Trust Center
Security & compliance at XOR
XOR builds verification infrastructure and training environments for security AI. We hold ourselves to the standards we help our customers meet. This page summarizes our security posture, compliance status, and the documentation we share with prospects and customers. For anything not covered here, email security@xor.tech.
Compliance & certifications
We report status honestly — including what is in progress or planned rather than complete.
EU GDPR-aligned processing. Privacy policy published; DPA in preparation.
Controls mapped to CAIQ v4 domains; CSA CAIQ self-assessment in preparation.
Controls mapped to the SOC 2 Trust Services Criteria; SOC 2 audit engagement on the roadmap (not yet started).
On the compliance roadmap.
Continuous internal adversarial security testing today; independent third-party assessment on the compliance roadmap.
Security overview
Infrastructure
- Cloud-native deployment on Google Cloud with least-privilege IAM.
- Secrets stored in Google Secret Manager — never on disk, never in source.
- Network egress restricted; benchmark workloads run in isolated containers.
Application security
- Static analysis (Semgrep), dependency and container scanning (Trivy, Grype, OSV) — CI-gating in progress.
- Secret scanning (TruffleHog) available; pre-commit/CI gating in progress.
- All code changes reviewed before merge.
Data protection
- Customer data encrypted in transit (TLS 1.2+) and at rest.
- Data minimization — we collect only what the product requires.
- Subprocessors listed publicly below.
Operations
- Documented incident response with US + EU follow-the-sun on-call — under 60-minute acknowledgement, 24/7.
- Critical issues remediated within 24 hours (e.g. the litellm upstream-dependency vulnerability).
- Audit logging across production systems.
- Vulnerability disclosure: security@xor.tech.
Documents
Public documents are linked directly. Confidential documents are shared with verified prospects under confidentiality terms — request access below.
- Privacy PolicyPublic
How we collect, process, and protect personal data under GDPR.
- Terms of ServicePublic
Terms governing use of XOR products.
- Data Processing Agreement (DPA)On request
Standard DPA covering controller/processor obligations and SCCs (in preparation).
- CAIQ — Consensus Assessments Initiative QuestionnaireOn request
CSA CAIQ self-assessment, mapped to our controls (in preparation).
- Security & infrastructure hardening overviewOn request
How XOR systems and the product are hardened.
Subprocessors
Third parties that may process data on our behalf — customer-data/infrastructure sub-processors first, then website-visitor-data processors. The same register also generates the data-processor disclosure in our privacy policy.
| Subprocessor | Purpose | Region |
|---|---|---|
| Google Cloud | Compute, storage, Secret Manager, databases | US (primary); EU |
| Anthropic, PBC | LLM inference | US |
| OpenAI | LLM inference | US |
| Google Vertex AI | LLM inference (Gemini; Anthropic-via-Vertex) | US / regional |
| OpenRouter | LLM inference routing (open-weight models) | US |
| GitHub, Inc. | Source hosting; repo mirroring (scoped App tokens) | US |
| Docker Hub | Container image source (authenticated) | US |
| Sentry | Error monitoring / crash capture | US |
| Resend Inc. | Transactional email | US |
| Vercel Inc. | Website hosting, edge network | US (EU edge) |
| PostHog | Product/website analytics | EU (eu.i.posthog.com) |
| Plausible | Website analytics (cookie-free) | EU |
| Google Analytics | Website page/event analytics | US |
| Microsoft Clarity | Heatmaps / session replay (consent-gated) | US |
| Leadpipe | Visitor identification (US) | US |
| Warmly AI | Visitor identification | US |