
Whitepaper XtraMile

Last Modified: 20.05.2026

 

 

The information contained in this document represents the current view of XTRAMILE AS on the issue discussed as of the date of publication. Because XTRAMILE AS must respond to changing market conditions, it should not be interpreted to be a commitment on the part of XTRAMILE AS, and XTRAMILE AS cannot guarantee the accuracy of any information presented after the date of publication. 

This white paper is for information purposes only. XTRAMILE AS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. 

XTRAMILE AS may have patents, patent applications, trademark, copyright or other intellectual property rights covering the subject matter of this document. Except as expressly provided in any written license agreement from XTRAMILE AS, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

XTRAMILE AS and the XTRAMILE Logo are trademarks of XTRAMILE AS in Norway and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

XTRAMILE AS, Sørkedalsveien 8c, 0369 Oslo
 
 

CONTENTS

 
  1. Introduction
  2. Intended audience
  3. Basic overview of the XTRAMILE architecture
  4. General communication security
  5. Authentication and access control 
  6. Password recovery
  7. Identity synchronization and user provisioning 
  8. Infrastructure and platform security 
  9. Backup and data resilience
  10. Disaster recovery
  11. Security breach investigation 
  12. Subcontractors and operational partners 
  13. Information collection and usage 
  14. User-created content protection
  15. Handling financial transactions and details
  16. Statutory body and regulation compliance

     

 

1. Introduction

 
What is included in this document? 
Security is a top priority for XTRAMILE AS and its employees, just as it is for our clients. For this reason, we’ve had this issue in mind ever since we started to plan and design this service back in 2013. Thanks to this security-centric approach, XTRAMILE conforms to all current best practices of our industry. 
 
The following whitepaper provides an overview of the safety mechanisms we have implemented in order to ensure the integrity of our systems and services. It outlines security measures used during various steps of the user’s workflow, and describes some crucial procedures, such as disaster recovery or security breach investigation.
 
What is not included? 
Some internal/sensitive features are not described in detail, in order to deter potential attackers. Additionally, some details may have been minimized to protect our intellectual property (IP) rights. XTRAMILE operates in a competitive environment, therefore we are unable to disclose some confidential details to parties that have not signed confidentiality agreements with XTRAMILE AS.
 
We ask you not to copy, distribute or reproduce this document without permission. 
 
 
 

2. Intended audience

 
This document is intended for customers, partners and stakeholders who require information regarding the security, privacy, operational and technical aspects of the XtraMile platform.
The whitepaper is particularly relevant for IT administrators, security personnel, compliance teams, procurement processes and others involved in evaluation, implementation, operation or governance of the service.

 

3. Basic overview of the XTRAMILE architecture

 

 
How does our platform work? 

 

XtraMile is a cloud-based learning and awareness platform designed to deliver training, communication and user engagement across organizations and devices.
 
The platform supports multiple authentication and access methods, including password, Single Sign-On (SSO), secure login links and SMS-based authentication. Training content and platform functionality are securely delivered through web-based services, email communication and APIs accessible from modern browsers and supported devices.
 
XtraMile enables organizations to manage both standardized and custom learning programs, awareness campaigns and communication workflows tailored to their operational and compliance requirements.
 
To support enterprise identity and lifecycle management, XtraMile integrates with external identity providers, HR systems and other business platforms through Microsoft Entra ID integration, SCIM provisioning and secure APIs. These integrations allow organizations to centrally manage users, groups, authentication and access rights through existing operational processes.
 
The platform is hosted in Microsoft Azure and utilizes modern cloud-native services for identity management, data storage, monitoring, messaging and secure communication.
XtraMile is designed with logical tenant separation to help ensure isolation of customer environments, user data and access permissions across the platform.
 
 
 
 
 

4. General communication security

 

External communication with the XtraMile platform is secured using HTTPS and modern TLS protocols, including support for TLS 1.3. TLS certificates are managed through trusted cloud and certificate infrastructure providers.
 
The platform leverages cloud-native security capabilities and edge protection services provided through Microsoft Azure and Cloudflare. Communication between users, integrations and platform services is protected using industry-standard encryption and secure key exchange mechanisms designed to ensure confidentiality and integrity of transmitted data.
 
To maintain a high security standard, unencrypted HTTP traffic, outdated protocols and insecure communication methods are disabled.
 
 
 
 

 

5. Authentication and access control

 
Authentication and account access

XtraMile supports multiple authentication methods designed to provide secure and flexible access to the platform for both internal and external users.
 
A. Password login
 
Access to the XtraMile platform is protected through authenticated user accounts and encrypted HTTPS/TLS communication.
 
The platform supports password login and secure session handling mechanisms designed to reduce the risk of unauthorized access. Login attempts are monitored and protected through rate limiting and automated security controls to help mitigate brute force and credential-based attacks.
 
User sessions automatically expire after a period of inactivity, and authentication tokens are handled securely through browser-based session mechanisms.
 
For organizations using federated identity providers, authentication policies such as password complexity requirements and multi-factor authentication (MFA) may be enforced through the customer’s identity provider.
 
B. Secure login links
 
XtraMile supports time-limited login links delivered by email to simplify access to courses and learning activities.
 
These login links are tied to authorized user accounts and specific training activities. Tokens automatically expire after a limited period of time and are designed to prevent unauthorized reuse.
 
C. Single Sign-On (SSO)
 
XtraMile supports Single Sign-On (SSO) through Microsoft Entra ID.
 
When SSO is enabled, users authenticate through Entra ID using their existing corporate credentials and security policies. This allows organizations to centrally manage authentication controls such as password policies, conditional access and multi-factor authentication (MFA).
 
 
D. SMS authentication
 
XtraMile supports SMS-based authentication for organizations that require simplified access to training and learning activities.
 
When enabled, users authenticate using a one-time verification code sent to a registered mobile phone number associated with their account. Verification codes are time-limited and intended for single-use authentication.
To reduce the risk of unauthorized access, XtraMile applies validation and monitoring mechanisms related to login attempts, token expiration and account activity.

SMS authentication is primarily intended as a user-friendly access mechanism for low-friction learning participation and should be evaluated by customers according to their own security requirements and risk assessments.
 
 

6. Password recovery 

 
Password recovery is provided to users via their specified e-mail account. After the user enters a correct e-mail address, we send out a link with a one-time secure access token. The link deactivates after a short period of time to limit the possibility of unauthorized use.
 
 
 
 

7. Identity synchronization and user provisioning  

 
 
Secure user synchronization
 
XtraMile supports secure identity synchronization and user provisioning to simplify account management for enterprise customers.
 
Organizations may manage users and access through supported identity and provisioning integrations, including Microsoft Entra ID synchronization, Single Sign-On (SSO), SCIM-based provisioning and REST API-based integrations.
 
XtraMile also supports user provisioning and synchronization from a range of HR, IAM and business systems through supported integrations and APIs. An updated overview of supported integrations and connected systems is available on the XtraMile website.

 
These integrations enable organizations to centrally manage users, groups, authentication and access rights through their existing identity management processes and operational workflows.
 
 
 
Microsoft Entra ID integration
 
XtraMile provides a preconfigured integration with Microsoft Entra ID for secure user synchronization and Single Sign-On (SSO).
 
The integration is established through delegated organizational consent and allows authorized synchronization of user and group information based on customer-controlled permissions and configuration.
 
Organizations may use Entra ID as the authoritative identity source for user lifecycle management, group-based access control, authentication and SSO, organizational hierarchy and manager relationships, as well as Conditional Access and multi-factor authentication (MFA) enforcement.
 
 
API and SCIM provisioning
 
XtraMile also supports automated user provisioning and integrations through secure APIs and SCIM-compatible interfaces.
 
These interfaces may be used to synchronize users, groups and related organizational data from HR systems, identity providers and other enterprise platforms.
 
Authentication and provisioning access are secured through customer-specific credentials, access controls and encrypted communication channels.
 
 
 
 
 

8. Infrastructure and platform security  

 
XtraMile is hosted in Microsoft Azure and protected through multiple layers of cloud-native infrastructure security controls.
 
The platform utilizes modern identity, network and application security mechanisms including:
 
    • Role-based access control (RBAC)
    • Restricted administrative access
    • Network segmentation and firewall policies
    • HTTPS/TLS encrypted communication
    • Centralized logging and observability
    • Azure Key Vault for secure handling of secrets and certificates
    • Encryption of sensitive information in transit and at rest
    • Security monitoring and operational alerting

Public-facing traffic is additionally protected through edge security and traffic filtering services provided by Cloudflare.
 
Infrastructure and platform services are continuously maintained through managed cloud services and operational security procedures designed to reduce exposure to known vulnerabilities and unauthorized access.
 
 
 
 
 

9. Backup and data resilience

XtraMile leverages cloud-native backup and recovery services provided by Microsoft Azure.
 
Critical databases and platform services utilize automated backup routines and point-in-time restore (PITR) capabilities designed to support recovery from operational incidents, accidental deletion or infrastructure failures.
 
Backup data is encrypted and replicated using geographically redundant storage within Microsoft Azure to support resilience against regional outages and infrastructure-related incidents.
 
Backup and recovery procedures are reviewed as part of XtraMile’s operational continuity and disaster recovery processes.
 
 
 
 

10. Disaster recovery

 
XtraMile maintains documented disaster recovery and operational continuity procedures designed to support recovery from critical infrastructure, platform or service incidents.
 
The platform leverages cloud-native resiliency capabilities within Microsoft Azure, including backup, redundancy and recovery mechanisms intended to reduce the impact of service interruptions and infrastructure failures.
 
Operational continuity is supported through periodic recovery testing, centralized monitoring and alerting, incident escalation procedures, backup and restoration processes, and controlled access to recovery operations.
 
Recovery and continuity procedures are reviewed regularly as part of XtraMile’s security and operational governance processes.
 
 
 
 
 

11. Security breach investigation

 
What do we do in case of a security breach? 
Incidents that are classified by our team as security breaches (and therefore receive the highest priority) include: theft or unauthorized access of information or sensitive data, any successful or failed attempts to compromise our network or server infrastructure, sudden loss of service, data corruption or serious system malfunctions, unauthorized use of our systems by any person, and any detected or suspected changes to any XTRAMILE AS hardware, firmware or software.

In any of the above events, whether reported by a client or by our developers, we’re ready to immediately launch a procedure consisting of:

Identification: our experienced IT security personnel immediately review the log files, recorded events and details of server activity, running various incident-response tools when necessary.

Containment: the team makes sure no additional data or accounts can be compromised. This includes implementing stricter firewall rules as well as close coordination with the client’s staff.

Eradication: our software engineers step in to roll back all unauthorized changes and restore the data and service integrity using one of the recent backups. Any passwords that could be accessed by the attacker are immediately flagged for replacement.

Recovery: systems are returned to regular service and monitored for any further activity.

Lessons learned: we review the case, create an executive summary of the incident, identify the root cause and determine ways in which the XTRAMILE platform might be improved. Security-related improvements are at the top of our list of software development priorities.
 
 
 
 

12. Subprocessors and operational partners

 

XtraMile utilizes selected subprocessors and operational partners to support delivery, hosting, infrastructure, communication services and software development related to the platform.
 
Core platform infrastructure is hosted in Microsoft Azure within the EU/EEA region. Additional service providers may be used for services such as edge protection, email delivery, monitoring and operational support.
 
Software development and operational support are performed by XtraMile AS in cooperation with affiliated companies, including XtraMile Tech AS, under established security and confidentiality requirements.
 
An updated overview of subprocessors and data processing partners is maintained through XtraMile’s Data Processing Agreement (DPA) documentation.
 
 
 
 

13. Information collection and usage

 

XtraMile processes information necessary to provide, secure and improve the platform and related services.
 
This may include user account information, authentication data, course participation and completion status, operational logs, and limited technical information related to platform access and usage, such as browser type, device information and language settings.
 
Information is processed for purposes related to delivery of learning services, authentication and access management, operational monitoring, troubleshooting, security, incident handling and platform performance improvement.
 
XtraMile may utilize selected third-party services for analytics, operational monitoring and platform diagnostics where applicable.
 
The platform utilizes cookies and similar technologies related to session management, platform functionality and operational services.
 
Additional information regarding cookies, privacy and processing of personal data is available in XtraMile’s privacy and cookie policy:
 

Privacy and cookie policy

 
 
 

14. User-created content protection 

 
How do we protect our clients’ data?
We do not review or intentionally access the content of training modules set up by our clients or their staff, unless the client specifically asks us for either technical or educational help. We believe our clients’ training modules are strictly confidential and we use all available measures to limit the number of XTRAMILE developers or team members who can access any custom user-created content.
 
The customers remain in full control of the data throughout the entire process, and thus they are the only party responsible for quality, accuracy, appropriateness or intellectual property ownership of the content they upload to XTRAMILE. 
 
 
 
 

15. Handling financial transactions and details 

 
How do we handle financial transactions? 
The XTRAMILE web service and its modules do not contain any first-party or third-party payment processor or solution. We also don’t keep any financial data in our main XTRAMILE database. This greatly reduces the risk and the number of potential attack vectors.
 
We are mostly involved with big institutional and business partners, and that is why invoicing is handled outside of the XTRAMILE service, ensuring the best possible level of service, communication and security. 
 
 
 
 

16. Statutory body and regulation compliance

 
What regulations are we subject to?
XTRAMILE AS privacy and data security policies are compliant with both Norwegian and European Union guidelines. All data and personal information of XTRAMILE AS clients, as well as any content created by them, always stays within our region. 
 
We are determined to never voluntarily disclose any of our clients’ data or any content of training modules uploaded to the XTRAMILE service, unless forced to do so by a valid court order from a Norwegian court, law enforcement officers or authorized governmental agencies.
 
Should such a request ever be made, we’re going to immediately notify any affected customers, detailing what type of data has been accessed. 
 
