Security Questionnaire
Pre-filled answers to common vendor security questions. Download or share with your procurement team.
| # | Category | Question | Answer |
|---|---|---|---|
| 1 | General | What does your product do? | Xplorr is a multi-cloud cost management platform that connects to AWS, Azure, and GCP via read-only credentials to provide cost visibility, anomaly detection, recommendations, and reporting. |
| 2 | General | Where is data stored? | Customer cloud billing data is stored in a PostgreSQL database hosted on the customer's preferred infrastructure (self-hosted K8s or managed). |
| 3 | Authentication | How do users authenticate? | Email/password with mandatory 2FA (TOTP or WebAuthn/passkeys), or SAML SSO (Okta, Azure AD, OneLogin). |
| 4 | Authentication | Do you support SSO? | Yes. SAML 2.0 with auto-provisioning, domain detection, and mandatory SSO enforcement per org. |
| 5 | Authentication | Do you support MFA? | Yes. TOTP (Google Authenticator, Authy) and WebAuthn (Touch ID, Windows Hello, YubiKey). Mandatory 2FA can be enforced org-wide. |
| 6 | Encryption | Is data encrypted at rest? | Yes. Cloud credentials are encrypted with AES-256-GCM. Database at rest encryption depends on the hosting provider's storage encryption. |
| 7 | Encryption | Is data encrypted in transit? | Yes. All connections use TLS 1.2+. Internal service-to-service communication is within the Kubernetes cluster network. |
| 8 | Access Control | How is access controlled? | RBAC with 4 roles (admin, member, viewer, super_admin). Per-cloud-account access scoping. Approval workflows for high-value actions. |
| 9 | Access Control | Can access be scoped to specific cloud accounts? | Yes. Non-admin users can be restricted to specific cloud accounts. They only see costs, recommendations, and alerts for their assigned accounts. |
| 10 | Audit | Do you maintain audit logs? | Yes. All significant actions (user changes, account connections, recommendation actions, settings changes) are logged with user, IP, timestamp, and resource details. Exportable as CSV. |
| 11 | Audit | What is the audit log retention period? | 14 days by default. Configurable for enterprise customers. |
| 12 | Cloud Access | What permissions do you require on our cloud accounts? | Read-only. AWS: IAM Role with Cost Explorer read access. Azure: Service Principal with Reader role. GCP: Service Account with Billing Viewer + Cloud Asset Viewer. |
| 13 | Cloud Access | Can you modify or delete our cloud resources? | No. All connections are strictly read-only. Xplorr cannot create, modify, or delete any cloud resources. |
| 14 | Data | What data do you collect from our cloud accounts? | Billing/cost data (service, region, amount, date, tags), resource inventory metadata (instance types, sizes, status). No application data, logs, or PII from workloads. |
| 15 | Data | Can we delete our data? | Yes. Org admins can close their account, which deletes all associated data. Data deletion is immediate and irreversible. |
| 16 | Incident Response | What is your incident response process? | Incidents are detected via automated monitoring (Gatus). Critical incidents trigger an immediate response. Affected customers are notified within 1 hour. Post-incident reports are provided within 5 business days. |
| 17 | Compliance | Do you have SOC 2? | SOC 2 Type II certification is in progress (expected Q3 2026). |
| 18 | Compliance | Are you GDPR compliant? | Yes. We offer a Data Processing Agreement (DPA) and process data according to GDPR principles. |
| 19 | Infrastructure | Where do you host your platform? | Self-hosted Kubernetes (k3s) with plans to offer multi-region deployment. |
| 20 | Infrastructure | Do you use sub-processors? | Yes. See our DPA for the full list. Key sub-processors: Resend (email), OpenAI (AI analysis), Sentry (error monitoring), Cloudflare (CDN/DNS). |
| 21 | Business Continuity | Do you have backups? | Yes. Daily automated PostgreSQL backups. |
| 22 | Business Continuity | What is your SLA? | 99.9% monthly uptime for paid plans. See xplorr.io/sla for details. |
Need a custom format?
Contact [email protected] and we'll fill out your specific questionnaire (SIG Lite, CAIQ, or custom).