Compliance roadmap
XELIA operates today with controls designed to align with recognized frameworks. The distinction between "aligned" and "certified" matters, and we state it plainly: we are in progress, not at the finish line.
Technical controls in production
Each of the following controls is active today on production infrastructure and verified empirically on every deploy.
Multi-tenant isolation
- PostgreSQL Row-Level Security (RLS) with `tenant_isolation_*` policies on every operational table.
- Defense in depth: application-layer isolation plus row-level isolation at the database tier.
- Per-request bridge using AsyncLocalStorage to guarantee tenant context on every query.
Encryption
- At rest: PostgreSQL `pgcrypto` over sensitive PII fields (tokens, connector credentials).
- In transit: TLS 1.3 enforced; HSTS with `preload` + `includeSubDomains`.
- Key rotation tracked in `secret_inventory`.
Authentication and authorization
- Better Auth (self-hosted) with `organization`, `phoneNumber`, and `twoFactor` plugins.
- Sessions with `HttpOnly`, `Secure`, `SameSite=Lax` cookies.
- RBAC: explicit allowlist for platform admins; all other users scope-limited.
Audit and observability
- `audit_log`: every authenticated HTTP call (action, method, path, status, request_id, user_id, tenant_id, timestamp). Minimum retention 90 days.
- `security_events`: security incidents (auth failures, RLS bypass attempts, suspicious patterns). Minimum retention 1 year.
- `ai_audit_log` + `legal_consent_ledger`: per-decision evidence for GDPR Art. 22 / LFPDPPP.
Input validation and webhook signing
- Zod on every endpoint that accepts user input; HTTP sanitizer ahead of the handler (XSS, injection, traversal, prototype pollution).
- Webhooks verified by cryptographic signature before any side effect: Stripe (`whsec_`), Twilio (HMAC-SHA1), Meta (HMAC-SHA256).
Resilience and backups
- Daily encrypted backups; recovery runbook `scripts/restore-procedure.md` verified.
- Automated post-deploy verification (`scripts/verify-production.sh`, 10 critical checks).
- Rollback runbook with < 5 min objective for code reversion.
Public documents
- Privacy Notice — compatible with LFPDPPP, GDPR, and regional equivalents.
- Terms and Conditions — service rights and obligations.
- Data Processing Agreement (DPA) — GDPR Art. 28 and equivalents; e-signature available.
- Cookies Policy — categories and opt-out.
- Subprocessor list — who, where, and for what.
Detailed security whitepaper. Available on request to evaluating customers. Email security@xelia.ai with your organization; we typically respond within 24 business hours.
Incident and vulnerability reporting
If you discover a vulnerability or suspect an incident affecting XELIA or your data, contact us through the dedicated channel. We take every report seriously and respond within 24 business hours for security incidents.
We do not currently operate a paid bug-bounty program. We will publicly acknowledge responsible researchers (with their consent) on a thanks page when the formal program launches in 2027.
What we do not claim
XELIA is not certified in SOC 2 or ISO 27001 as of today. Certifications are 6–12 month processes with independent auditors; we are in preparation.
We do not display badges for certifications we do not hold. When we obtain each certification, we will publish on this same page the SOC 2 report (executive summary) or the ISO certificate with its number and validity dates.
Any commercial message or marketing piece claiming otherwise is an error — please report it to security@xelia.ai so we can correct it.