Security is not a feature. It's the foundation.

Enterprise-grade security by default. Read-only access. Your credentials encrypted at rest.

  • AES-256-GCM: Encryption at rest
  • bcrypt hashing: Password storage
  • JWT + refresh tokens: Session management
  • SOC 2 Type II: In progress

Credential security

When you connect a cloud account, Xplorr stores your credentials (IAM role ARN, service principal ID, or service account key) in a dedicated secrets vault.

  • Encrypted at rest with AES-256-GCM, the same standard used by financial institutions.
  • Stored in a separate infrastructure environment from application data -- a breach of the app database does not expose credentials.
  • Accessed only by the background sync process on a need-to-use basis. Credentials are decrypted in memory for the duration of the API call, then discarded.
  • Never logged, never included in error reports, never transmitted to third parties.

We strongly recommend creating a dedicated read-only IAM role or service account for Xplorr, rather than using existing credentials. Our onboarding wizard generates the exact IAM policy JSON needed.

What we can and cannot do

What we can access

  • Billing and cost data
  • Resource metadata (instance type, region)
  • CloudWatch / Azure Monitor metrics
  • Cost allocation tags

What we cannot do

  • Create or modify cloud resources
  • Delete resources or data
  • Change IAM policies or permissions
  • Access your application data or databases
  • Make purchases or change billing settings
  • Access secrets, environment variables, or credentials
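A way to check a policy against the two lists above before attaching it to the dedicated role. This is an added example, not Xplorr's code or the policy its wizard generates; the sample policy, the read-verb convention and the sensitive-read list are assumptions made for illustration.

```python
import fnmatch
import json

# Assumption: AWS read actions follow the Get/List/Describe naming convention.
READ_VERBS = ("get", "list", "describe", "view", "batchget", "search", "lookup")
# Read-style AWS actions that return secrets, environment variables or
# application data, which the lists above place out of reach.
SENSITIVE_READS = ("secretsmanager:getsecretvalue", "ssm:getparameter*",
                   "lambda:getfunction*", "s3:getobject*",
                   "dynamodb:getitem", "dynamodb:batchgetitem")

# Constructed sample policy: one acceptable statement, one that is too broad.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CostAndMetrics", "Effect": "Allow",
         "Action": ["ce:GetCostAndUsage", "cloudwatch:GetMetricData",
                    "ec2:DescribeInstances", "tag:GetResources"],
         "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["ec2:*", "ssm:Get*", "iam:PutRolePolicy"],
         "Resource": "*"},
    ],
})

def _as_list(value):
    # IAM allows a single object or string where a list is also valid.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (sid, action, reason) for every grant beyond read-only."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            act = action.lower()  # IAM action names are case-insensitive
            name = act.partition(":")[2]
            if not name.startswith(READ_VERBS):
                findings.append((sid, action, "not a read-only action"))
            elif any(fnmatch.fnmatchcase(s, act) or fnmatch.fnmatchcase(act, s)
                     for s in SENSITIVE_READS):
                findings.append((sid, action, "reads secrets or application data"))
    return findings

if __name__ == "__main__":
    print(*audit_policy(SAMPLE_POLICY), sep="\n")
```

The check is deliberately conservative: a wildcard that does not begin with a full read verb is reported even if it would only expand to read actions.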

Authentication

  • Password hashing: bcrypt with cost factor 12. Passwords are never stored in plaintext.
  • Session tokens: Short-lived JWTs (1 hour) with refresh token rotation.
  • Token storage: Refresh tokens are hashed in the database using SHA-256.
  • Transport security: TLS 1.2+ enforced everywhere. HTTP Strict Transport Security enabled.
  • Rate limiting: Login and API endpoints are rate-limited to prevent brute force.
  • SSO: SAML 2.0 SSO available on Enterprise plan. Supports Okta, Azure AD, Google Workspace.
  • Account lockout: Accounts are temporarily locked after 10 consecutive failed login attempts.
  • Audit logs: All admin actions, login events, and credential access are logged (Enterprise plan).

Infrastructure

Cloud hosting

Hosted on AWS in eu-west-1 (Ireland) with multi-AZ redundancy for all stateful services.

Data encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups encrypted.

Network isolation

Services run in private subnets with no direct internet access. Public surface is minimal.

Backups

Automated daily database backups with 30-day retention. Point-in-time recovery enabled.

Incident response

We will notify affected users within 72 hours of any confirmed security incident, per GDPR Article 33.

Monitoring

Continuous uptime and performance monitoring with automated alerting for anomalies.

SOC 2 Type II

We are currently undergoing a SOC 2 Type II audit with an independent third-party auditor. This covers security, availability, and confidentiality. Enterprise customers can request our current security questionnaire and trust documentation.

In progress -- targeting Q3 2026

Questions or concerns?

Email our security team directly. We respond within 24 hours.

[email protected]