Data Security


The Customer Cloud is architected with sound infosec principles. Nothing in the Customer Cloud is accessible to internal and external stakeholders, other than nominated IT users. It is architected with multiple layers of security.


Xerago deploys the Customer Cloud on a shared-nothing private cloud or on your servers, in both instances isolated from the internet.


All user sessions and Application to Private Cloud connections are secured via HTTPS using 2048 bit Certificates with strong 256 bit encryption. All data belonging to your business is stored entirely in your Private Cloud which is inaccessible via public Internet. All Personally Identifiable Information is stored in a separate token vault.


All ports and servers are closed to the public Internet, with the exception of two HTTPs 443s ports.

Xerago uses Intrusion Detection System (IDS) sensors to detect and alert unauthorized efforts for network access.


Risk mitigation

Cato ensures that the risk and vulnerability management, incident response, mitigation, and resolution process is agile and precise.

Cato identifies potential security vulnerabilities to improve the security of the Customer Cloud overall. Our security team also ensures that high risk vulnerabilities are addressed prior to each release.

Ready to be on point?

Regulatory / Standards Compliance

Below is the list of certifications, standards and regulations that the platform complies with.

SOC2 – Type II

SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA's Trust Services Principles of security, privacy, confidentiality, availability, and processing integrity. 


The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.


OWASP (Open Web Application Security Project) is an online community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security. Cato Customer Cloud ensures implementation and monitoring of coding best practices outlined in the Open Web Application Security Project (OWASP) guidelines.


The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.


The TCPA (The Telephone Consumer Protection Act of 1991) restricts telephone solicitations and limits the use of automatic dialing systems, artificial or prerecoreded voice messages, SMS texts and fax machines primarily to safeguard consumer privacy.

11 (1)

Customer Data Confidentiality

Cato does not use or share customer information collected on behalf of the client except as may be allowed in the agreed contract and as mentioned in the Cato Customer Cloud Terms of Use and Privacy Policy.

These approach and steps taken by Cato help safeguard the security of  customer data.

You can rest assured knowing that the integrity and security of their data is fully intact.