At Xactly we C.A.R.E. about you, our customer:


To succeed and earn your trust, we need to meet your expectations every single day, with every interaction. We also know that trust starts with security and visibility. Using Xactly Incent Trust, you can find real-time updates on system performance, including privacy and security information, for the Incent Suite.

Note: For more information about the Xactly Express Trust site, visit

System Status


Xactly recognizes the importance of visibility into the system availability, scheduled maintenance, and overall reliability of the Xactly Incent Suite. This page displays the system maintenance announcements, including the current system status of the Xactly Incent Suite, as well as the Historic System Up Time of the Xactly Incent production environment.

Current System Status

To determine the refresh status section that applies to your business, please refer to the URL in the browser window address bar when you log into Incent (example: "").


Status sections: Secure 1, Secure 2, Secure 3, Secure 4, Credit Assignment

Status legend: Online, Under Maintenance, Information Available, Service Disruption

System Uptime


Xactly recognizes the importance of visibility into the system availability, scheduled maintenance, and overall reliability. To determine the refresh status section that applies to your business, please refer to the URL in the browser window address bar when you log into Incent (example: ""). For more information on how uptime is calculated, refer to your Service Level Agreement (SLA). Note: Current month uptime is calculated on a month to date basis.




Xactly understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and therefore to our success.

We use a multi-layered approach to protect that key information, constantly monitoring and improving our applications, systems, and processes to meet the changing demands and challenges of security.

Secure Data Centers

Our service is collocated in dedicated secure cages in top-tier data centers. These facilities provide carrier-level support, including:


  • 24×7 monitoring by closed-circuit cameras and onsite guards
  • Data center space is physically isolated and accessible only by specified administrators
  • Access is restricted to authorized personnel through biometric two-factor authentication
  • Fully-managed, hardened, stateful inspection firewall technology
  • Fully-managed Intrusion Detection System (IDS)
  • Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing Arbor Networks Peakflow to compare real-time network traffic, immediately flagging anomalies such as:
    • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms or botnets
    • Network issues such as traffic and routing instability, equipment failures, or misconfigurations
  • 24x7x365 Firewall, VPN, and IDS support and maintenance
  • Security Incident Response Team (SIRT) to handle reports of security incidents

Power and Environment

  • Redundant UPS and generator backups for all systems
  • HVAC (Heating Ventilation Air Conditioning) systems arranged in an N+1 redundancy configuration
  • Automated controls that provide the appropriate levels of airflow, temperature, and humidity

Fire Detection and Suppression

  • Multi-zoned, dry pipe, water-based fire suppression systems
  • Monitors to sample the air and provide alarms prior to pressurization
  • Dual-alarm activation necessary for water pressurization
  • Water discharge specific to fire alarm location

Flood Control and Earthquake

  • All facilities built above sea level with no basement areas
  • Moisture barriers on exterior walls
  • Dedicated pump rooms for drainage/evacuations systems
  • Moisture detection systems
  • Location-specific seismic compliance
  • All facilities meet or exceed requirements for local seismic building codes

Secure Transmission and Sessions

  • Connection to the Xactly Incent environment is via SSL 3.0/TLS 1.0, using global step-up certificates, ensuring that our users have a secure connection from their browsers to our service
  • Individual user sessions are identified and re-verified with each transaction, using a unique token created at login

Network Protection

  • Perimeter firewalls and edge routers block unused protocols
  • Internal firewalls segregate traffic between the application and database tiers
  • A third-party service provider continuously scans the network externally and alerts on changes in baseline configuration

Disaster Recovery

The Xactly Incent service performs real-time replication to disk within the data center for business continuity purposes, and offsite data storage at a secure facility for disaster recovery purposes. Note also the following:

  • Data is transmitted across encrypted links
  • Disaster recovery functionality is exercised regularly to verify projected recovery times and the integrity of customer data


All data is backed up at each data center, on a rotating schedule of incremental and full backups. The backups are then replicated over secure links to a secure archive.

Internal and Third-party Testing and Assessments

Xactly tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly, including:

  • Web application vulnerability assessments
  • Network vulnerability assessments
  • Selected penetration testing and code reviews
  • Security control framework review and testing

Security Monitoring

Xactly Operations monitors notifications from various sources and alerts from internal systems to identify and manage threats. Potential threats are logged and investigated as part of the Xactly Incident Management Process.

TRUSTe European Safe Harbor certification
Security Notice


Xactly uses the most advanced Internet security available today to ensure the security of customer information. Whenever a user accesses Xactly Incent, a secure HTTP connection is established leveraging Secure Socket Layer/Transport Layer Security (SSL/TLS) technology. This technology enables Xactly to ensure that customer information is safe, secure, and only available to registered users.

All Xactly Incent users have a unique user name and password that is enforced with strict rules regarding password length, reuse, and more. Additionally, since a limited number of users, typically compensation analysts, enter company data, Xactly offers an optional feature to lock their access to specific IP addresses.

The Xactly hosted environment is secured in Tier IV data center facilities managed by a world-class Managed Services Provider. Security at these facilities is guided by a “defense-in-depth” security strategy using layers of integrated and redundant security measures.



Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls (or other social engineering techniques) attempting to gather information that can be used to gain unauthorized access or privileged knowledge.

Xactly does not require the use of Java running within a user’s browser. Information regarding risks related to Java running within a user’s browser can be found at:

Username and Password Reuse Across Multiple Sites

At Xactly, we recognize that having a trusted relationship with our customers is a continuous and on-going process. When creating your username and password for the Xactly Incent suite, please keep in mind best practices for access credentials:

  • Don’t use the same username and password for all (or even many) of your online accounts.
  • Don’t share your passwords with anybody; don’t write them down or send them via email. Xactly support personnel will never ask you for your password.
  • Configure strong password policies such as password strength, aging, and re-use.
  • For more information about passwords and your Xactly Incent configuration, see the Security Best Practices section of our Trust site at:

Wireless Connection Sniffing and Hijacking

Xactly provides SSL 3.0/TLS 1.0 encryption (https) for login and communications between the Incent application and a user’s web browser. This means that even when logging in to Incent over an unsecured wireless network, your login credentials and business data are protected from hijacking.
Along with encrypted connections, Xactly offers a suite of security features that customers can configure to their needs. For more information, see the Security Best Practices section of our Trust site at:

Phishing and Malware

“Phishing” is an attack technique whereby Internet criminals set up a web site that mimics a legitimate site, such as By following the tips below, you can reduce the potential for becoming a victim:

  • Always look for the “lock” icon in the bottom-right corner of your browser
  • Be suspicious of emails that include links to Don’t click on such links—instead, always log in to Incent in one of the following ways:
    • Enter “” in the browser address field for the Incent production environment.
    • Enter “” in the browser address field for the Incent sandbox environment.
    • Click the Customer Login tab on the home page (

Suspicious Emails

Phishing emails try to trick you into revealing information, often by asking you to “verify” or “update” information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate.

One clue is that these messages often contain poor spelling and grammar. However, as technology criminals become more sophisticated, their approaches are becoming more varied and their attempts are getting better.
Another sign to check is a link (or links) that don’t match the URLs of the companies from which they claim to come.

Legitimate businesses, such as Xactly, will never ask you for sensitive information via email. If you receive such an email, do not respond or click any links in the email; instead contact Xactly Support to report the issue.

Look out for Suspicious Links and Attachments

Malicious software attacks can also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—including programs that capture keystrokes—on your computer. As users have become wary of attachments with “.exe” or unknown extensions, Internet criminals are now using attachments with seemingly innocuous “.doc” or “.pdf” extensions.
To avoid becoming a victim of malicious emails, please adhere to these recommendations:

  • Beware of unusual links.
  • Watch out for links that contain URLs that look similar to real ones, for example: “” or “”.
  • To validate a suspicious link, enter the company’s URL into the browser address field yourself. Phishers can make links look legitimate, even though they take you to a different site.
  • If you receive a suspicious email that includes the brand, please contact Xactly Support to report the issue.

Suspicious Phone Calls (Social Engineering)

Criminals may also try to misrepresent themselves as employees or agents of Some of these callers are attempting to steal your credentials—an illegal practice known as “social engineering.”

Here’s how it typically works:

  • A caller identifies companies that use Xactly applications.
  • The caller contacts the customer’s main switchboard and asks for the person responsible for Xactly or the Xactly administrator. The caller may claim to offer a “new version of the application.”
  • The caller asks for login credentials to “install improvements” or perform other activities in the customer’s instance of Xactly.

What you need to do:

  • Remind your users that Xactly employees will never ask for usernames or passwords.
  • If one of your users reveals his or her login credentials, reset that person’s password immediately and notify Xactly Support.
  • If a caller identifies him or herself as an Xactly employee and you do not recognize his or her name, ask for a call-back number and email address. After you get the information, contact Xactly Support to verify whether the caller is an Xactly employee.

Best Practices


Administrators – Protect Your Company

Implement IP Restrictions in Xactly Incent

A great tool for protecting your applications is restricting login to those IP addresses that you specifically approve. To restrict IP addresses, click Setup > Users > User Information, and enter the appropriate address in the IP address field. When enabled, the specified user can only log into the Xactly Incent application using the specified IP address.

Secure Employee Systems

One of your goals should be to keep email fraud, malware, and phishing attempts from reaching your users. To help do this, secure all computers used by your employees by doing the following:

  • Update all users to the latest supported browser version.
  • Deploy email filtering technology. Make sure you whitelist Xactly Incent IP addresses.
  • Install and maintain virus and malware protection software on all user machines, and keep all applications and definitions up to date.

Strengthen Password Policies

You can make passwords more secure and harder to break by requiring users to use complex passwords, enforcing password expiration on a regular basis, and implementing lockouts based on unsuccessful login attempts. To set password policies, click Preferences > Password Policies, and specify the following values:

  • Password Expiration

    Controls the frequency by which passwords expire for the Xactly Incent suite

  • Minimum Length

    Specifies the minimum required password length to access the Xactly Incent suite

  • Password Complexity

    Establishes the degree of complexity required for a password

  • Login Attempt Account Lockout Threshold

    Locks out a user after the specified number of consecutive unsuccessful login attempts

  • New Password After Lockout Requirement

    Controls whether a user must create a new password after being locked out of the application

  • Challenge Question Requirement

    Requires a challenge question and answer when the user is resetting their password (to better ensure the identity of the user)

Require Secure Sessions

By default, Xactly mandates that all Xactly Incent suite sessions are encrypted and secure to protect information in transit.

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended, or they fail to log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value from 30 minutes to 2 hours.

To change the session timeout, click Setup > Preferences > SESSION_TIMEOUT, and enter the appropriate value.

In addition, you can configure a session timeout warning that is issued to users 10 minutes prior to their session automatically timing out. To change the session timeout warning, click Setup > Preferences > SESSION_TIMEOUT_WARNING, and specify the appropriate warning.

Identify the Primary Business Administrator

Xactly recommends that you identify a person in your company who is to serve as the primary person responsible for application administration and security. This person should have a thorough understanding of your application and security policies. Be sure to make this person your single point of contact for Xactly Incent.

To notify Xactly about your primary administrative/security contact, contact Xactly Support.

Privacy Policy


Effective Date: August 12, 2014

Xactly Corporation (“Xactly” or “we”) has created this privacy statement (“Statement”) in order to demonstrate our commitment to data privacy. Privacy on the Web Site (the “Site”) and the Xactly platforms: Xactly Incent Pro, Incent Enterprise, Insights and Objectives (the “Platform”) is of great importance to us. Since we gather sensitive information from our visitors and customers, we have established this Statement to communicate our information gathering and management practices as well as the choices we have made regarding how we use the information we collect. In an effort to ensure the highest levels of data privacy, our standards meet or exceed the U.S. Department of Commerce’s “Safe Harbor” standards. If you have any questions regarding this policy please contact us via email at

Xactly has received TRUSTe’s Privacy Seal certifying that this privacy statement and our practices have been reviewed for compliance with the TRUSTe program viewable on the validation page available by clicking the TRUSTe seal. The TRUSTe certification does not cover information collected behind the login or through mobile applications.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact TRUSTe at

Xactly complies with the U.S.–E.U. and U.S.–Swiss Safe Harbor Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland. Xactly has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Xactly’s certification, please visit

Collected Information

In order to access certain portions of the Site, you will be required to register by providing certain limited information regarding you and the company you represent such as name, email address, address and phone number. Xactly collects this information and engages third parties to collect personal information to assist us for a variety of reasons, including personalizing your experience, contacting visitors to further discuss their interest in our company, when you register for a webinar or other informational offering, and sending information regarding our company, such as newsletters and events. Xactly and the third parties we engage may combine the information we collect with information obtained from other sources to help us improve its overall accuracy and completeness, and to help us better tailor our interactions with you. Visitor and any personal customer information will not be distributed or shared with any third parties under any circumstance other than as outlined in this Statement. Customers can opt out of being contacted by us, or receiving such information from us, at any time by following the unsubscribe instructions contained in the email communications you receive or by sending an email to

Cookies and other Web Technologies

When you interact with the Site and Platform, we strive to make that experience easy and meaningful. Like many websites, Xactly uses automatic data collection tools, such as cookies, embedded web links, web beacons, and clear gifs. When you come to our Site and Platform, our Web server may send a cookie to your computer. Cookies are files that Web browsers place on a computer’s hard drive and are used to tell us whether customers and visitors have visited the Site previously. Standing alone, cookies do not identify you personally. They merely recognize your browser. Unless you choose to identify yourself to Xactly either by requesting a download or registering for a demo or webinar, you remain anonymous to Xactly. If you do not accept cookies from the domain “”, you cannot access certain portions of the Site or Platform without registering again each time you would like to access restricted information.

The use of cookies by our partners, affiliates, tracking utility company, service providers on the Site is not covered by our privacy statement. We do not have access or control over these cookies.

We use IP addresses to analyze trends, administer the Site, track users’ movements, and gather broad demographic information for aggregate use. IP addresses that we collect are not linked to personally identifiable information.

Our third party partners employ a software technology called clear gifs (a.k.a. Web Beacons/Web Bugs), that help us better manage content on our Site by informing us what content is effective. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of Web users. In contrast to cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages and are about the size of the period at the end of this sentence. The information gathered does not personally identify you, but could potentially be linked with the personal information that you or third parties engaged by Xactly provide to Xactly. We do not tie the information gathered by clear gifs to our customers’ personally identifiable information.


We partner with a third party ad network to either display advertising on our Web site or to manage our advertising on other sites. Our ad network partner uses cookies and Web beacons to collect non-personally identifiable information about your activities on this and other Web sites to provide you targeted advertising based upon your interests. If you wish to not have this information used for the purpose of serving you targeted ads, you may opt-out by clicking here. Please note this does not opt you out of being served advertising. You will continue to receive generic ads.

Social Media Features

Our Web site includes Social Media Features, such as the Facebook Like button. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the privacy policy of the company providing it.

Users Outside of the United States

While we make every effort to honor the laws and wishes of all users, this Site is available for users located primarily in the United States of America and therefore may or may not address privacy requirements contained in non-domestic legislation.


Xactly takes substantial precautions to protect data and information under its control from misuse, loss or alteration. We utilize some of the most advanced technology available today for Internet security and are constantly taking measures to adjust to the changing security landscape. As such, Xactly maintains layered, defense-in-depth security measures, including hosting our solution in a Tier IV (the highest recognized level) datacenter, to allow only authorized personnel access to your information. When you provide us with sensitive information (such as your login credentials) we transmit your personal information via SSL encryption. Unfortunately, no system can ensure complete security, and Xactly disclaims any liability resulting from use of the Site. If you have any questions regarding security on our web site, you can contact us at

Links to Third-Party Sites

The Site contains links to other Web Sites. Xactly is not responsible for the privacy practices or the content of these other Web Sites. Visitors are advised to check the policy statements of other Web Sites to understand their policies. Accessing a linked site may expose your private information.

Safe Harbor

Xactly complies with the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.

Xactly has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit


Through this Privacy Policy, Xactly hereby informs you of the purpose for which it collects and uses personal information. Xactly will notify you in the event of any unintentional disclosure of your personal information to a third party. You have the option to limit the use of any personal information through the means described herein.


Xactly provides you with a choice to opt out of disclosure of your personal information to a third party or the use of personal information for a purpose other than that for which it was originally collected.

Xactly collects information under the direction of its customers, and has no direct relationship with the individuals whose personal data it processes.

Onward Transfers

Xactly may transfer personal information to companies that help us provide our services to our customers and users such as an email service provider to send emails on our behalf and a career management partner to collect potential employee information. Transfers to these third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients.

We reserve the right to disclose personal information as required by law and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on our Web site.
In the event Xactly goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personally identifiable information will likely be among the assets transferred. You will be notified via either email or prominent notice on our Web site for 30 days of any such change in ownership or control of your personal information.

Data Integrity

Xactly shall use information collected for its relevant and intended purpose only. If there is any change of use of the personal information collected, Xactly shall inform you and gain your approval before making such changes of the use of the personal information collected. Further, Xactly shall take reasonable steps to ensure that the personal information collected is accurate and reliable for its intended use.

Access to Personal Information Received

Xactly shall provide you with reasonable access, as required by law, to your personal information in order to confirm that it is correct or to amend or delete inaccurate information. If you need to correct, update, or remove personal information provided to Xactly, please contact Xactly at:

Xactly has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to Xactly’s customer (the data controller). If the customer requests Xactly to remove the data they can contact us We will endeavor to respond to all requests for access within 30 days.

Xactly will retain your personal information and the personal information we process on behalf of our customers for as long as needed to provide services to our customers. Xactly will retain and use this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.


Xactly has established internal mechanisms to verify its ongoing adherence to its privacy policy, including the Safe Harbor Principles. Xactly encourages individuals covered by this privacy policy to raise any concerns about our processing of personal information by contacting Xactly at After a complaint or concern is received, Xactly will work internally to resolve the issue.

In compliance with the US-EU and US-Swiss Safe Harbor Principles, Xactly commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss citizens with inquiries or complaints regarding this privacy policy should first contact Xactly at:

Xactly Corporation
300 Park Ave #1700
San Jose, CA 95110


This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Privacy Principles. We will give appropriate notice of any material amendments by email (sent to the e-mail address specified in your account) or by means of a prominent notice on this Site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

Questions or Comments Regarding the Privacy Policy

For additional questions, or to be taken off our marketing lists, please send an e-mail to or to the contact information above.

Xactly Tools


Xactly Tools that Support Privacy Compliance

Xactly recognizes that many of our customers are subject to at least some privacy-related laws that govern the handling of personal information. We seek to support our customers’ compliance with such laws by providing a comprehensive privacy and security program that includes technology, policies, practices, people and certifications.


Xactly maintains a comprehensive array of technical measures to protect the Xactly service, and offers a robust set of customer-controlled settings to further heighten privacy and security protection.

Default Privacy and Security Features

Application features that protect customer data

  • Connection to the Xactly Incent service is via secure socket layer/transport layer security (SSL/TLS), ensuring that our customers have a secure connection to their data.
  • Individual user sessions are uniquely identified and re-verified with each transaction.
  • Customer passwords are not accessible by Xactly personnel.
  • Application logs record the creator, last updater, timestamps, and originating IP address for every record and transaction completed.

Logical separation of customer data

  • Hardware and software configurations are designed to provide secure logical separation of customer data that permits each customer to view only its related information.
  • Multitenant security controls include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles.
  • The Xactly Incent service supports delegated authentication.

Network security measures

  • Multiple layers of external firewalls
  • Intrusion-detection sensors
  • Security event management system
  • Continuous external vulnerability scanning

Redundancy and Scalability

  • The Xactly Incent service is highly scalable and redundant, allowing for fluctuation in demand and expansion of users while greatly reducing the threat of long-term outages.
  • Load-balanced networks, pools of application servers, and clustered databases are features of our design.

Disaster Recovery

  • All customer data is stored in secure data centers and is replicated over secure links to an offsite disaster recovery facility.
  • The design provides the ability to rapidly restore the Xactly Incent service in the case of a catastrophic loss.


  • In addition to disaster-recovery capabilities, customer data is also backed up.
  • Xactly utilizes a 90-day, grandfather/father/son retention scheme for production server backups, as follows:
    • Son: Daily backup – six incremental copies kept for 7 days
    • Father: Weekly backup – five full backup copies kept for 28 days
    • Grandfather: Monthly backup – retained for 90 days
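
To see what these retention figures mean for recovery, the following added example (not Xactly code) computes which backups are on hand on a given day and how far back the nearest restore point lies for a problem discovered late. The copy counts and windows come from the list above; the schedule (monthly full on the 1st, weekly full on Sundays, one backup per day) is an assumption, as is the reading that a copy is held until it is older than its window.

```python
from datetime import date, timedelta

# Figures from the page: tier -> (copies kept, retention window in days).
# The page states no copy count for the monthly tier, hence None.
POLICY = {
    "son": (6, 7),
    "father": (5, 28),
    "grandfather": (None, 90),
}


def tier_for(day):
    """ASSUMED schedule: monthly full on the 1st, weekly full on Sundays,
    incremental on every other day."""
    if day.day == 1:
        return "grandfather"
    if day.weekday() == 6:  # Sunday
        return "father"
    return "son"


def retained(today):
    """Map each backup date still on hand at `today` to its tier."""
    kept = {}
    counts = {tier: 0 for tier in POLICY}
    for age in range(0, 91):  # walk backwards from the newest backup
        day = today - timedelta(days=age)
        tier = tier_for(day)
        copies, window = POLICY[tier]
        if age > window:
            continue  # aged out of its tier
        if copies is not None and counts[tier] >= copies:
            continue  # tier already holds its full number of copies
        counts[tier] += 1
        kept[day] = tier
    return kept


def restore_point(today, target):
    """Latest retained backup taken on or before `target`, or None."""
    candidates = [d for d in retained(today) if d <= target]
    return max(candidates) if candidates else None


def data_loss_days(today, target):
    """Days of changes lost when restoring to the state as of `target`."""
    point = restore_point(today, target)
    return None if point is None else (target - point).days


if __name__ == "__main__":
    today = date(2024, 3, 10)  # constructed example date (a Sunday)
    for target in (date(2024, 3, 7), date(2024, 2, 28),
                   date(2024, 1, 28), date(2023, 12, 20)):
        print(target, "->", restore_point(today, target),
              "loss:", data_loss_days(today, target))
```

The further back the wanted state lies, the coarser the restore points become: daily inside the last week, weekly inside four weeks, monthly after that, and nothing beyond 90 days.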

Customer-Controlled Privacy and Security Settings

  • Customers can determine which of their respective designees can access different categories of data.
  • Customers can set customizable password rules.
  • Customers can define log-off times for inactivity.
  • Customers can enable Xactly’s IP restrictions feature that enables customers to restrict the IP address from which its designees can log in.


Xactly has privacy and security policies that apply to all of our information handling practices.

Privacy Statement

  • For information collected, Xactly provides assurances about the types of information collected, how that information may be used, and how that information may be shared.
  • Xactly offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications.
  • Xactly offers individuals the opportunity to update or change the information they provide.


Xactly’s comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices.

Internal Training and Communications for Xactly Personnel

  • Xactly regularly communicates with our personnel about our obligation to safeguard confidential information, including customer data and personal information.

Customer End User Awareness

  • Xactly strongly encourages all of our customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks.
  • Xactly maintains a proactive client communication process which includes notifying end users about specific security issues, when warranted.
  • The Xactly Help system contains information about implementing customer-controlled security settings within the application.
  • The Security section of the Trust Web site includes a security-related white paper.


Xactly has regulated and auditable security certifications, including audits performed by third parties.

Geographical Recognition

  • EU Safe Harbor

Global Audit Compliance

  • SSAE 16 Type II