion platform is not used to train or improve general AI models of Xelion or third parties, unless this has been explicitly agreed in writing.

If AI technology from a third party is used, it is contractually established that the data will only be used for delivering the agreed service.
 

Retention periods

AI output, including transcriptions and analysis data, is stored within the Xelion environment. The retention period is currently set at one year. In a future release this period will become configurable. Xelion does not apply different or additional retention periods for AI processing.
 

Automated decision-making

The AI functionalities within Xelion are supportive in nature. No fully automated decisions with legal effects or similarly significant consequences for individuals are made without human intervention.
 

Security

AI processing is subject to the same technical and organisational security measures as the rest of the platform. This includes, among other things, data encryption during transport, access control, logging and monitoring.
 

International data transfers

AI processing by our standard sub-processors takes place within the Netherlands; the exception is the COTU voice bot service, whose hosting and safeguards are described under Sub-processors. If sub-processors outside the European Economic Area are used in the future, this will be listed in the sub-processor overview and appropriate safeguards will be applied in accordance with the GDPR.
 

Data separation

Data is not shared between customers. Processing takes place within the isolated environment of the relevant reseller or end customer.
 

Responsibility

The reseller remains responsible as the data controller for informing data subjects about the use of AI within their services. Xelion will provide additional information upon request to support resellers in meeting their transparency obligations.
 

Sub-processors

Xelion uses carefully selected sub-processors to deliver its services. A data processing agreement has been concluded with each sub-processor that complies with the requirements of the General Data Protection Regulation (GDPR). As described in the data processing agreement that Xelion enters into with its resellers, sub-processors are engaged to support the provision of services.
Two categories are distinguished:
 

Standard sub-processors

Parties that form part of the core of the Xelion solution.

Name of sub-processor | Location    | Purpose of processing                   | Data processing agreement
CM.com                | Netherlands | Hosting and storage of application data | Yes
ReadSpeaker           | Netherlands | Generation of text-to-speech audio      | Yes
Bumicom               | Netherlands | Transcription and audio analysis        | Yes

 

Optional sub-processors

Parties that are used for additional optional functionalities, add-ons or extensions.

Name of sub-processor | Location       | Purpose of processing | Data processing agreement
Plainwise             | Netherlands    | Integration with queue optimisation software | Yes
Microspace            | Netherlands    | Integration with a platform for modern customer communications | Yes
Kollie                | Netherlands    | Automatically handling and analysing telephone conversations for the purpose of Xelion’s AI bot services | Yes
Ipster                | Netherlands    | Automatically handling and analysing telephone conversations, including the processing of data for AI monitoring purposes for Xelion’s AI bot services | Yes
COTU                  | United Kingdom | Automatically handling and analysing conversations for the purpose of Xelion’s AI bot service | Yes

COTU Data processing agreement

COTU provides the AI voice bot service within Xelion. When a caller interacts with an AI assistant, the audio is processed directly using a speech-to-speech model. After the call, a transcript is made available in the portal for reference. This transcript is not analysed, classified, or scored. It is stored with standard call metadata such as call ID, caller phone number, date, and time.

No anonymisation or pseudonymisation is applied to the transcript. It is a record of the conversation and is not processed further by COTU or its suppliers.

Customer data is never used to train or improve AI models by COTU or any of its sub-processors. All processing takes place strictly on behalf of Xelion and its resellers, under a Data Processing Agreement that meets GDPR requirements.

Customer configuration, knowledge bases, and transcripts are hosted on UK infrastructure. The underlying language model is hosted in the United States. COTU has contracts and Data Processing Agreements in place with the LLM provider that include the safeguards required for use by UK and EU customers under GDPR.
 

Requirements for sub-processors

Xelion applies clear requirements when selecting and engaging sub-processors. These requirements are aligned with the General Data Protection Regulation (GDPR) and with the security standards applicable to our services, including relevant ISO standards.

Specifically, this means that:

  • A data processing agreement is concluded with each sub-processor
  • Sub-processors implement appropriate technical and organisational measures to protect personal data
  • Sub-processors act solely on the instructions of and for the benefit of Xelion and its customers
  • Sub-processors are periodically evaluated for compliance with privacy and security agreements

For reporting incidents, we are available 24/7 via the contact details provided in our security.txt file (RFC 9116).

Do you have any questions or comments about our technological measures, privacy, or other security-related matters? Please feel free to contact us.

E-mail: securityofficer@xelion.com
Telephone / WhatsApp: +31 152 511 411