Our Commitment to Security
At Xische OS, we take the security of your data seriously. We implement industry-standard security measures to protect your information and ensure the integrity of our Service.
Encryption
Encryption at Rest
All data stored in our database is encrypted at rest using AES-256. This protects your data if the underlying storage media are lost, stolen, or otherwise compromised; access to that data through the application itself is governed by the access controls described below.
Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3. This protects your data from interception or tampering while it travels over the internet.
Weekly Backups
We perform automated weekly backups of all tenant data, so a restore from backup can lose up to seven days of changes made after the most recent backup. Backups are:
- Stored in encrypted storage
- Retained for 90 days
- Tested regularly to ensure recoverability
- Accessible only to authorized personnel
Row-Level Security (RLS)
Our database implements Row-Level Security policies so that:
- Each tenant can only access its own data
- Users can only perform actions permitted by their role
- Data isolation is enforced by the database itself, not only by application code
- Queries that would read or modify rows outside the caller's tenant return no rows or are rejected
Access Control
We implement multiple layers of access control:
- Authentication: Google OAuth for secure login
- Authorization: Role-based access control (RBAC)
- Session Management: Secure session tokens with expiration
- API Security: All API requests require authentication
Role-Based Permissions
Access to features and data is controlled by user roles:
- Admin: Full access to tenant data and settings
- Project Manager: Access to projects, suppliers, and procurement
- General User: Limited access to assigned projects and leads
- Timesheet Only: Access only to timesheet functionality
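The following is an added illustration, not Xische OS's own schema or policies, of how the Row-Level Security and role-based permissions described above fit together on a Postgres database such as Supabase. The tables (tenant_members, projects), the column names, and the role strings are assumptions chosen to match the roles listed above; auth.uid(), which returns the signed-in user's id from the request's JWT, is a Supabase-provided function.

```sql
-- Added example (assumed schema, not Xische OS's own): tenant isolation and
-- role gating enforced by Postgres Row-Level Security rather than by app code.

-- Which users belong to which tenant, and with which role.
create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,   -- the same id that auth.uid() returns (Supabase)
  role      text not null
    check (role in ('admin', 'project_manager', 'general_user', 'timesheet_only')),
  primary key (tenant_id, user_id)
);

-- A tenant-owned table; every row carries the tenant it belongs to.
create table projects (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  name      text not null
);

-- Policies are ignored until RLS is switched on for the table.
alter table projects enable row level security;

-- Helper: is the caller a member of p_tenant, optionally holding one of p_roles?
-- security definer so the membership lookup itself is not filtered by RLS
-- on tenant_members (which should carry its own, separate policies).
create or replace function is_tenant_member(p_tenant uuid, p_roles text[] default null)
returns boolean
language sql
security definer
stable
set search_path = public
as $$
  select exists (
    select 1
    from tenant_members m
    where m.tenant_id = p_tenant
      and m.user_id = auth.uid()
      and (p_roles is null or m.role = any (p_roles))
  );
$$;

-- Read: any member of a tenant sees that tenant's projects and nothing else.
create policy projects_select on projects
  for select
  using (is_tenant_member(tenant_id));

-- Write: only admins and project managers of the tenant may create projects.
-- WITH CHECK is evaluated against the new row, so an INSERT naming a
-- different tenant_id is rejected with a row-level security error.
create policy projects_insert on projects
  for insert
  with check (is_tenant_member(tenant_id, array['admin', 'project_manager']));

-- USING selects which existing rows may be updated; WITH CHECK also blocks
-- an UPDATE that tries to move a row into another tenant.
create policy projects_update on projects
  for update
  using      (is_tenant_member(tenant_id, array['admin', 'project_manager']))
  with check (is_tenant_member(tenant_id, array['admin', 'project_manager']));

-- Deleting projects is reserved for tenant admins.
create policy projects_delete on projects
  for delete
  using (is_tenant_member(tenant_id, array['admin']));

-- From a session carrying a user's JWT (for example through the Supabase API):
--   select * from projects;          -- returns only the caller's tenant's rows
--   insert into projects (tenant_id, name) values ('<other tenant id>', 'x');
--                                    -- fails: new row violates row-level security policy
```

The point of the design is that the filter lives in the database: a bug that forgets a `where tenant_id = ...` clause in application code, or a user who edits a tenant id in a request, still cannot read or write another tenant's rows. Two caveats apply in practice: connections that use a role with the BYPASSRLS attribute or the table owner (unless `alter table ... force row level security` is set) are not subject to these policies, so such credentials must never reach client-facing code paths; and tenant_members itself needs policies, or a user could grant themselves membership.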
Incident Management Procedures
In the event of a security incident, we follow these procedures:
- Detection: Automated monitoring and alerting systems
- Assessment: Immediate evaluation of the incident scope
- Containment: Rapid action to prevent further impact
- Notification: Affected users notified within 72 hours
- Remediation: Fix vulnerabilities and restore services
- Review: Post-incident analysis and improvements
Infrastructure Security
Our infrastructure is built on secure, industry-leading platforms:
- Supabase: SOC 2 Type II compliant database and storage
- Vercel: Secure hosting with DDoS protection
- Stripe: PCI DSS Level 1 compliant payment processing
Security Monitoring
We continuously monitor our systems for:
- Unauthorized access attempts
- Unusual activity patterns
- System vulnerabilities
- Performance anomalies
Vulnerability Management
We maintain a proactive vulnerability management program:
- Regular security audits
- Dependency updates and patches
- Penetration testing
- Adherence to security best practices
Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours
- Provide details of what information was affected
- Explain steps taken to address the breach
- Offer guidance on protective measures
- Comply with applicable data breach notification laws
Your Role in Security
You can help keep your account secure by:
- Using a strong, unique password for your Google account
- Enabling two-factor authentication on your Google account
- Not sharing your account credentials
- Logging out when using shared devices
- Reporting suspicious activity immediately
Reporting Security Issues
If you discover a security vulnerability, please report it to us immediately at:
Email: security@xischeos.com
Please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
We appreciate responsible disclosure and will work with you to address any security concerns.
Compliance
While we aim for best-in-class security practices, Xische OS MVP currently focuses on:
- Basic GDPR compliance (data export and deletion rights)
- Industry-standard encryption and access controls
- Secure authentication and authorization
Future phases may include SOC 2, ISO 27001, or other certifications as needed.