Xactly is aware of the Zero Day Vulnerability, Spring4Shell and through our investigations to our environments, we are not impacted by this vulnerability.

Security Overview


Xactly understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and therefore to our success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our applications, systems, and processes to meet the changing demands and challenges of security.

InfoSec Update:

October 31, 2022: Xactly is aware of the evolving situation with the OpenSSL 3.x vulnerability. At this point our scans show that we are not affected by this vulnerability but will continue to monitor the situation closely.

April 1, 2022: Xactly is aware of the Spring4Shell 0-day vulnerability. After further investigation across all Xactly environments, we have determined there is no impact to our systems.

CVE-2021-44228 Log4J Vulnerability:
Xactly has performed a detailed analysis of all environments and has applied industry recommended remediation steps to the affected services.

Secure Data Centers

Our service is collocated in dedicated secure cages in top-tier data centers. These facilities provide carrier-level support, including:

Security Notice

Xactly uses the most advanced Internet security available today to ensure the security of customer information. Whenever a user accesses Xactly Incent, a secure HTTP connection is established leveraging Secure Socket Layer/Transport Layer Security (SSL/TLS) technology. This technology enables Xactly to ensure that customer information is safe, secure, and only available to registered users.

All Xactly Incent users have a unique user name and password that is enforced with strict rules regarding password length, reuse, and more. Additionally, since a limited number of users, typically compensation analysts, enter company data, Xactly offers an optional feature to lock their access to specific IP addresses.

The Xactly hosted environment is secured in Tier IV data center facilities managed by a world-class Managed Services Provider. Security at these facilities is guided by a “defense-in-depth” security strategy using layers of integrated and redundant security measures.


Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls (or other social engineering techniques) attempting to gather information that can be used to gain unauthorized access or privileged knowledge.

Xactly does not require the use of Java running within a user’s browser. Information regarding risks related to Java running within a user’s browser can be found at: www.kb.cert.org/vuls/id/625617

Best Practices

Administrators – Protect Your Company

Implement IP Restrictions in Xactly Incent

A great tool for protecting your applications is restricting login to those IP addresses that you specifically approve.To restrict IP addresses, click Setup > Users > User Information, and enter the appropriate address in the IP address field. When enabled, the specified user can only log into the Xactly Incent application using the specified IP address.

To notify Xactly about your primary administrative/security contact, contact Xactly Support.

To notify Xactly about your primary administrative/security contact, contact Xactly Support.

accordion togglechevrongearslockmonitornew-tabshield_1status_information_available_outlinestatus_information_available_solidstatus_online_outlinestatus_online_solidstatus_service_disruption_outlinestatus_service_disruption_solidmaintenance_outlinemaintenance_solidXTY17632 - Trust UX Icons @x2 v1warning_outlinewarning_solid