Responsibilities
We want to help you secure and protect your data. A trusted relationship between you (our
client or partner) and us is required, and transparency and clarity about our mutual responsibilities
are essential. The following shows the separation of responsibilities between you and us, as well as
our recommendations for best practices.
Note: If you are one of our partners, you may be taking over some or all of your clients'
responsibilities in managing XLReporting on their behalf, based on the separation of
responsibilities you have agreed with them. This is a matter between you and your clients, to which
XLReporting is not a party.
You are responsible for the following:
- Your data - you are responsible for your own data, for the reconciliation between your source
  systems and your reports, and for the presentation of information in your reports. We don't have
  access to your account or data unless you request Assisted Setup or support, in which case you may
  need to create a temporary user account for us. For more details, please refer to the Service
  Agreement.
- User access - you are responsible for who you give access to your information. We recommend
  the following:
  - Create a named user for each individual (real) person.
  - Do not create generic users that are shared by multiple team members.
  - Do not share user credentials within your team.
  - Do not use private email addresses such as Gmail, Hotmail, etc. Private email addresses are
    often shared widely across social media, online services, smart devices, family computers,
    etc., and are more vulnerable to social engineering and password exposure. They may create a
    significantly higher risk of unauthorised access to your company data.
  - Make sure that your users activate Multi-Factor Authentication (MFA), which adds an extra
    level of security when logging in.
  - Create user roles that correctly reflect the tasks and responsibilities of your team members.
    Do not give people more permissions, or access to more information, than they really need to
    do their work.
  - Consider carefully which users are allowed to export data to Excel and other files.
    Information is secure within XLReporting, but not once it has been exported to files.
  - Review all user logins and activity regularly, which you can do in the Manage menu.
  - Delete users as soon as they leave your company, become inactive, move into another role, or
    otherwise should no longer have access.
- Security settings - you are responsible for security measures across your company. We
  recommend the following:
  - Enforce Multi-Factor Authentication (MFA) for all users in your tenant.
  - If you have a Single Sign-On (SSO) system, you can integrate it with XLReporting. Contact us
    for more information.
  - Enforce "Same domain" so that users can only be created with your company's email address.
  - Disable published dashboards and scripts unless your company really needs them.
- Reports and models - you are responsible for the correct results of reports and models that
  you have created or changed. We recommend the following:
  - Consider carefully which users are allowed to create or change reports and models.
  - Make a copy of a report or model before you change it, so you can always go back to the
    original version.
  - Make sure that any change to reports and models is fully tested before you make it available
    to other users.
We are responsible for the following:
- IT security - we are responsible for the IT security of our operations. We regard IT security
  and data protection as our top priority. We are GDPR-compliant.
- Software releases - we are responsible for regular releases of our software with improvements
  and new features, and we will do our utmost to avoid any impact on availability and existing
  functionality.
- Servers and uptime - we are responsible for hosting the XLReporting application, website and
  support center, the servers and networks, and ensuring availability and uptime. For more
  details, please refer to the Service Agreement and its SLA addendum.
- Backups - we are responsible for full daily backups of your data. The backups are replicated
  in multiple locations within your own geographic region, ensuring redundancy and availability
  in any situation.
If you have any questions, feel free to contact us.