Security Overview

Our commitment to safeguarding your operational data.

1. Platform Architecture

XOLeap is a multi-tenant SaaS platform hosted on hardened cloud infrastructure. Each organization is isolated at the application and database layers using scoped organization IDs, row-level policies, and encrypted credentials per account.
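As an added illustration of the tenant isolation described above (example SQL, not XOLeap's own schema or policies; the `invoices` table, the `app_user` role, and the `app.current_org` setting are assumed), this is how a scoped organization ID and a row-level policy combine in PostgreSQL, with the weak read-only policy shown beside the hardened one:

```sql
-- Added illustration (hypothetical schema): PostgreSQL row-level security
-- keyed on a per-request organization ID.
CREATE TABLE invoices (
    id         bigserial PRIMARY KEY,
    org_id     uuid NOT NULL,
    amount     numeric(12,2) NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that does not own the table. Owners
-- and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- apply to the owner as well

-- Weak version: a SELECT-only policy filters reads but leaves INSERT and
-- UPDATE free to write rows carrying another tenant's org_id.
-- CREATE POLICY invoices_read ON invoices FOR SELECT TO app_user
--     USING (org_id = current_setting('app.current_org')::uuid);

-- Hardened version: one policy for every command. USING limits the rows a
-- statement can see or modify; WITH CHECK rejects new or updated rows whose
-- org_id differs from the caller's. If the setting is unset or empty, the
-- uuid cast raises an error instead of silently matching every row.
CREATE POLICY invoices_tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (org_id = current_setting('app.current_org')::uuid)
    WITH CHECK (org_id = current_setting('app.current_org')::uuid);

-- Per request, pin the tenant for the current transaction only. SET LOCAL
-- is undone at COMMIT or ROLLBACK, so a pooled connection cannot carry the
-- previous request's scope into the next one.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (org_id, amount)
    VALUES ('11111111-1111-1111-1111-111111111111', 42.00);
SELECT id, amount FROM invoices;   -- returns only this organization's rows
COMMIT;

-- A write aimed at another tenant fails the WITH CHECK clause with
-- "new row violates row-level security policy" and aborts the transaction.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (org_id, amount)
    VALUES ('22222222-2222-2222-2222-222222222222', 9.99);
ROLLBACK;
```

The points a reviewer checks in a setup like this are that the application role is not the table owner (or that FORCE ROW LEVEL SECURITY is on), that every policy has a WITH CHECK clause and not just USING, and that the tenant setting is established with SET LOCAL inside the transaction rather than with a session-wide SET on a pooled connection.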

2. Data Protection

  • Encryption in transit via TLS 1.2+ and encryption at rest for databases, backups, and object storage.
  • Secrets management with rotation policies for API keys, credentials, and webhook signing secrets.
  • Access to production data restricted to vetted personnel following least-privilege principles.

3. Application Security

We enforce secure SDLC practices, automated dependency scanning, peer review, and continuous testing. Critical workflows (billing, tax, integrations) include audit logging, rate limiting, CSRF protection, and validation to prevent cross-tenant data exposure.

4. Compliance & Monitoring

Environment and access logs are aggregated, retained, and monitored for anomalies. We conduct recurring vulnerability scans and engage external auditors for penetration testing. Customers can request current compliance reports via security@xoleap.com.

5. Incident Response

A dedicated on-call team monitors alerts 24/7. In the event of an incident, we follow a defined triage, containment, and notification runbook. Affected customers will be notified without undue delay and provided with status updates and remediation guidance.

6. Customer Controls

  • Role-based access control with granular permissions per module.
  • Multi-factor authentication and SSO options for supported plans.
  • Audit trails for inventory, tax, billing, integrations, and admin changes.

7. Report a Vulnerability

We welcome responsible disclosure. Email suspected issues to security@xoleap.com with relevant details, and our security team will respond swiftly.