Security

Data protection

• TLS 1.2+ for all data in transit, with HSTS enforced.
• AES-256 encryption at rest in managed Postgres.
• Sensitive identifiers are encrypted at the column level.
• Encrypted backups with 30-day point-in-time recovery.

Access controls

• Role-based access enforced through Better Auth, with optional 2FA.
• Privileged actions are audited and reviewed.
• Cross-app traffic uses short-lived signed tokens issued by the central auth server.

Infrastructure

• Hosted on SOC 2-compliant cloud providers.
• Network isolation between auth, application, and analytics workloads.
• Continuous dependency scanning and quarterly penetration testing.

Incident response

We follow a documented incident response plan. Affected users are notified within 72 hours of a confirmed incident, alongside the steps we are taking to remediate.

Reporting a vulnerability

Disclose suspected vulnerabilities responsibly. Email support@xcapesuite.com with reproduction steps. We acknowledge reports within one business day.