Security is our top priority

Xoba is hosted on Google Cloud Platform. All datacenters are located in the United States.

Individuals are able to create a Xoba account using Google or via passwordless login. Xoba uses Google authentication services.

Xoba users connect their third-party applications (e.g. Google Drive, Asana, Slack, etc.) using OAuth 2.0, an industry standard for authorizing secure access to external applications. Xoba does not have access or store any application passwords. Users are able to remove an application at any time and Xoba immediately deletes all authentication and authorization data from our servers.

Xoba exclusively sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application. All data on Xoba servers is encrypted at rest. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). Xoba has complete control over access to the KMS and has restricted access within Xoba.

All applications connected to Xoba use OAuth 2.0. Users’ access tokens (token used to grant access to information based on the user requesting it) and refresh tokens (token used to request a new access token) are stored in separate databases. The refresh tokens are encrypted using AES-256 encryption. Access to the refresh tokens is tightly controlled to a single service (token refresher). The key for this service is protected with Google Secrets Manager and has restricted access within Xoba. 
‍
The access tokens are accessible to the Xoba’s backend refresher service and the user who owns them. The user’s private key (generated by Google’s Authentication Service) is verified before the user can touch any access tokens to the user is only reading/writing their own token(s). These access tokens have a limited lifespan (typically an hour) and are periodically refreshed. 
‍
The browser (client) itself does not have direct access to any sensitive data such as access and refresher tokens.  Therefore, the browser must go through Xoba’s backend services to gain access decreasing risk of vulnerabilities.

Xoba requests only the ‘must-’have’ permissions from your applications. In most cases, this is read-only access. This means we do not have the ability to modify or delete any of the data that is connected. These permission scopes are defined within the third-party application itself and Xoba cannot bypass these permissions. For example, if a user searches for Slack messages, Xoba only asks slack for read-access to messages, but not for items such as user profiles.

Xoba does not download or store emails, files, documents, etc. on Xoba servers. Once a result is sent to the browser, Xoba automatically purges any related information from their servers. User’s Google Drive docs stay on Google servers, Asana tasks stay on Asana servers, etc. We only access the information when a user takes a specific action within Xoba (e.g. performs a search). For more information about data we do collect, refer to our Privacy Policy.

Xoba practices ‘Principle of least privilege’. This means that any individual, application, server, etc. only has the bare minimum privileges necessary to perform their function. In addition, below are a few items we implement for all Xoba employees and contractors. 

• 2FA for all accounts and applications 
• 1password for strong password protection (minimum 30 characters or maximum allowed by service)
• Distinct passwords across accounts (no account has the same password)
• Security best practices, training, and education for all members of Xoba

Xoba practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull request, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time to and the effective eradication of bugs and vulnerabilities. In addition, we have a policy in place to keep all third-party packages and libraries as up-to-date as possible, to ensure the latest security patches and code are integrated as soon as they’re available.

Xoba is hosted on Google Cloud Platform. Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 18-compliant SOC 2 certification and ISO 27001 certification.

Xoba collects usage, analytics, and error logs in order to provide their service. For example, Xoba knows that a user clicked on a Google Drive search result, but we don’t know anything specific about that file (e.g. the name, contents, etc.). This information is not sold to any third-parties. If a user wishes to have all their information deleted, they can send a request to privacy@xobalabs.com.

Xoba is an approved Box and Google Cloud partner.

Xoba Privacy Policy
‍Xoba Terms of Service

For more information or questions, please reach out to security@xobalabs.com.