Security

How xillix protects your data with enterprise-grade security.

Security is not optional. xillix is built from the ground up to protect your sensitive business documents with the same security practices used by enterprise SaaS providers.

Data Encryption

🔒 Encryption at Rest

All documents and processed data are encrypted at rest using AES-256 encryption. Database backups are encrypted with separate keys.

🔐 Encryption in Transit

All data transmission uses TLS 1.3 with strong cipher suites. API connections and document uploads are encrypted end-to-end.

🔑 Key Management

Encryption keys are managed separately from data stores and rotated regularly. Key access is logged and monitored.

Tenant Isolation

🏢 Multi-Tenant Architecture

LuxonLink Plan: Shared infrastructure with logical isolation. Each customer's data is isolated at the application and database level. No customer can access another customer's data.

🏢 Dedicated Instances

Enterprise Plan: Single-tenant deployment with dedicated compute, storage, and database resources. Physical and logical separation from all other customers.

🔒 Enhanced Security Option

Enterprise Add-On: Isolated network environment with additional firewall rules and VPN access, available by request.

Access Control

👥 Role-Based Access Control (RBAC)

Department-level permissions ensure users only see documents they're authorized to access. Admins control which users have access to which departments.

🔐 Authentication

User authentication via Cloudflare Zero Trust with support for SSO (SAML 2.0), Google Workspace, Microsoft 365, and Okta integration. Multi-factor authentication (MFA) is supported and recommended.

⏱️ Session Management

Sessions expire after inactivity. Admins can revoke access immediately when employees leave or change roles.

Backups & Disaster Recovery

💾 Automated Backups

Daily automated backups of all customer data and configurations. Backups are encrypted and stored in geographically separate locations.

⏮️ Retention Policy

LuxonLink: 30-day backup retention.
Enterprise: Configurable retention (30-90 days standard, longer available).

🔄 Disaster Recovery

Backups are tested monthly. Recovery time objective (RTO) is 4 hours for Enterprise customers, 24 hours for LuxonLink.

Audit Logging

📝 Query Logs

Every user query is logged with timestamp, user identity, question asked, documents retrieved, and answer generated.

🔍 Admin Activity Logs

All administrative actions (user changes, document uploads, configuration changes) are logged and available for export.

📊 Log Retention

LuxonLink: 90-day log retention.
Enterprise: 1-year retention standard, configurable up to 7 years for compliance.

📤 Log Export

Enterprise customers can export audit logs in CSV or JSON format for compliance reporting and SIEM integration.

Infrastructure Security

☁️ Hosting

xillix is hosted on enterprise-grade cloud infrastructure with a 99.9% uptime target. All infrastructure is managed by xillix with regular security patching and updates.

🔥 Network Security

Firewalls, DDoS protection, and intrusion detection systems are in place. Web application firewall (WAF) protects against common attacks (SQL injection, XSS, etc.).

🔐 Cloudflare Zero Trust

Access control and authentication powered by Cloudflare Zero Trust. Every request is verified before reaching xillix infrastructure.

Compliance & Certifications

📋 Current Status

xillix is built to support compliance with common data protection regulations:

  • GDPR: Data processing agreements, data portability, right to deletion
  • CCPA: Privacy controls and data access requests
  • SOC 2: Certification in progress (target Q3 2026)

🏥 Industry-Specific Compliance

HIPAA: Business Associate Agreements (BAA) available for Enterprise customers handling protected health information (PHI).

FERPA: Education customers can deploy with appropriate data handling agreements.

Vulnerability Management

🔍 Security Testing

Regular vulnerability scanning and penetration testing are performed. Third-party security audits are conducted annually.

🐛 Responsible Disclosure

Security researchers can report vulnerabilities to security@xillix.io. We respond to all reports within 48 hours.

🔄 Patch Management

Critical security patches are applied within 24 hours. Routine patches and updates are applied during scheduled maintenance windows with advance notice.

Data Privacy

🚫 No AI Training on Your Data

We never use your documents to train AI models. Your proprietary information, trade secrets, and sensitive data stay private. This is enforced by contract and system architecture.

🔒 Third-Party AI Models

xillix uses OpenAI's API (with your key or ours) for language processing. When using your own API key (BYOK), OpenAI does not train on your data per their API terms. When using xillix-managed keys (Enterprise), we enforce zero data retention policies.

📤 Data Portability

Export your documents and data at any time in standard formats (PDF, DOCX, JSON). No vendor lock-in.

🗑️ Data Deletion

When you cancel, all your data is deleted within 30 days. Enterprise customers can request immediate deletion.

Questions About Security?

Need more details for your security review? We're happy to provide additional documentation, answer technical questions, or schedule a security call.

Contact Security Team