Security and data separation

Security is built into every product in the Luxon Family.

xillix is designed to protect customer data with controlled access, encryption, and clear separation between systems.

When teams need stronger boundaries, deployments can be separated by department or use case.

Security is foundational. xillix protects customer data through encryption, access control, customer isolation, backups, and audit visibility. Your documents are never used to train AI models.

Encryption

🔒 Encryption at rest

Documents, indexed content, and stored data are encrypted at rest.

🔐 Encryption in transit

Data is encrypted in transit between users, services, and storage.

🔑 Key management

Access to encryption keys is controlled and managed separately from customer content.

Customer isolation

Customer data is isolated so one system cannot access another.

🏢 Standard deployments

Data is logically separated so each customer operates independently.

🏢 Separate deployments

When stronger separation is required, xillix can be deployed as separate instances by department, team, or use case.

🔒 What this means in practice

HR, IT, customer service, compliance, and website assistants do not need to share the same system unless you want them to.

Access control

👥 Role-based access

Users only see the documents and content they are allowed to access.

🔐 Authentication

xillix supports controlled login and identity management options such as SSO-capable environments and trusted access workflows.

⏱️ Session management

Access can be reviewed, updated, and removed as teams change.

Backups and recovery

💾 Automated backups

Customer data is backed up and protected so systems can be recovered if something goes wrong.

⏮️ Recovery planning

Backup and recovery processes are designed to reduce risk and support business continuity.

Visibility and auditability

📝 System visibility

xillix provides visibility into system usage, question activity, and document-backed responses so teams can review how the system is being used.

🔍 Audit support

This supports security reviews, operational oversight, and internal accountability.

Infrastructure Security

☁️ Hosting

xillix is hosted on enterprise-grade cloud infrastructure with a 99.9% uptime target. All infrastructure is managed by xillix with regular security patching and updates.

🔥 Network Security

Firewalls, DDoS protection, and intrusion detection systems are in place. A web application firewall (WAF) protects against common attacks (SQL injection, XSS, etc.).

🔐 Cloudflare Zero Trust

Access control and authentication are powered by Cloudflare Zero Trust. Every request is verified before reaching xillix infrastructure.

Compliance & Certifications

📋 Current Status

xillix is built to support compliance with common data protection regulations:

  • GDPR: Data processing agreements, data portability, right to deletion
  • CCPA: Privacy controls and data access requests
  • SOC 2: Certification in progress (target Q3 2026)

🏥 Industry-Specific Compliance

HIPAA: Business Associate Agreements (BAA) available for Enterprise customers handling protected health information (PHI).

FERPA: Education customers can deploy with appropriate data handling agreements.

Vulnerability Management

🔍 Security Testing

Vulnerability scanning and penetration testing are performed regularly. Third-party security audits are conducted annually.

🐛 Responsible Disclosure

Security researchers can report vulnerabilities to security@xillix.io. We respond to all reports within 48 hours.

🔄 Patch Management

Critical security patches are applied within 24 hours. Routine patches and updates are applied during scheduled maintenance windows with advance notice.

Your data stays yours

🚫 Your documents stay yours

Customer documents are not used to train AI models. Your data is only used to operate your system and return answers within your environment.

🔒 Third-party AI models

xillix uses managed AI model access to process language. We enforce data handling practices that keep customer content private.

📤 Data Portability

Export your documents and data at any time in standard formats (PDF, DOCX, JSON). No vendor lock-in.

🗑️ Data Deletion

When you cancel, all your data is deleted within 30 days. Enterprise customers can request immediate deletion.

Need to review security for your use case?

Talk to xillix about deployment structure, data separation, and the right setup for your team.
