Advanced Structures India Private Limited

xcPEP Trust Center

Welcome to the Advanced Structures India Private Limited Trust Center, your comprehensive resource for understanding our unwavering commitment to security, privacy, compliance, and operational excellence for our xcPEP SaaS offerings. We believe in complete transparency, providing you with the assurance you need when partnering with us.

1. General Information & Company Overview

About xcPEP

xcPEP is a leading SaaS platform developed by Advanced Structures India Private Limited, specifically designed to empower businesses with advanced Cost Engineering capabilities. Our solution helps streamline project costing, optimize financial planning, and enhance decision-making through precise cost analysis. We offer a robust, cloud-based platform that can be deployed for various use cases, from initial Proof-of-Concept (PoC) engagements to full-scale enterprise-wide implementations. Our solution is accessible via a secure web url in the format of customercode.xcpep.com where customercode is different for every enterprise customer.

We are dedicated to delivering a high-quality product that aligns with industry best practices. Our solution can be considered an approved corporate standard for organizations seeking secure data handling, scalable cloud infrastructure, and efficient application performance in the realm of cost engineering.

About Advanced Structures India

xcPEP has been developed and is managed by Advanced Structures India Private Limited.

Address-

Advanced Structures India Private Limited,
2B, 4th Phase,
Bommasandra Jigani Link Road,
Bommasandra Industrial Area,
Bengaluru, Karnataka,
India.
PIN – 560099

CIN U74900KA2014PTC073850

2. Security & Compliance

Robust Security Architecture

Our solution is built upon a foundation of industry-leading security practices, integrating comprehensive security measures across all layers of our architecture – from network perimeter to application logic. We continuously employ a multi-layered security approach, utilizing perimeter firewalls, Web Application Firewalls (WAF), Intrusion Detection/Prevention Systems (IDS/IPS), and advanced Anti-Virus solutions to protect against threats. We adhere to the OWASP Top 10 web application vulnerability checklist standards and implement robust prevention mechanisms against common attacks like SQL injections and various bot attacks. This includes strict limitations on failed login attempts, page views, and application sessions to prevent brute-force attacks and abuse.

Data Privacy and Encryption

Your data privacy is paramount. We operate under a strict Data Privacy Policy outlines our commitment to protecting your information. We ensure all critical user information in the database is encrypted using strong algorithms like AES 256 with a secret key and IV. Passwords are securely hashed with a robust algorithm. All critical URLs and information in URL query strings are encrypted. Furthermore, critical information within our logs is either encrypted or removed to maintain privacy. We enforce a strict HTTPS policy, and all communication with third parties and sensitive services utilizes two-way peer-to-peer SSL encryption. Data is encrypted both in transit (using protocols like TLS 1.2 or higher) and at rest.

Identity and Access Management

We provide comprehensive Authentication, Access, and Identity Management solutions, including support for multi-factor authentication (MFA) to provide an additional layer of security for user accounts. Available MFA methods include [list specific methods, e.g., TOTP (Time-based One-Time Password), SMS verification, authenticator apps]. We offer granular control over network access, allowing for restriction by named IPs or IP ranges. Our solution enables the enforcement of custom password policies to align with your organization's security requirements. We provide robust Roles-Based Access Control (RBAC), allowing you to define and manage user permissions based on roles, attributes, or hierarchical structures within the application. User sessions are securely managed at the application level, with configurable active and inactive session timeouts to prevent unauthorized access.

Auditing and Monitoring

All access to customer data is meticulously logged and continuously monitored for traceability. These logs provide a comprehensive audit trail of user accounts and historical activities, which can be exported for your review.

Vulnerability Management & Incident Response

We conduct regular Vulnerability Assessment and Penetration Testing (VAPT) at a frequency of once per quarter. We are committed to notifying customers promptly of any breaches involving their data. Our Data Breach Notification Policy outlines the procedures and timelines for such notifications.

Secure Software Development Lifecycle (SDLC)

Our codebase is securely hosted in a premium version control system (e.g., GitHub Enterprise account), ensuring strict access controls and versioning. We integrate security throughout our Secure Software Development Lifecycle (SDLC), embedding security measures from the design phase through deployment, ensuring the development of secure software.

Employee Access Controls

We implement stringent employee access controls, ensuring that only authorized personnel have access to sensitive systems and customer data, based on the principle of least privilege. All employee access is logged and regularly reviewed.

Compliance and Certifications

We are ISO/IEC 27001:2013 Certified, demonstrating our adherence to global information security management standards

3. Infrastructure & Operations

Cloud Infrastructure Security & Scalability

Our solution is hosted on Amazon Web Services (AWS), a leading global cloud provider. We leverage AWS's robust security features and capabilities to ensure the highest standards of cloud infrastructure security. We can provide deployment options across multiple AWS regions as per customer needs, supporting specific data residency requirements. Our infrastructure is designed for high availability and fault tolerance, capable of recovering from various events within a datacenter, including high load, hardware, software, or network failures. We employ autoscaling mechanisms managed by our operations team and automated AWS services to dynamically adjust infrastructure capacity based on demand, ensuring optimal performance and resource utilization. We also implement cost alerts to manage resource consumption efficiently. Our infrastructure's current compute, storage, and network capacities are robust and designed to handle significant workloads, with detailed benchmarking reports available upon request to demonstrate our sizing methodology.

Data Center Segregation & Environments

We provide clear segregation of infrastructure from other customers and environments within AWS. Our detailed documentation on this segregation is available upon request. In addition to our production environments, we offer dedicated development, testing, and/or staging environments to facilitate smooth deployments and feature testing.

Business Continuity & Disaster Recovery (BCDR)

We maintain a comprehensive Backup and Recovery Policy which includes, at a minimum, full weekly backups and daily incremental backups of your data. Our Business Continuity and Disaster Recovery (BCDR) Policy outlines our strategies for rapid recovery in the event of a disaster. We aim for a fail-over or disaster recovery with a one-hour response time, leveraging alternate recovery sites and cross-region replication within AWS. Our Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined to minimize data loss and downtime, ensuring business continuity even in the face of significant outages.

Service Level & Support

We offer a Service Level Agreement (SLA) of 99.9% and above, ensuring high availability of our services. Our SLA Policy details the specifics of our uptime commitments, including any penalties and credits for non-compliance. We provide 365 x 24 x 7 support with a one-hour response time for critical issues. Our Support Model documentation outlines our support channels, escalation procedures, and response times. We provide advance notification and a schedule of planned maintenance windows where service may be temporarily unavailable. In the event of unscheduled service outages, we provide proactive notification within one hour of service disruption. Our operational history shows minimal unscheduled outages, with proactive notification as per policy.

4. Data Management

Data Processing & Ownership

Our solution is designed to handle various types of enterprise data essential for Cost Engineering. We operate with Data Minimization by Design, ensuring we only collect and process data strictly necessary for the functionality of xcPEP. We recognize and respect your ownership of your data. We provide clear information on our Data Processing & Sub-Processors, including details about our hosting infrastructure on AWS and internal productivity tools. Our solution provides capabilities for you to view, export, and extract your historical data through various methods, including API exports, dashboard downloads, and bulk export tools. We also support bulk loading of data via API or secure file transfer protocols.

Data Retention & Right to Erasure

We provide the ability to enforce Custom Data Retention Policies, allowing you to define and honor customer-specific data retention and deletion timelines. Upon termination of service, our solution provides the ability to retrieve or export all your data. Following successful data retrieval/export, we ensure the complete destruction of all your data from our systems, including backups, in accordance with our Data Retention and Deletion Policy and supporting the customer's Right to Erasure.

Data Residency and Sovereignty

We utilize AWS and support data residency controls, offering deployment in multiple AWS regions globally to help you comply with various privacy regulations and data sovereignty requirements. If any customer data is stored outside of a customer's requested region, this will be clearly communicated and agreed upon.

Data Segregation & Reporting

We ensure robust segregation of customer data through logical separation within our multi-tenant AWS environment, maintaining the privacy and integrity of your information. Our solution offers comprehensive reporting capabilities, providing insights into various aspects of your cost engineering data, usage, and system performance.

5. Integrations

Integration Capabilities

Our solution offers robust integration capabilities with your existing systems, whether cloud-hosted or on-premise. We support various integration methods, including secure Web Services APIs compliant with industry standards like SAML 2.0 for Single Sign-On. We integrate with leading identity providers for seamless user authentication. Detailed API documentation is available. APIs are accessed via secure keys, with key expiration periods customizable by the customer and managed jointly.

6. Application Features

Cloud Characteristics & Accessibility

Our solution provides automatic upgrades for all users, ensuring you always have access to the latest features and security enhancements.

Client Software & Session Management

Our solution is primarily web-based and generally does not require client software to be installed on end-user machines or devices. We provide granular control over both active and inactive session timeouts to enhance security and resource management.

7. Legal and Viability

Legal Framework & Partnership

We ensure a Non-Disclosure Agreement (NDA) is in place with all solution providers and partners to protect your confidential information. Our commitment includes obtaining your authorization for any release of your data or information to any third party. You have the right to request an audit of our infrastructure and services relevant to the scope of services provided to you. As a global SaaS provider using AWS, we can support data storage in multiple AWS regions, and any data stored outside a customer's requested region will be clearly communicated and agreed upon. We also provide remedies for breaches of SLA compliance and other contractual requirements as outlined in our agreements.

Provider Viability

Advanced Structures India Private Limited is committed to long-term viability and stability. We maintain sound financial health and can provide information regarding our past records and projects to prospective customers, demonstrating our proven track record.

List of Policies