Security
Trust and security
XESO is built for people who put their thinking into software. We treat that data the way a bank treats deposits — encrypted, siloed, replicated, and never used to train anyone's model.
Your library stays yours: capture and blank notes on every plan, self-serve export to Markdown and JSON from Settings, optional full data export, and imports from your own files — with higher limits and more formats when you upgrade to Pro.

SOC 2 Type II in progress
GDPR-aligned DPA
No training on customer data
99.9% uptime target
Security
Transit & at-rest encryption
TLS 1.2+ everywhere via Cloud Run; HSTS preloaded. Customer content at rest is encrypted by Cloud SQL; highest-sensitivity credentials use AES-256-GCM with owner-bound AAD and Secret Manager-backed key material.

Strict CSP with nonces
Nonce-based `strict-dynamic` Content Security Policy blocks third-party script injection. Violations are reported to `/api/csp-report` and alerted on.

Row-level security (RLS)
Tenant reads and writes are scoped by user at the application layer, with database guardrails and regression tests on high-risk paths.

Authentication & session hardening
NextAuth with CSRF double-submit, JTI deny-list, session versioning for revocation, and recent step-up checks on sensitive actions.

Secure-by-default supply chain
SBOM + signed container images, CodeQL + Semgrep + gitleaks + npm audit on every PR, pinned base images, and dependency review gates.
Privacy
No training on your data
Your notes, queries, and chat traffic are never used to train XESO's models. Provider requests are handled under zero-retention terms where supported.

GDPR / CCPA / APP rights
Self-serve export (all your notes + settings as a Zip) and self-serve deletion with a 30-second undo window. DSAR fulfilment SLA is 30 days; most requests resolve in under a minute.

Vault / soft-delete
Sensitive notes can be placed in a vault that is excluded from chat, analytics, digests, and share links. Deleted notes tombstone for 30 seconds, then cascade-delete their passages and embeddings.

PII scrubbed before leaving the app
Analytics and error telemetry run through a PII redactor that strips emails, credit-card-shaped digits, tokens, cookies, and authorization headers before the event is sent to PostHog or Sentry.
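The redaction step described above, as an added Python illustration that is not XESO's own code: a recursive scrubber that drops values under sensitive header keys outright and pattern-matches free text for emails, Luhn-valid card numbers, and Bearer/Basic/JWT-shaped tokens. The patterns, key names and sample event are assumptions constructed for this example.

```python
import re

# Constructed illustration of a telemetry PII redactor, not XESO's own code;
# the patterns and header key names are assumptions for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes ("credit-card-shaped").
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Bearer/Basic credentials and JWT-shaped strings appearing inline in free text.
TOKEN_RE = re.compile(
    r"(?i)\b(?:bearer|basic)\s+[A-Za-z0-9._~+/=-]+|"
    r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"
)
# Structured keys whose values are dropped wholesale rather than pattern-matched.
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "x-api-key"}
PLACEHOLDER = "[REDACTED]"


def luhn_ok(digits):
    """Luhn checksum: keeps order numbers and timestamps from being mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _card_sub(m):
    digits = re.sub(r"[ -]", "", m.group(0))
    return PLACEHOLDER if luhn_ok(digits) else m.group(0)


def redact_text(text):
    """Scrub free text; tokens go first so an email inside a Basic header is not left behind."""
    text = TOKEN_RE.sub(PLACEHOLDER, text)
    text = EMAIL_RE.sub(PLACEHOLDER, text)
    return CARD_RE.sub(_card_sub, text)


def redact_event(event):
    """Recursively scrub an analytics or error event before it is handed to a vendor SDK."""
    if isinstance(event, dict):
        return {k: PLACEHOLDER if str(k).lower() in SENSITIVE_KEYS else redact_event(v)
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact_event(v) for v in event]
    return redact_text(event) if isinstance(event, str) else event


# Constructed sample event for a stand-alone run: redact_event(SAMPLE_EVENT).
SAMPLE_EVENT = {
    "headers": {"Authorization": "Bearer abc.def", "User-Agent": "xeso-web"},
    "message": "bob@example.com paid with 4111 1111 1111 1111, order 1234567890123",
    "tags": ["jwt eyJabc.def_1.ghi-2"],
}
```

The Luhn check is what keeps the 13-digit order number in the sample intact while the card number is removed; a digit-count-only rule would redact both.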
Reliability
Uptime SLO
Target: 99.9% monthly on the core chat + library path. Real-time health is on /status; incidents are posted within 15 minutes.

Canary deploys & auto-rollback
Every production deploy first rolls to a no-traffic canary revision, runs a deep smoke suite, and only promotes on green — a single failing probe triggers an automatic rollback.

Tested disaster recovery
Postgres backups run continuously with 30-day retention. We run a restore drill quarterly against a throwaway project and record RTO/RPO.

Core Web Vitals monitored
Core Web Vitals are reported through RUM and reviewed against launch dashboards; low-volume routes stay marked as insufficient evidence rather than green.
Compliance
SOC 2 Type II
Audit window open with a Big-4 SOC 2 firm; control map in docs/security/COMPLIANCE_MAP.md. Customers under NDA can request the in-progress Type I report and our SIG-Lite questionnaire.

GDPR / CCPA / APP
DPA available at /dpa (Standard Contractual Clauses for EU data transfers). Sub-processors are listed publicly and customers receive 30 days' written notice before a new sub-processor receives personal data.

Data residency
Production data resides in US-Central Google Cloud regions. Additional residency options are not part of the public launch surface.

Access control & change management
Least-privilege IAM on GCP; production access requires step-up auth and is audit-logged. Every code change is peer-reviewed via CODEOWNERS and gated on the full CI suite before merging.
Legal & data-protection resources
Every document you'll need for procurement review, in one place.

Reliability & disclosure
Live operational posture and how to get help.

System status & incident history →
Real-time health per subsystem and recent incidents.

Coordinated disclosure ↗
Email security@xeso.ai. We acknowledge within 24 hours and triage within 3 business days.

Release notes & security changelog →
What shipped, when, and what changed in the security or privacy posture.
Questions for procurement? Email security@xeso.ai — we respond within one business day.
