Enterprise-grade security, by default

We handle credentials and billing data for engineering teams. That means we hold a position of serious trust. Here is exactly what we do with it.

🔐 AES-256-GCM
🔒 bcrypt hashing
🪙 JWT auth
📋 SOC 2 in progress

Credential Security

When you connect a cloud account, Xplorr stores your credentials (IAM role ARN, service principal ID, or service account key) in a dedicated secrets vault. This vault is:

  • Encrypted at rest with AES-256-GCM, the same standard used by financial institutions.
  • Stored in a separate infrastructure environment from application data — a breach of the app database does not expose credentials.
  • Accessed only by the background sync process on a need-to-use basis. Credentials are decrypted in memory for the duration of the API call, then discarded.
  • Never logged, never included in error reports, never transmitted to third parties.

We strongly recommend creating a dedicated read-only IAM role or service account for Xplorr, rather than using existing credentials. Our onboarding wizard generates the exact IAM policy JSON needed.

What We Can and Cannot Do

Can do:

  • Read billing and cost data
  • Read resource metadata (instance type, region)
  • Read CloudWatch / Azure Monitor metrics
  • Read cost allocation tags

Cannot do:

  • Create or modify cloud resources
  • Delete resources or data
  • Change IAM policies or permissions
  • Access your application data or databases
  • Make purchases or change billing settings
  • Access secrets, environment variables, or credentials
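
A customer-side check of the read-only scope described above, as an added example (not Xplorr's code and not the policy its onboarding wizard generates): it audits an AWS IAM policy document before the role is connected and flags any Allow that goes beyond the "can do" list. The verb list, the short list of sensitive reads, and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# Assumption: verbs treated as read-only by naming convention (lowercased).
READ_VERBS = ("get", "list", "describe", "view")
# Assumption: non-exhaustive reads that expose secrets or application data.
SENSITIVE_READS = (
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "s3:GetObject",
    "dynamodb:GetItem", "lambda:GetFunctionConfiguration",
)

# Constructed sample policy for the demo; not a vendor-supplied policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ce:GetCostAndUsage", "ec2:Describe*",
            "cloudwatch:GetMetricData", "tag:GetResources"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:StopInstances", "s3:Get*", "iam:*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify(action):
    """Return a reason if the action pattern exceeds read-only scope, else None."""
    pattern = action.lower()  # IAM action names are case-insensitive
    _, _, verb = pattern.partition(":")
    if verb in ("", "*"):
        return "wildcard over a whole service"
    if not verb.startswith(READ_VERBS):
        return "not a read-only verb"
    # A read wildcard such as s3:Get* also covers object and secret reads.
    if any(fnmatch.fnmatchcase(s.lower(), pattern) for s in SENSITIVE_READS):
        return "read that exposes secrets or application data"
    return None

def audit_policy(policy):
    """List (statement index, action, reason) for every over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows all but the listed actions"))
        for action in _as_list(stmt.get("Action", [])):
            reason = classify(action)
            if reason:
                findings.append((i, action, reason))
    return findings
```

An empty result from audit_policy means every Allow statement stays within read verbs and avoids the listed sensitive reads; it does not evaluate Resource scoping or Condition keys.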

Authentication Security

  • Password hashing: bcrypt with cost factor 12. Passwords are never stored in plaintext.
  • Session tokens: Short-lived JWTs (1 hour) with refresh token rotation.
  • Token storage: Refresh tokens are hashed in the database using SHA-256.
  • Transport security: TLS 1.2+ enforced everywhere. HTTP Strict Transport Security enabled.
  • Rate limiting: Login and API endpoints are rate-limited to prevent brute force.
  • SSO: SAML 2.0 SSO available on Enterprise plan. Supports Okta, Azure AD, Google Workspace.
  • Account lockout: Accounts are temporarily locked after 10 consecutive failed login attempts.
  • Audit logs: All admin actions, login events, and credential access are logged (Enterprise plan).

Infrastructure

🌐 Cloud hosting

Hosted on AWS in eu-west-1 (Ireland) with multi-AZ redundancy for all stateful services.

🔐 Data encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups encrypted.

🧱 Network isolation

Services run in private subnets with no direct internet access. Public surface is minimal.

📋 SOC 2 Type II

SOC 2 Type II audit in progress with an independent auditor. Report expected Q3 2026.

🔄 Backups

Automated daily database backups with 30-day retention. Point-in-time recovery enabled.

🚨 Incident response

We will notify affected users within 72 hours of any confirmed security incident, per GDPR Article 33.

🏆 SOC 2 Type II — In Progress

We are currently undergoing a SOC 2 Type II audit with an independent third-party auditor. This covers security, availability, and confidentiality. We expect to publish the report in Q3 2026. Enterprise customers can request our current security questionnaire and trust documentation.

Questions or concerns?

Email our security team at [email protected]. We respond within 24 hours.