XMPie Circle Security

Summary: This article describes the security measures implemented in Circle.

The following security measures have been taken:

Security audit and procedures

  • Circle is part of XMPie's SOC 2 adoption over ISO27001. For more details, see SOC 2 and ISO 27001.

  • XMPie maintains a risk-based assessment security program. The Secure Software Development Life Cycle (Secure SDLC) process is one of the cornerstones of XMPie security program. For more details, see Security by Design.

  • The cloud solution has undergone security audits (2017, 2013), including design review, code review and penetration testing by a leading security company, Comsec Global.

  • Circle is based on Amazon Web Services (AWS) infrastructure and services, which are PCI Level1 compliant. For further information, see https://aws.amazon.com/security/.

  • All communication is done using Transport Layer Security (TLS 1.2 is the successor of SSL).

  • XMPie has restricted access to the AWS servers to several exclusive employees; access can be given only by XMPie.

  • The system is monitored 24/7 by the XMPie IT group.

Personal Identifiable Information (PII) and privacy

  • Circle is fully compliant with General Data Protection Regulations (GDPR). For more details, refer to GDPR Guidelines for XMPie Products.

  • Personal Identifiable Information (PII) contained in the data source is passed to the cloud in several cases:

    • Production and processing purposes. All information is deleted shortly after usage, according to GDPR requirements. Examples: Circle Analytics list reports and email mass production.

    • User-selected sample recipients, used for preview options. Since the details of sample recipients are stored on the cloud, for security reasons fake sample recipients only should be used.

  • Cloud Tracking events are distributed to the Circle Cloud for event-filtering and analytic purposes, but do not contain any recipient information short of the recipient key.

  • In all other cases, all ADOR information is stripped out before leaving the LAN.

  • A multi-tenant security methodology that isolates customers is used, enforced by our Data Access Layer (DAL) and database structure.

  • Each of the cloud servers is isolated in separate security groups, virtually creating a firewall between each component of the system.

Architecture and system policies

  • The on-premises administrator selectively picks which Circle subscription should have access to uProduce, others are firewalled out. 

  • Uninstalling the Circle Agent (located on the premises) blocks all communication between the Circle cloud and uProduce.

  • No inbound communication port needs to be opened in the on-premise firewall. Only outbound port 443 is used, which is commonly open in firewalls.

    If you wish to open outbound port 443 to specific hosts only, use these addresses:

    • eu.xmcircle.com

    • eu-west-1.queue.amazonaws.com

    • swf.eu-west-1.amazonaws.com

  • Role-based security is used for subscription users as well as for internal XMPie cloud administrators.

  • Passwords are enforced by password policy.

  • Sessions and tokens are time bound.

 

Created by: Yaron Tomer, updated by Mohammad Mansour on February, 2025