security & compliance
A security product worth trusting.
We attack production systems for a living. The platform itself is built to the same standard we expect from our targets — encrypted, isolated, auditable, and safe-by-default.
Platform controls
Encrypted at rest + in transit
TLS 1.3 everywhere. AES-256 at rest on managed Postgres + object storage. Per-tenant encryption keys via the platform KMS.
Strict tenant isolation
Row-level security on every multi-tenant table. The service role never crosses workspace boundaries in application code.
Least-privilege secrets
API keys are hashed (Argon2id) before storage. Plaintext is shown once at creation and never recoverable. Per-key scopes + revocation.
EU-region data residency
All scan data, evidence, reports, and backups stay in EU regions. No cross-region replication without explicit opt-in.
Webhook signing
Every outgoing webhook is signed with HMAC-SHA256 (X-Xalgorix-Signature). Replay window: 5 minutes.
Audit log
Team plan and above: every credential rotation, scan start, finding export, and member change is recorded with actor + IP + UA.
MFA + SSO
TOTP MFA for all plans. SAML SSO via Google Workspace on Team plans; Okta/Azure AD on Enterprise.
Vendor sub-processors
Short, public list. We notify customers 30 days before adding a new sub-processor.
Compliance
Current posture and what's on the audit calendar.
DPA, sub-processor list, and pen-test summary letter available on request — security@xalgorix.com.
Safe in production
The hardest part of any active scanner is staying safe against real traffic. These are the guardrails we ship by default.
Responsible disclosure
Found something? We'd genuinely like to hear it. Send a PoC to security@xalgorix.com. PGP key at /.well-known/security.txt. We respond within 24h, coordinate on a 90-day window, and credit you publicly unless you'd rather stay anonymous.