XESO

Trust & Security

XESO is built for people who put their thinking into software. We treat that data the way a bank treats deposits — encrypted, siloed, replicated, and never used to train anyone's model.
SOC 2 Type II in progress
GDPR-aligned DPA
No training on customer data
99.9% uptime target

Security

Defense-in-depth at the edge, the app, and the database. Every boundary is typed, logged, and tested.

Transit & at-rest encryption
TLS 1.2+ everywhere via Cloud Run; HSTS preloaded. Customer content at rest is encrypted by Cloud SQL and envelope-encrypted per-tenant for the highest-sensitivity fields.

Strict CSP with nonces
Nonce-based `strict-dynamic` Content Security Policy blocks third-party script injection. Violations are reported to `/api/csp-report` and alerted on.

Row-level security (RLS)
Every tenant query is scoped at the Postgres RLS layer — the app runs under a role that cannot read another tenant's rows even if the ORM layer has a bug.

Authentication & session hardening
NextAuth with CSRF double-submit, JTI deny-list, session versioning for instant revocation, and step-up auth on sensitive actions. WebAuthn + TOTP supported.

Secure by default supply chain
SBOM + signed container images, CodeQL + Semgrep + gitleaks + npm audit on every PR, pinned base images, and dependency review gates.

Privacy

Minimal collection, zero training on customer data, and a one-click export/delete path — backed by automated audit trails.

No training on your data
Your notes, queries, and chat traffic are never used to train XESO's models. BYOK keys route directly to the model provider with no intermediate logging of prompt content.

GDPR / CCPA / APP rights
Self-serve export (all your notes + settings as a Zip) and self-serve deletion with a 30-second undo window. DSAR fulfilment SLA is 30 days; most requests resolve in under a minute.

Vault / soft-delete
Sensitive notes can be placed in a vault that is excluded from chat, analytics, digests, MCP, and share links. Deleted notes tombstone for 30 seconds, then cascade-delete their passages and embeddings.

PII scrubbed before leaving the app
Analytics and error telemetry run through a PII redactor that strips emails, credit-card-shaped digits, tokens, cookies, and authorization headers before the event is sent to PostHog or Sentry.

Crypto-shredding on deletion
When you delete an account, per-tenant encryption keys are destroyed in Cloud KMS — your residual ciphertext becomes unreadable immediately.
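
One way to implement the redaction pass described under "PII scrubbed before leaving the app", added here as an example and not XESO's own code. The regexes, the sensitive key names, the `redactString` and `redactEvent` functions, and the sample event are assumptions constructed for illustration.

```javascript
// Added example: patterns, key names and the sample event are assumptions,
// not XESO's redactor.
const SENSITIVE_KEYS =
  /^(authorization|cookie|set-cookie|x-api-key|token|access_token|refresh_token)$/i;

// Order matters: "Bearer <jwt>" is consumed before the bare-JWT pattern runs.
const PATTERNS = [
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[email]"],
  [/\bBearer\s+[A-Za-z0-9._~+\/-]+=*/gi, "Bearer [token]"],
  [/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, "[jwt]"],
  // 13 to 19 digits with optional single space/hyphen separators
  // (shape only, no Luhn check, so some long numeric IDs are redacted too).
  [/\b\d(?:[ -]?\d){12,18}\b/g, "[card]"],
];

function redactString(s) {
  return PATTERNS.reduce((out, [re, label]) => out.replace(re, label), s);
}

// Returns a redacted deep copy; the original event is never mutated.
// `path` holds the current ancestors so cycles terminate.
function redactEvent(value, path = new Set()) {
  if (typeof value === "string") return redactString(value);
  if (value === null || typeof value !== "object") return value;
  if (path.has(value)) return "[circular]";
  path.add(value);
  const out = Array.isArray(value)
    ? value.map((v) => redactEvent(v, path))
    : Object.fromEntries(
        Object.entries(value).map(([k, v]) => [
          k,
          // Header-like keys are dropped wholesale, whatever their value.
          SENSITIVE_KEYS.test(k) ? "[redacted]" : redactEvent(v, path),
        ])
      );
  path.delete(value);
  return out;
}

// Constructed sample telemetry event.
const sampleEvent = {
  message: "Checkout failed for jane.doe@example.com with card 4111 1111 1111 1111",
  request: {
    url: "/api/notes?limit=20",
    headers: { Authorization: "Bearer abc.def.ghi", Cookie: "session=s3cr3t", "User-Agent": "Mozilla/5.0" },
  },
  breadcrumbs: ["retry with Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln", "status 401"],
};
```

Run the redactor at the last point before the SDK call, so fields added by other middleware are covered as well.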

Reliability

Multi-AZ Cloud Run + Cloud SQL HA, canary deploys with auto-rollback, and a public status page.

Uptime SLO
Target: 99.9% monthly on the core chat + library path. Real-time health is on /status; incidents are posted within 15 minutes.

Canary deploys & auto-rollback
Every production deploy first rolls to a no-traffic canary revision, runs a deep smoke suite, and only promotes on green — a single failing probe triggers an automatic rollback.

Tested disaster recovery
Postgres backups run continuously with 30-day retention. We run a restore drill quarterly against a throwaway project and record RTO/RPO.

Core Web Vitals monitored
Every page's LCP, INP, CLS, TTFB, and FCP are sampled from real users (RUM) and alerted on when the p75 for any (metric × route) bucket enters the 'poor' band.

Compliance

SOC 2 Type II in progress, GDPR-aligned DPA, and a published sub-processor list with 30-day change notice.

SOC 2 Type II
Audit window open with a Big-4 SOC-2 firm; control map in docs/security/COMPLIANCE_MAP.md. Customers under NDA can request the in-progress Type I report and our SIG-Lite questionnaire.

GDPR / CCPA / APP
DPA available at /dpa (Standard Contractual Clauses for EU data transfers). Sub-processors are listed publicly and customers receive 30 days' written notice before a new sub-processor receives personal data.

Data residency
Production data resides in US-Central Google Cloud regions. EU residency for Enterprise customers is available on request.

Access control & change management
Least-privilege IAM on GCP; production access requires step-up auth and is audit-logged. Every code change is peer-reviewed via CODEOWNERS and gated on the full CI suite before merging.

Questions for procurement? Email security@xeso.ai — we respond within one business day.