GRC and Due Diligence
The IXOPAY GRC and security programs operate in compliance with a range of well-known standards and regulations, and our compliance reports are available to clients upon request. Additionally, IXOPAY regularly performs due diligence on the security controls we have in place.
Organizational Security
Data is only as secure as the platform protecting it. That’s why the IXOPAY platform is built for maximum security and reliability.
Security and Controls
Keeping our customers’ data safe is our highest priority, so we exercise rigorous security measures throughout all levels of our organization and our processes. That security starts with our people. Throughout our Human Resources lifecycle, IXOPAY ensures that:
- Background checks are carried out on all new employees.
- Nondisclosure agreements are in place with employees and critical vendors.
- Security awareness training is administered to employees upon hire and regularly throughout the year.
Governance, Risk, and Management
Policies, processes, and procedures are in place throughout the organization to manage risk and to ensure the security and availability of IXOPAY services.
- Formal governance structures are in place to oversee the security, compliance, and privacy of the organization.
- Management and technical risk assessments are performed to continuously monitor risks to the environment.
- IXOPAY has a vendor management program to assess vendors prior to implementation and periodically throughout the year.
Data Encryption
IXOPAY encrypts all customer data in transit and at rest using industry standards and best practices.
Logical Security
Access to the IXOPAY environment requires multifactor authentication, and the use of strict password controls is enforced. Audit logging is enabled to capture logon attempts and activity. Inactive user sessions are automatically timed out. Access is granted on the premise of least privilege. A privileged access management system is in place to provide role-based access and session recordings of all admin activity.
Network Security
IXOPAY has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. Proactive security procedures, such as perimeter defense and intrusion-detection systems, have been implemented.
Extensive monitoring and logging are in place, and so are processes for detecting, reporting, and responding to any incidents. Clients can access the portal to monitor and manage their IXOPAY vaults, as well as securely communicate with IXOPAY client services.
Vulnerability Management
System security is maintained through the IXOPAY vulnerability management program, which includes anti-malware and patch management. Assets are maintained throughout the lifecycle to ensure the security of all IXOPAY systems.
Vulnerability scans and penetration tests of IXOPAY networks and systems are performed regularly and after significant changes. Any exploitable findings are promptly remediated and retested.
Penetration Testing
IXOPAY contracts with a third-party security firm to perform application, internal network, and external network penetration testing.
Automated vulnerability management toolsets and manual processes are used to identify and verify known vulnerabilities and misconfigurations. Common attack techniques such as those listed in the SANS Top 20 and the OWASP Top 10 are verified. Any findings are reviewed, and a risk profile with impact and likelihood metrics is determined.
Vulnerability Scans
External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers, for potential weaknesses that could allow unauthorized access to the network. In addition, authenticated internal network and system vulnerability scans are performed to identify potential weaknesses and inconsistencies with general system security policies.
Application Security and Change Management
IXOPAY has formal change-management and system-development processes that document, test, and approve changes prior to implementation. Particular attention is paid to the OWASP Top 10. The SDLC process includes an in-depth security risk assessment and review. Static source code analysis is performed to help integrate security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
IXOPAY follows a rigorous change-management process. Prior to implementation, changes are tested in the test environment, documented in our system of record with implementation and rollback plans, and then reviewed and approved. Clients are notified via the portal as well as via email of updates to the platform. Releases that might directly impact client usage of the platform are communicated directly to the affected clients by the IXOPAY Client Success team.
Business Continuity
IXOPAY employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.
- IXOPAY replicates data between geographically diverse locations. Monitoring is in place to detect issues with the replication process. Failover testing is conducted regularly.
- IXOPAY has a documented business-continuity and disaster-recovery plan, which is reviewed, updated, and tested regularly.
Physical Security & Environmental Controls
The IXOPAY platform is hosted in fully redundant, high-performance data center facilities across the world. Secure access controls and monitoring, redundant power and connectivity, generators, UPS, and fire suppression are in place at all data centers used by IXOPAY. All access to data centers is highly restricted and regulated.