Security and data separation

Security is built into every product in the Luxon Family.

xillix is designed to protect customer data with controlled access, encryption, and clear separation between systems.

When teams need stronger boundaries, deployments can be separated by department or use case.

Security is foundational. xillix protects customer data through encryption, access control, customer isolation, backups, and audit visibility. Your documents are never used to train AI models.

Encryption

🔒 Encryption at rest

Documents, indexed content, and stored data are encrypted at rest.

🔐 Encryption in transit

Data is encrypted in transit between users, services, and storage.

🔑 Key management

Access to encryption keys is controlled and managed separately from customer content.

Customer isolation

Customer data is isolated so one system cannot access another.

🏢 Standard deployments

Data is logically separated so each customer operates independently.

🏢 Separate deployments

When stronger separation is required, xillix can be deployed as separate instances by department, team, or use case.

🔒 What this means in practice

HR, IT, customer service, compliance, and website assistants do not need to share the same system unless you want them to.

Access control

👥 Role-based access

Users only see the documents and content they are allowed to access.

🔐 Authentication

xillix supports controlled login and identity management options such as SSO-capable environments and trusted access workflows.

⏱️ Session management

Access can be reviewed, updated, and removed as teams change.

Backups and recovery

💾 Automated backups

Customer data is backed up and protected so systems can be recovered if something goes wrong.

⏮️ Recovery planning

Backup and recovery processes are designed to reduce risk and support business continuity.

Visibility and auditability

📝 System visibility

xillix provides visibility into system usage, question activity, and document-backed responses so teams can review how the system is being used.

🔍 Audit support

This supports security reviews, operational oversight, and internal accountability.

Infrastructure Security

☁️ Hosting

xillix is hosted on cloud infrastructure selected for reliability, security controls, and operational visibility. Infrastructure is managed by xillix with ongoing patching and updates.

🔥 Network Security

Standard deployments use layered network protections such as firewall rules, provider-level DDoS mitigation, TLS, access controls, logging, and monitored service boundaries. Specific WAF, intrusion detection, and traffic filtering controls depend on the deployment and hosting configuration.

🔐 Access Gateway Options

Cloudflare-based access controls, including Zero Trust-style policies, can be used where the deployment requires them. Availability depends on the product plan, customer requirements, and agreed implementation.

Security details and availability

Standard baseline controls

Baseline hosted deployments include TLS, managed infrastructure, access control, customer data separation, operational logging, backup planning, and security patching based on severity and exposure.

Deployment-dependent controls

Controls such as dedicated instances, custom WAF rules, Cloudflare Zero Trust policies, SSO, advanced audit retention, regional hosting, and enterprise review workflows are scoped during implementation or enterprise contracting.

Compliance support

xillix can support security and privacy reviews with documentation, DPAs where applicable, and deployment discussions. This page does not claim formal certifications unless they are explicitly listed in a signed agreement or current security document.

Compliance & Certifications

📋 Current Status

xillix is designed to support customer compliance reviews for common data protection requirements:

  • GDPR support: Data processing agreements, data portability, and deletion workflows where applicable
  • CCPA support: Privacy controls and data access request support where applicable

🏥 Regulated Data Review

Healthcare, education, and other regulated data use cases require security, privacy, and contracting review before deployment.

Vulnerability Management

🔍 Security Testing

Security testing practices can include vulnerability scanning, dependency review, and targeted testing based on deployment requirements.

🐛 Responsible Disclosure

Security researchers can report vulnerabilities to [email protected]. Reports are reviewed and prioritized based on severity and impact.

🔄 Patch Management

Security patches are prioritized based on severity, exposure, and operational risk. Routine patches and updates are applied during planned maintenance windows when practical.

Your data stays yours

🚫 Your documents stay yours

Customer documents are not used to train AI models. Your data is only used to operate your system and return answers within your environment.

🔒 Third-party AI models

xillix uses managed AI model access to process language. We enforce data handling practices that keep customer content private.

📤 Data Portability

Export your documents and data at any time in standard formats (PDF, DOCX, JSON). No vendor lock-in.

🗑️ Data Deletion

When you cancel, all your data is deleted within 30 days. Enterprise customers can request immediate deletion.

Need to review security for your use case?

Talk to xillix about deployment structure, data separation, and the right setup for your team.
