Trust Center

NIS2

Xelion and the Cybersecurity Act

Xelion belongs to the category of “significant” entities. Back in 2021, we started taking measures against information security risks by adopting an ISO 27001-certified Information Security Management System (ISMS).

Key components of the ISMS include risk assessments, vendor reviews, continuous awareness training, PEN testing, vulnerability management and a mature incident logging and response process. These components also form a large part of the foundation of the Cybersecurity Act, most of which Xelion already complies with. Nevertheless, we are working hard to be fully compliant with the Cybersecurity Act well before it becomes legislation.

Are you a customer, partner or vendor and do you have any questions or comments regarding this? Do not hesitate to let us know so we can help or provide you with more information.

Business Continuity

Being prepared for all imaginable risks

The continuity of our service is critical. If a customer cannot make or receive calls due to a technical problem, the consequences are major. In addition to technical risks, there are also organizational risks. Whether technical or strategic, we have identified these risks and prepared roadmaps for when any of them becomes reality. The risks are not only documented on paper: we also run simulations of conceivable and unthinkable scenarios to confirm that continuity is guaranteed.

Awareness

No security without awareness

Our awareness training goes far beyond simply locking your PC, avoiding USB sticks and using strong passwords with multi-factor authentication (MFA). We regularly “hack” ourselves to demonstrate what risks may exist within our organization and products. In addition to education about potential risks, we use an e-learning program. Based on a gap analysis, we know exactly where our knowledge is sufficient and where additional attention is needed.
This e-learning program contains modules that are relevant to every department. Consider, for example, detecting phishing and deepfakes for our support departments.

Privacy Statement

Do what you say, and say what you do

Xelion processes a lot of data through different media, such as our website, mobile apps and desktop apps. In our privacy statement, we transparently explain which data we process and for what purpose.
As new features are added to our products, we update our privacy statement accordingly, so that you know exactly which privacy-sensitive data we process.

Authentication

We protect your valuable communications data

Xelion uses a management tool to manage multiple servers and tenants. This tool provides access to your clients' environments or your own environment. In addition to a strong password, two-factor authentication (2FA) is required to log into the management tool. We register exactly who logged in, from where and when. Our mobile apps also require a second factor to log in securely. In addition, we offer an OpenID integration with Microsoft Entra ID if you want to set up 2FA through Microsoft 365.

Password policy

Policies are nice, but measures are better

There is a strict password policy within Xelion. All employees and systems must comply with this policy, and we expect our suppliers to adhere to our policies as well. However, a policy alone offers no guarantees. Therefore, we implement technological measures that prevent the use of insecure passwords.

Bug Bounty Program

Appreciation for found vulnerabilities

Based on Responsible Disclosure, we run a small-scale Bug Bounty program. This allows ethical hackers to report vulnerabilities to us. An appropriate reward is awarded based on the likelihood and impact of the vulnerability.

Certifications

NEN-EN-ISO/IEC 27001:2023 nl

Xelion has a NEN- and ISO 27001-certified Information Security Management System (ISMS). In our Statement of Applicability, we indicate which risks we mitigate and with which measures.

Important ISMS processes include:
- Incident management
- Risk management
- Internal audits
- Asset management

Vulnerability management

Daily vulnerability scanning

We scan our most important assets daily for vulnerabilities. As soon as a vulnerability is found, we are informed immediately and take the necessary measures to reduce the risk.

Phishing Simulation

Recognizing fake emails

Phishing remains a major cause of data breaches. Despite measures such as detection and alerting, phishing remains a challenge for any organization. That is why we regularly conduct phishing simulations to make employees aware of the dangers.

Secret Share

Encrypted information transfer

Sensitive information, such as access credentials, should never be sent unencrypted. For such data, we use our Secret Share tool, in which data has a lifetime of between 5 minutes and 1 week. The data can be set to be destroyed after it has been read once, and it can be protected with an additional password. Our Secret Share tool is also available to remote users via secretshare.xelion.com.

PEN Testing

Digital hacking for the advanced

We regularly conduct PEN tests to identify vulnerabilities in our products and services. These tests confirm our security-by-default and privacy-by-default approach. We encourage customers and partners to perform PEN tests themselves as well. However, this should be done in consultation with us so that we can facilitate where necessary.

AVG / GDPR

General Data Protection Regulation

Xelion strictly adheres to the AVG (the Dutch implementation of the GDPR). We provide transparent information about our data processing and the basis for it, and we comply with the rights of data subjects. We take technical and organizational measures to limit risks, such as risk analyses and privacy training for our employees.

Sub-processors

Xelion uses carefully selected sub-processors to deliver its services. A data processing agreement that complies with the requirements of the General Data Protection Regulation (GDPR) has been concluded with each sub-processor. As described in the data processing agreement that Xelion enters into with its resellers, sub-processors are engaged to support the provision of services.
Two categories are distinguished:

Standard sub-processors

Parties that form part of the core of the Xelion solution.

| Name of sub-processor | Location | Purpose of processing | Data processing agreement |
|---|---|---|---|
| CM.com | Netherlands | Hosting and storage of application data | Yes |
| ReadSpeaker | Netherlands | Generation of text-to-speech audio | Yes |
| Bumicom | Netherlands | Transcription and audio analysis | Yes |

Optional sub-processors

Parties that are used for additional optional functionalities, add-ons or extensions.

| Name of sub-processor | Location | Purpose of processing | Data processing agreement |
|---|---|---|---|
| Plainwise | Netherlands | Integration with queue optimisation software | Yes |
| Microspace | Netherlands | Integration with a platform for modern customer communications | Yes |
| Kollie | Netherlands | Automatically handling and analysing telephone conversations for the purpose of Xelion’s AI bot services | Yes |
| Ipster | Netherlands | Automatically handling and analysing telephone conversations, including the processing of data for AI monitoring purposes for Xelion’s AI bot services | Pending |
| COTU | United Kingdom | Automatically handling and analysing conversations for the purpose of Xelion’s AI bot service | Pending |

Requirements for sub-processors

Xelion applies clear requirements when selecting and engaging sub-processors. These requirements are aligned with the General Data Protection Regulation (GDPR) and with the security standards applicable to our services, including relevant ISO standards.

Specifically, this means that:

  • A data processing agreement is concluded with each sub-processor
  • Sub-processors implement appropriate technical and organisational measures to protect personal data
  • Sub-processors act solely on the instructions of and for the benefit of Xelion and its customers
  • Sub-processors are periodically evaluated for compliance with privacy and security agreements

For reporting incidents, we are available 24/7 via the contact details provided in our security.txt file.

Do you have any questions or comments about our technological measures, privacy, or other security-related matters? Please feel free to contact us.

E-mail: securityofficer@xelion.com
Telephone / WhatsApp: +31 152 511 411