Security, Privacy and Trust at Xeal
Xeal is a technology-first electric vehicle (EV) charging company operating at the intersection of mobility, real estate, IoT, and energy. We are building the next generation of EV solutions, and that includes ensuring our systems are designed and operated securely. This document gives an overview of the Xeal security program, and how we go about achieving this goal.
SOC 2 Type II Compliance
Xeal is a SOC 2 Type II compliant organization, relevant to security and confidentiality. SOC 2 is a third party audit undertaken annually to ensure that a companies information security program is operating effectively. Each year, more than 50 individual security controls and processes in use at Xeal are independently verified by a third party audit firm.
Introduction
The majority of us have by now, unfortunately, been impacted by some sort of data breach. It’s a jarring feeling to be told that your personal data has been exposed to parties unknown, and to be left wondering how they plan on misusing the data. Given this, we could all be forgiven for being a little cynical when the companies that handle our data make claims about how they keep it secure.
At Xeal, when we consider the secure handling of personal data, we know that trust, very rightly, has to be earned. This document is designed to be the first step towards earning your trust. It will take you on a tour of our security and privacy practices from the top down. We’ll start with our organizational level practices and principles that guide the security decisions that ultimately flow down into our software, hardware and services.
But it is just that; the first step. We know that the majority of trust will come later, as we work together, and as you interact with the Xeal team.
After all, when you partner with Xeal, you’re getting more than just an EV charger. You’re expanding your team to include the security, reliability, and engineering knowledge of the folks at Xeal. We have no doubt that as you engage with us, you’ll find yourself exposed to a group of people who are just as passionate about keeping your data secure as you are.
Xeal, the company
Xeal has employees based across the United States. Some spend every day in a Xeal office, others have adopted a hybrid schedule, and others are fully remote. Regardless of their work location, Xeal employees all have access to a dedicated security team, follow the same policies and procedures, and have company-issued laptops equipped with a common set of technical security measures.
They also follow our core set of security principles, taken directly from our Information Security Policy:
Security in Everything
Xeal aspires to ensure that security is a primary consideration in any activity performed during the course of our operations. Whether that is working with customer information, building a new feature in our software or hardware products, or merely using a computer to research something online.
By adhering to the policies and guidance in the information security policy, and other subordinate documents within the Xeal information security management system (ISMS), Xeal employees have a variety of resources available to abide by this core guiding principle.
Security is for Everyone
The policies within the Xeal ISMS apply to everyone who has been provided access to Xeal computing assets, including, but not limited to, employees, independent contractors, business partners, and vendors.
Security Applies Everywhere
The policies within the ISMS apply to Xeal computing assets and data, no matter the form factor or physical location of the asset.
We Build On Standards
The Xeal ISMS is based on the International Organization for Standardization’s ISO 27001:2022 standard, which lays out the mandatory requirements for an ISMS. The individual policies contained within the ISMS, have been created based on guidance from the International Organization for Standardization’s ISO 27002:2022 code of practice document.
In adopting these standards for its ISMS, Xeal has clearly demonstrated an understanding of the importance of a well defined information security program with top-down support.
A Dedicated Security Team
Xeal maintains a dedicated security team to support both customers and employees in the operation of our security and privacy program. The team contains professionals with significant experience in secure development, security operations, and incident response. Some examples security industry certifications maintained by team members include:
- Certified Information Security Professional (CISSP)
- Certificated Information Privacy Professional - US (CIPP/US)
- Offensive Security Certified Professional (OSCP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
- Certified Ethical Hacker (CEH)
- Certified Computer Hacking Forensic Investigator (CHFI)
- AccessData Certified Forensic Examiner (ACE)
- Certified Cyber Forensics Professional-US (CCFP-US)
- Security+ Certification
The core responsibilities of the Xeal security team, include:
- Security operations - monitoring Xeal’s software and cloud environments to ensure that everything is securely configured, and operated securely on a daily basis.
- Endpoint security - designing and managing the technical controls deployed on Xeal IT equipment.
- Product security - working directly with partners in the engineering department to ensure that all software, firmware, and hardware products are designed with security in mind.
- Identity and access management - ensuring that Xeal employees have access to the systems they need to perform their job functions, and that access is managed through a central directory.
- Risk management - identifying, tracking, and treating enterprise risks to ensure the continued prosperity of Xeal and our customers.
Technical Security Measures
All Xeal employees are issued with company laptops that run centrally managed, enterprise-grade endpoint detection and response software (EDR).
Our laptops also run mobile device management software (MDM) that allow the Xeal security team to ensure they are compliant with our technical security standards, for example, leveraging full disk encryption and strong passwords.
Xeal employee accounts are protected by two-factor authentication, and robust onboarding and offboarding processes that ensure the timely removal of access for employees should they leave the company.
Privacy at Xeal
The Xeal security team is also an active participant in ensuring that our products and processes are designed with compliance with new and evolving privacy legislation in mind. Working closely with the legal team, Xeal ensures that laws and regulations, such as the California Consumer Privacy Act (CCPA), are considered and followed appropriately in our products.
Xeal’s privacy practices are designed to extend to all users of our products, regardless of citizenship or physical location. We believe that everyone should have the same rights in regards to how their information is handled.
Xeal, the smart charger
The same technology that makes Xeal chargers stand alone with our 100% uptime guarantee, is also responsible for our most effective security control. Uniquely, Xeal chargers do not have an internet or local network interface, meaning they cannot be discovered through port scans or other enumeration activities frequently used to discover and exploit connected devices.
No open ports - in fact, no ports at all
No IT infrastructure must be installed or exposed in parking garages, no firewalls must be reconfigured, and no wireless network credentials are required. Your IT and security team are already pretty busy protecting your business - we’re happy to give them one less thing to worry about!
Additionally, Xeal charger hardware does not include any externally accessible debug or service ports that could be leveraged as part of a physical attack against the device. Communication with the smart charger occurs using close proximity technologies, including BLE and NFC, and requires a valid, time-bound, encrypted user token to be sent along with a request to perform any user facing function on the charger. Remarkably, the lack of permanent connectivity doesn’t mean the chargers go without critical firmware updates which could leave them exposed in future; these are delivered via the Xeal Apollo protocol.
Xeal, the mobile application
At the heart of the Xeal ecosystem is our mobile application, available on both iOS and Android. The application is of course designed to provide a smooth charging experience for drivers, but is also a key part of the Xeal security story.
The Apollo Protocol
The mobile application provides a conduit for the Apollo protocol, Xeal’s patented technology that uses distributed ledger technology to asynchronously relay information about charging sessions, configuration changes, and firmware updates between the Xeal cloud service and the charger hardware.
Public key cryptography is used to ensure that data payloads carried by the Apollo protocol are always encrypted, and unable to be accessed by any entity other than Xeal.
During the development of the mobile application and Apollo protocol, the Xeal security team is responsible for performing regular security assessments and penetration tests against the software.
Xeal, the cloud dashboard
Xeal provides a cloud-based dashboard application to allow our customer organizations to manage their charger configurations, track usage, and pull financial reports. The same development best practices that go into our mobile apps and charger firmware, are present in our cloud software. Availability of the cloud does not have an impact on the availability of a charger.
Cloudy, but no lack of visibility
The service can also be used to manage access controls on the charger, allowing customers the choice of assigning specific residents to a given charger, operating a pool of shared chargers, or providing charging to members of the public.
The Xeal cloud service is hosted in the market leading infrastructure-as-a-service (IaaS) environment, which has been independently audited against IT Security standards such as SOC 2 and ISO 27001.
Xeal leverages intrusion detection systems (IDS), web application firewall (WAF), and centralized logging and monitoring tools in the cloud environment. The end goal of these tools is to ensure that if something moves in our cloud, we know about it, and if it’s not supposed to move, we can shut it down quickly.
Payment handling
Xeal uses a PCI-DSS level 1 compliant service provider for handling financial transactions, which includes both credit card transactions and ACH transfers for payouts.
Further information
Xeal maintains a wide set of documentation and other materials relevant to our security program that are available by request, and where applicable, under a non-disclosure agreement (NDA). If you would like to review any of the following, please reach out to your Xeal contact:
- Xeal security policies and procedures
- Security architecture diagrams
- Rules of engagement for customer penetration testing
Additionally, the Xeal security team can be reached via security@xealenergy.com, and are happy to answer any questions you may have about specific elements of the Xeal security.