Networking is defined by trust.

We consider member trust essential, which is why we do everything we can to protect your data.

XING is subject to German data protection law.

Your personal data deserve maximum protection. XING AG is a German company with both its headquarters and data centres – used for direct data processing – located in Germany. This means that XING is subject to German data protection law, some of the strictest in the world.

Data protection in line with strict German regulations.

XING is bound to comply with strict German data protection regulations and respective EU regulations. If XING commissions third parties to process data(1), it will always require said third parties to process such data within the EU. The EU’s overriding principle is “prohibition pending approval”, meaning that data may not be collected, processed or used in any way without prior legal permission, which is why we obtain express consent from users before processing any of their data (registration privacy policy).

Data sharing – It’s up to you.

XING gives you all the tools you need to retain full control over your own data. This means you specify for each XING member, irrespective of whether or not they’re a contact, which of your contact data they can see and whether that member can send you messages. You can determine whether your profile can be found by non-members and search engines like Google. As a result, you get to decide where you and your XING profile should appear. You also get to decide what and how much you write about yourself in your profile, as the only mandatory fields are your name, gender, country/region and professional status (possibly company name and position).

SSL/TLS-encrypted data transfer

Data traffic generated by logged-in XING members is always encrypted and always has been. The encryption technology we use is the same as banks have in place for their online banking sites. Thanks to this encryption, your data traffic can’t be accessed by third parties.

Data is transferred using SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols, and we support TLS 1.2, 1.1 and 1.0. We provide up to 256-bit encryption, but the level of encryption depends on the browser you use. If you have an older browser, we provide at least 128-bit encryption.

We adhere to the recommendations provided by the Federal Office for Information Security (BSI) and the European Union Agency for Network and Information Security (ENISA) when choosing our algorithms and key lengths. You can use the Qualys SSL Labs SSL server test (https://www.ssllabs.com/ssltest/analyze.html?d=xing.com) to see which algorithms and settings our systems provide.

Responsible Disclosure Policy

Here at XING we work closely with security researchers in order to act in a responsible way. XING is willing to address reported vulnerabilities quickly, which, depending on the complexity of the fix, generally means within two release cycles. We intend to patch the vulnerability before details become publicly available as it ensures safety for our users. Please get in touch with us by sending an e-mail to security-reports [at] xing [dot] com and we will get back to you as soon as possible.

XING’s security experts are members of the Federal Office for Information Security’s expert panel

XING’s security team is a member of the Federal Office for Information Security’s expert panel for cyber security, an alliance put in place by the Federal Office for Information Security (BSI) in cooperation with the German Association for Information Technology, Telecommunications and New Media (Bitkom) with the aim of exchanging news and views on the latest cyber security topics. The expert panel also identifies key measures to safeguard against cyber-attacks which the BSI then publishes on behalf of the cyber security alliance, thus making them available to German industry.

Independent audits

We have external independent institutes verify the various technical aspects of our platform on a regular basis. We are regularly audited to make sure we adhere to the Payment Card Industry Data Security Standard (PCI DSS), and our in-house security team and external security experts perform regular checks to analyse our infrastructure and the many features our platform has to offer. 

PCI compliance for credit card security

We are regularly audited to make sure we adhere to the Payment Card Industry Data Security Standard (PCI DSS), which is required to handle and process credit card data. Such audits comprise both physical and technical components of our platform, and range from the installation of a firewall right through to encrypted payment data transfer. Please visit the PCI Security Standards Council (https://www.pcisecuritystandards.org) website for more information.

Code review and external security audits

Our in-house security team and external security experts perform regular checks to analyse our infrastructure and new features, one such example being the member profile we relaunched in July 2013 which successfully passed tests carried out by Inverse Path S.r.l.

Other protective measures

Our platform also incorporates a number of security measures to safeguard against a wide range of typical risks, including:

  • so-called intrusion detection, which we use to track potential attacks and suspicious activity on our platform.
  • scanning of the entire platform where members post text - e.g., in groups, events, search results, and profile entries - in order to stop malicious code known as cross-site scripting from penetrating the platform.
  • a number of monitoring tools which continually analyse activity on the platform while checking user entries for plausibility. Our Customer Care Team is immediately notified if certain strings are used (e.g. "asdf" in all input fields during registration) or if various members appear to log in to one computer. This may even lead to users being automatically blocked temporarily due to suspicious activity.

(1) XING AG commissions, for example, kununu GmbH to process data on its behalf. To this end, kununu uses IT systems that are not located in the Federal Republic of Germany, but within the European Union. XING AG has taken the necessary steps to ensure that German data security standards are upheld.

The XING Security Team

  • Veronika Isbarn, Data Protection Officer & Legal Counsel
  • Ingo Chao, Team Leader Technical Risk Management
  • Daniel Silva Yañez, Team Leader Customer Care
  • Dr. Stefan Kaes, Principal System Architect
  • Felix Lasse, Principal Legal Counsel
  • Tilmann Haak, Security Engineer
  • Martin Richardson, Product Manager