Trust starts with transparency
Explore XTM’s Security and Legal Center — your centralized hub for compliance, privacy, and legal documentation. Whether you’re reviewing contract terms, service levels, or regulatory certifications, everything you need to assess our security posture and data safeguards is right here.
XTM
Key Documents
Subscription agreement terms
Definitions schedule
Acceptable use policy
Service level agreement pre Aug 2025
Privacy and cookie policy
GDPR compliance statement
Data processing addendum
UK GDPR addendum
Standard contractual clauses controller to processor
HIPAA privacy policy
Data subject access request
XTM Cloud product data retention notice
AI solutions addendum
Responsible AI principles
Service level agreement 2025
Our approach
Our approach
Data Security
- Encryption
We encrypt all traffic in transit with TLS 1.2/1.3. If you use our Private Cloud solution, your data at rest is encrypted using Amazon EBS encryption with the AES-256 algorithm. Passwords are stored using modern hashes. - Backups
Backups are performed daily and are encrypted at rest. AWS snapshots are performed every 2 hours (3 consecutive versions stored) and every 24 hours (12 versions stored). - Disaster Recovery/Business Continuity
We have formally defined a DR/BC Plan that is tested on an annual basis. - IDS/IPS
We constantly monitor our servers by logging and analyzing all relevant activities to ensure the security of our services.
Product Security
- MFA / SSO support
XTM offers multiple secure authentication and authorization options, such as: Customer-configurable password requirements, MFA, Single Sign On (SSO), LDAP, Active Directory, and Azure AD. - Role Based Access Control
XTM is a role-based system that allows users to define their permissions based on their roles and the rights you grant them. - Penetration tests
An independent third-party penetration-testing specialist company carries out annual testing of the XTM application. Penetration testing includes, but is not limited to, the OWASP Top 10 Vulnerabilities. Each new version of XTM undergoes internal penetration testing as part of the latest release. - SDLC with security focus
We are committed to assessing risk during the entire Software Development Life Cycle including design, implementation, deployment, and maintenance stages.
Network Security
- Firewall
Firewall rules are used to restrict unauthorized traffic. We follow the NIST’s “Guidelines on Firewalls and Firewall Policy”. - MFA
Access to our systems is only possible with MFA. - Security monitoring
We actively monitor activities on our systems and perform automated or manual prevention actions if required. We use centralized logging and monitoring systems and an IDS/IPS solution. - Vulnerability scans
We perform regular vulnerability scans of our systems, libraries and software by using industry leading solutions.
Corporate Security
- Segregation of Duties
We implement a Segregation of Duties (SoD) approach to sustainable risk management and internal controls for a business. The principle of SoD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. - Security Awareness Training
XTM conducts security awareness training for all employees on a regular basis. We provide assessments to measure awareness levels in the company. Simulated phishing attacks are part of the training program. - Risk Assessment Committee
XTM has a formal Risk Assessment Committee that meets once a month and proactively acts to identify and mitigate possible risks. - Principle of Least Privilege
The Principle of Least Privilege (PoLP) is used within XTM International, limiting access rights for users to the bare minimum required to fulfill their function.
Endpoint Security
- Disk Encryption
All workstations and laptops have disk encryption enabled by default. - Endpoint protection software
Endpoint protection software’s virus database is updated daily and blocks all suspicious activities. - Centralized management
Our endpoints are centrally managed, which ensures compliance with our policies and standards. - Software whitelisting
We implement software whitelisting that restricts the usage of unapproved applications.
