Security Overview

Xactly understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and therefore to our success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our applications, systems, and processes to meet the changing demands and challenges of security.

InfoSec Update:

October 31, 2022: Xactly is aware of the evolving situation with the OpenSSL 3.x vulnerability. At this point our scans show that we are not affected by this vulnerability but will continue to monitor the situation closely.

April 1, 2022: Xactly is aware of the Spring4Shell 0-day vulnerability. After further investigation across all Xactly environments, we have determined there is no impact to our systems.

CVE-2021-44228 Log4J Vulnerability:
Xactly has performed a detailed analysis of all environments and has applied industry recommended remediation steps to the affected services.

Secure Data Centers

Our service is collocated in dedicated secure cages in top-tier data centers. These facilities provide carrier-level support, including:

Security

24×7 monitoring by closed-circuit cameras and onsite guards
Data center space is physically isolated and accessible only by specified administrators
Access is restricted to authorized personnel through biometric two-factor authentication
Fully-managed, hardened, stateful inspection firewall technology
Fully-managed Intrusion Detection System (IDS)
Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing Arbor Networks Peakflow to compare real-time network traffic, immediately flagging anomalies such as:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms or botnets
- Network issues such as traffic and routing instability, equipment failures, or misconfigurations
- 24x7x365 Firewall, VPN, and IDS support and maintenance
Security Incident Response Team (SIRT) to handle reports of security incidents

Power and Environment

Fire Detection and Suppression

Flood Control and Earthquake

Secure Transmission and Sessions

Network Protection

Disaster Recovery

Backups

All data is backed up at each data center, on a rotating schedule of incremental and full backups. The backups are then replicated over secure links to a secure archive.

Internal and Third-party Testing and Assessments

Xactly tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly, including:

Web application vulnerability assessments
Network vulnerability assessments
Selected penetration testing and code reviews
Security control framework review and testing

Security Monitoring

Security Notice

Xactly uses the most advanced Internet security available today to ensure the security of customer information. Whenever a user accesses Xactly Incent, a secure HTTP connection is established leveraging Secure Socket Layer/Transport Layer Security (SSL/TLS) technology. This technology enables Xactly to ensure that customer information is safe, secure, and only available to registered users.

All Xactly Incent users have a unique user name and password that is enforced with strict rules regarding password length, reuse, and more. Additionally, since a limited number of users, typically compensation analysts, enter company data, Xactly offers an optional feature to lock their access to specific IP addresses.

The Xactly hosted environment is secured in Tier IV data center facilities managed by a world-class Managed Services Provider. Security at these facilities is guided by a “defense-in-depth” security strategy using layers of integrated and redundant security measures.

Threats

Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls (or other social engineering techniques) attempting to gather information that can be used to gain unauthorized access or privileged knowledge.

Xactly does not require the use of Java running within a user’s browser. Information regarding risks related to Java running within a user’s browser can be found at: www.kb.cert.org/vuls/id/625617

Username and Password Reuse Across Multiple Sites

At Xactly, we recognize that having a trusted relationship with our customers is a continuous and on-going process. When creating your username and password for the Xactly Incent suite, please keep in mind best practices for access credentials:

Don’t use the same username and password for all (or even many) of your online accounts.
Don’t share your passwords with anybody; don’t write them down or send them via email. Xactly support personnel will never ask you for your password.
Configure strong password policies such as password strength, aging, and re-use.
For more information about passwords and your Xactly Incent configuration, see the Security Best Practices section of our Trust site at: https://www.xactlycorp.com/company/xactly-trust/best-practices/

Wireless Connection Sniffing and Hijacking

Xactly provides SSL 3.0/TLS 1.2 encryption (https) for login and communications between the Incent application and a user’s web browser. This means that even when logging in to Incent over an unsecured wireless network, your login credentials and business data are protected from hijacking. Along with encrypted connections, Xactly offers a suite of security features that customers can configure to their needs. For more information, see the Security Best Practices section of our Trust site at: https://www.xactlycorp.com/company/xactly-trust/best-practices/

Phishing and Malware

“Phishing” is an attack technique whereby Internet criminals set up a web site that mimics a legitimate site, such as login.www.xactlycorp.com. By following the tips below, you can reduce the potential for becoming a victim:

Always look for the “lock” icon in the bottom-right corner of your browser
Be suspicious of emails that include links to login.www.xactlycorp.com. Don’t click on such links—instead, always log in to Incent in one of the following ways:
- Enter “https://login.xactlycorp.com ” in the browser address field for the Incent production environment.
- Enter “https://sandbox.xactlycorp.com/login.php” in the browser address field for the Incent sandbox environment.
- Click the Customer Login tab on the www.xactlycorp.com home page (www.xactlycorp.com) .

Suspicious Emails

Phishing emails try to trick you into revealing information, often by asking you to “verify” or “update” information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate. One clue is that these messages often contain poor spelling and grammar. However, as technology criminals become more sophisticated, their approaches are becoming more varied and their attempts are getting better. Another sign to check is a link (or links) that don’t match the URLs of the companies from which they claim to come. Legitimate businesses, such as Xactly, will never ask you for sensitive information via email. If you receive such an email, do not respond or click any links in the email; instead contact Xactly Support to report the issue.

Look out for Suspicious Links and Attachments

Malicious software attacks can also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—including programs that capture keystrokes—on your computer. As users have become wary of attachments with “.exe” or unknown extensions, Internet criminals are now using attachments with seemingly innocuous “.doc” or “.pdf” extensions. To avoid becoming a victim of malicious emails, please adhere to these recommendations:

Beware of unusual links.
Watch out for links that contain URLs that look similar to real ones, for example: “www.xctlycorp.com” or “trust-www.xactlycorp.com ”.
To validate a suspicious link, enter the company’s URL into the browser address field yourself. Phishers can make links look legitimate, even though they take you to a different site.
If you receive a suspicious email that includes the www.xactlycorp.com brand, please contact Xactly Support to report the issue.

Suspicious Phone Calls (Social Engineering)

Criminals may also try to misrepresent themselves as employees or agents of www.xactlycorp.com. Some of these callers are attempting to steal your www.xactlycorp.com credentials—an illegal practice known as “social engineering.” Here’s how it typically works:

A caller identifies companies that use Xactly applications.
The caller contacts the customer’s main switchboard and asks for the person responsible for Xactly or the Xactly administrator. The caller may claim to offer a “new version of the application.”
The caller asks for login credentials to “install improvements” or perform other activities in the customer’s instance of Xactly.

What you need to do:

Remind your users that Xactly employees will never ask for usernames or passwords.
If one of your users betrays his or her login credentials, reset that person’s password immediately and notify Xactly Support.
If a caller identifies him or herself as an Xactly employee and you do not recognize his or her name, ask for a call-back number and email address. After you get the information, contact Xactly Support to verify whether the caller is an Xactly employee.

Best Practices

Administrators – Protect Your Company

Implement IP Restrictions in Xactly Incent

A great tool for protecting your applications is restricting login to those IP addresses that you specifically approve.To restrict IP addresses, click Setup > Users > User Information, and enter the appropriate address in the IP address field. When enabled, the specified user can only log into the Xactly Incent application using the specified IP address.

To notify Xactly about your primary administrative/security contact, contact Xactly Support.

Secure Employee Systems

One of your goals should be to keep email fraud, malware and phishing attempts, from reaching your users. To help do this, secure all computers used by your employees by doing the following:

Update all users to the latest supported browser version.
Deploy email filtering technology. Make sure you white list Xactly Incent IP addresses.
Install and maintain virus and malware protection software on all user machines, and keep all applications and definitions up to date.

Strengthen Password Policies

You can make passwords more secure and harder to break by requiring users to utilize complex passwords, enforcing password expiration on a regular basis, and implementing lockouts based on unsuccessful login attempts. To set password policies, click Preferences > Password Policies, and specify the following values:

Password Expiration

Controls the frequency by which passwords expire for the Xactly Incent suite
Minimum Length

Specifies the minimum required password length to access the Xactly Incent suite
Password Complexity

Establishes the degree of complexity required for a password
Login Attempt Account Lockout Threshold

Locks out a user after the specified number of consecutive unsuccessful login attempts
New Password After Lockout Requirement

Controls whether a user must create a new password after being locked out of the application
Challenge Question Requirement

Requires a challenge question and answer when the user is resetting their password (to better ensure the identity of the user)

Require Secure Sessions

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended, or they fail to log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value from 30 minutes to 2 hours. To change the session timeout, click Setup > Preferences > SESSION_TIMEOUT, and enter the appropriate value. In addition, you can configure a session timeout warning that is issued to users 10 minutes prior to their session automatically timing out. To change the session timeout, click Setup > Preferences > SESSION_TIMEOUT_WARNING, and specify the appropriate warning.

Identify the Primary Business Administrator

Xactly recommends that you identify a person in your company who is to serve as the primary person responsible for application administration and security. This person should have a thorough understanding of your application and security policies. Be sure to make this person your single point of contact for Xactly Incent. To notify Xactly about your primary administrative/security contact, create a case from the Community Portal through the Incent home page.

To notify Xactly about your primary administrative/security contact, contact Xactly Support.

EXPLORE INCENT ENTERPRISE

EXPLORE INCENT

Security Overview

InfoSec Update:

Secure Data Centers

Internal and Third-party Testing and Assessments

Security Notice

Threats

Best Practices

Administrators – Protect Your Company

Password Expiration

Minimum Length

Password Complexity

Login Attempt Account Lockout Threshold

New Password After Lockout Requirement

Challenge Question Requirement