Security is our top priority

We do the hard work so you don't have to worry.

Our responsibility is to make sure that data is kept in a system using the highest security standards.
Xoba adheres to industry-accepted best practices and standards defined by NIST 800-53, SANS and OWASP, ensuring your data is safe at all times.

Least privileged access

Xoba requests only the 'must-have' permissions, which in most cases is read-only. We cannot modify or delete your data.

We don't store your files

Xoba does not download your files, documents, tasks, or messaging to our servers.

Encryption

All data is encrypted end-to-end using industry-standard methods like AES-256 and TLS 1.2. It is encrypted in transit and at rest.

No passwords

OAuth is used to connect all your applications. We will never ask for your credentials to these applications, and we securely store the authentication token.

Our promise

Security & Privacy are fundamental to Xoba. We always put ourselves in our customers' shoes to ensure we do what is in their best interest.

Security Details

Cloud providers

Xoba is hosted on Google Cloud Platform. All datacenters are located in the United States.

Creation of Xoba accounts

Individuals are able to create a Xoba account using Google or via passwordless login. Xoba uses Google authentication services.

Third-Party application authentication

Xoba users connect their third-party applications (e.g. Google Drive, Asana, Slack, etc.) using OAuth 2.0, an industry standard for authorizing secure access to external applications. Xoba does not have access to or store any application passwords. Users are able to remove an application at any time, and Xoba immediately deletes all authentication and authorization data from our servers.

Data encryption

Xoba exclusively sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application. All data on Xoba servers is encrypted at rest. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). Xoba has complete control over access to the KMS and has restricted access within Xoba.

Access and authentication tokens

All applications connected to Xoba use OAuth 2.0. Users’ access tokens (token used to grant access to information based on the user requesting it) and refresh tokens (token used to request a new access token) are stored in separate databases. The refresh tokens are encrypted using AES-256 encryption. Access to the refresh tokens is tightly controlled to a single service (token refresher). The key for this service is protected with Google Secrets Manager and has restricted access within Xoba. 

The access tokens are accessible to Xoba’s backend refresher service and the user who owns them. The user’s private key (generated by Google’s Authentication Service) is verified before the user can touch any access tokens, so the user is only reading/writing their own token(s). These access tokens have a limited lifespan (typically an hour) and are periodically refreshed.

The browser (client) itself does not have direct access to any sensitive data such as access and refresh tokens. Therefore, the browser must go through Xoba’s backend services to gain access, decreasing the risk of vulnerabilities.
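
The token handling described in this section, sketched as an added example (not Xoba's code): two separate stores, refresh tokens sealed with AES-256, and owner-only reads of short-lived access tokens. The GCM mode, the function names, the in-memory Maps and the locally generated key are assumptions made for illustration.

```javascript
// Added example, not Xoba's code. GCM mode, names and in-memory Maps are assumptions.
const crypto = require('crypto');

// Stand-in for the key that only the token refresher service can read (the page
// keeps it in a secrets manager); generated here so the example runs offline.
const REFRESHER_KEY = crypto.randomBytes(32); // 32 bytes = AES-256

// Two separate stores, mirroring the "separate databases" described above.
const refreshStore = new Map(); // userId -> { iv, tag, ct }
const accessStore = new Map();  // userId -> { token, expiresAt }

function storeRefreshToken(userId, refreshToken) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', REFRESHER_KEY, iv);
  cipher.setAAD(Buffer.from(userId)); // bind the ciphertext to its owner
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  refreshStore.set(userId, { iv, tag: cipher.getAuthTag(), ct });
}

// Only the refresher service calls this; decryption needs its key.
function loadRefreshToken(userId, key = REFRESHER_KEY) {
  const rec = refreshStore.get(userId);
  if (!rec) throw new Error('no refresh token');
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAAD(Buffer.from(userId));
  d.setAuthTag(rec.tag);
  // final() throws on a wrong key, a tampered record, or a record moved to another user
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

function storeAccessToken(userId, token, ttlMs = 3600_000, now = Date.now()) {
  accessStore.set(userId, { token, expiresAt: now + ttlMs }); // about an hour by default
}

// verifiedUserId must come from an already verified identity token,
// never from a field the browser controls.
function readAccessToken(verifiedUserId, ownerId, now = Date.now()) {
  if (verifiedUserId !== ownerId) throw new Error('forbidden: not token owner');
  const rec = accessStore.get(ownerId);
  if (!rec || rec.expiresAt <= now) throw new Error('expired or missing: refresh required');
  return rec.token;
}
```

Binding the owner's id as associated data means a ciphertext copied onto another user's record fails authentication instead of decrypting.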

Least privileged access

Xoba requests only the ‘must-have’ permissions from your applications. In most cases, this is read-only access. This means we do not have the ability to modify or delete any of the data that is connected. These permission scopes are defined within the third-party application itself and Xoba cannot bypass these permissions. For example, if a user searches for Slack messages, Xoba only asks Slack for read-access to messages, but not for items such as user profiles.

Data storage/download

Xoba does not download or store emails, files, documents, etc. on Xoba servers. Once a result is sent to the browser, Xoba automatically purges any related information from their servers. User’s Google Drive docs stay on Google servers, Asana tasks stay on Asana servers, etc. We only access the information when a user takes a specific action within Xoba (e.g. performs a search). For more information about data we do collect, refer to our Privacy Policy.

Employee & contractor security

Xoba practices the ‘principle of least privilege’. This means that any individual, application, server, etc. only has the bare minimum privileges necessary to perform their function. In addition, below are a few items we implement for all Xoba employees and contractors.

  • 2FA for all accounts and applications
  • 1Password for strong password protection (minimum 30 characters or maximum allowed by service)
  • Distinct passwords across accounts (no account has the same password)
  • Security best practices, training, and education for all members of Xoba

Secure Application Development (Application Development Lifecycle)

Xoba practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull requests, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time to and the effective eradication of bugs and vulnerabilities. In addition, we have a policy in place to keep all third-party packages and libraries as up-to-date as possible, to ensure the latest security patches and code are integrated as soon as they’re available.

Compliance

Xoba is hosted on Google Cloud Platform. Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 18-compliant SOC 2 certification and ISO 27001 certification.

Data collected

Xoba collects usage, analytics, and error logs in order to provide its service. For example, Xoba knows that a user clicked on a Google Drive search result, but we don’t know anything specific about that file (e.g. the name, contents, etc.). This information is not sold to any third parties. If a user wishes to have all their information deleted, they can send a request to privacy@xobalabs.com.

Partners

Xoba is an approved Box and Google Cloud partner.

Privacy Policy & Terms of Service

Contact

For more information or questions, please reach out to security@xobalabs.com.

FAQ

What information does Xoba store?

Xoba does store information about your account, the applications that you connect to Xoba, searches, Cards created, and other actions you perform. For example, we store an event when you perform a search and click on a result. We don't know what document or file you've selected, but we do store that the result you clicked on was a Dropbox result. For more information about the information we store, please refer to our Privacy Policy.

Why am I requested to enter my password when connecting an application to Xoba?

Xoba uses industry standard OAuth to connect your applications. Depending on the application you connect, that application may ask you to enter your password to verify your identity. This is purely for security purposes and Xoba does not receive your password from these applications.

What happens when I remove an application from Xoba?

When you remove an application from Xoba, we automatically remove the backend information from our systems. This is typically done within 1-3 minutes of you removing the application. If you want to re-connect the application, Xoba requires you to reauthenticate the application for security purposes.

Can I delete my account and data?

Yes. You are able to delete your Xoba account via the 'Account' page. Once you delete your account, Xoba will remove your account, associated applications, etc. from our systems. No further action is needed from you.

Do you sell my data to 3rd parties?

No. All data stays within Xoba systems and is not sold to 3rd parties. We do not intend to ever sell your data to 3rd parties.

If I have more questions, who can I talk to at Xoba?

If you have more questions or concerns about security and data, please reach out to security@xobalabs.com. We're more than happy to discuss!
