Security & Compliance
How we protect client data, what we are certified against, and what to expect during a vendor review.
Our security posture
Security is owned at the principal level, not delegated to a checkbox role. We run a defense-in-depth program built on zero-trust principles: every request authenticated, every privilege minimal, every action logged. We assume breach, design for blast-radius containment, and run regular tabletop exercises to test what would happen if we were wrong about something. This page describes the controls in production today. A full security review pack, including our controls documentation, network diagrams, and policy excerpts under NDA, is available from security@xperion.ai.
Compliance posture
We are a small senior firm and we are honest about where we are: we build to recognised control frameworks and are working toward formal certification, rather than claiming badges we don't yet hold.
- SOC 2 Type II: we operate to the Security, Availability, and Confidentiality trust-service criteria; formal Type II certification is on our roadmap. Our controls documentation is available under NDA today.
- HIPAA aligned: administrative, physical, and technical safeguards implemented to support clients operating under HIPAA. We will execute a Business Associate Agreement (BAA) where the engagement involves Protected Health Information.
- ISO 27001 mapped: our information security management system is mapped to ISO 27001:2022 controls, with certification planned for a future audit cycle.
- PCI DSS aware: we do not store, process, or transmit cardholder data ourselves. Payment processing is delegated to a PCI DSS Level 1 provider. Where a client engagement touches PCI scope, we work within the client's CDE boundaries and follow their requirements.
- GDPR and UK GDPR: we operate as a data processor under written client instructions, with a data processing addendum, Standard Contractual Clauses for international transfers, and a published Privacy Policy.
- CCPA / CPRA: we honour California consumer rights and do not sell or share personal data.
Data protection
Encryption in transit
All inbound and outbound traffic to xperion.ai and our internal systems uses TLS 1.2 or higher, with TLS 1.3 preferred. HSTS is enabled. Internal service-to-service traffic uses mutual TLS where supported.
Encryption at rest
Customer data and our own production data are encrypted at rest with AES-256, using cloud-provider managed keys backed by hardware security modules. Database backups and object storage inherit the same encryption.
Key management
Keys are rotated on a documented schedule. Access to key material is restricted to a small number of named operators, requires multi-factor authentication, and is logged. We do not store key material on developer laptops or in source code.
Data classification and handling
Data is classified as Public, Internal, Confidential, or Restricted. Restricted data (for example, customer secrets, source code, PII) is handled in approved systems only, never on personal devices or unsanctioned tools. AI tools used by our team are restricted to enterprise plans with logging and zero-retention training settings where available.
Access controls
- Single sign-on (SSO) with SAML/OIDC for every business system that supports it.
- Multi-factor authentication (MFA) required for all employee accounts, with phishing-resistant factors (hardware keys, platform passkeys) preferred over TOTP.
- Role-based access control (RBAC) with documented role definitions, mapped to the principle of least privilege.
- Just-in-time elevation for production access, with approval workflows and time-boxed grants.
- Quarterly access reviews on systems holding Confidential or Restricted data, with sign-off by data owners.
- Joiner-mover-leaver automation: provisioning and deprovisioning are triggered from the HR system of record, with same-day revocation on termination.
Network and infrastructure
Our infrastructure runs on hyperscale cloud providers with mature security baselines. Production environments are isolated from development and staging by separate accounts and network boundaries. Public endpoints sit behind a Web Application Firewall and a DDoS-protected edge. Internal services are not reachable from the public internet. Configuration drift is detected through infrastructure-as-code reviews and runtime posture management.
Application security
- Secure development lifecycle: threat modelling on new services, peer code review for every change, automated linting and security scanning in CI.
- Static and dependency scanning: SAST and SCA tools run on every pull request; high-severity findings block merge.
- Secrets management: no secrets in source control; secrets injected at runtime from a managed secret store.
- Branch protection: production branches require review, signed commits, and passing checks.
Vulnerability management
- Patching: critical vulnerabilities patched within 7 days, high within 14, medium within 30, measured from disclosure or vendor advisory.
- Penetration testing: independent third-party tests at least annually against external attack surface and client-facing applications, plus on significant architectural changes.
- Coordinated disclosure: a responsible disclosure channel at security@xperion.ai, with a 90-day disclosure window and safe harbour for good-faith research.
- Bug bounty: a private bug bounty programme is in operation; scope and rewards are shared with invited researchers.
Incident response
We maintain a written incident response plan with defined severities, escalation paths, and roles (incident commander, scribe, communications lead, customer liaison). Detection is fed by centralised logging, endpoint detection and response (EDR) on every managed device, and cloud-native threat detection.
- Notification: clients affected by a confirmed security incident involving their data are notified within 24 hours of confirmation, with a preliminary impact assessment.
- Containment and eradication: priorities are to stop ongoing harm, preserve evidence, and remove the cause.
- Post-incident review: a written root-cause analysis with corrective actions and timelines is produced for every Sev 1 and Sev 2 incident and shared with affected clients on request.
- Drills: tabletop exercises run at least twice a year against realistic scenarios.
Business continuity and disaster recovery
- Backups: production data backed up daily, encrypted, with backups stored in a separate region from the primary.
- Restoration testing: backup restores are tested quarterly to confirm recoverability.
- RTO and RPO targets: Recovery Time Objective of 4 hours and Recovery Point Objective of 1 hour for tier-1 services.
- Continuity plan: a documented business continuity plan covers personnel, suppliers, and infrastructure failures, reviewed annually.
Subprocessor governance
We use a small, deliberately chosen set of subprocessors to operate our business and deliver client work. Each is reviewed before onboarding for security posture, contractual protections, data residency, and incident notification commitments. The current subprocessor list, plus 30 days' notice of material changes, is available on request via security@xperion.ai for clients with an active engagement.
Employee security
- Background checks on hire, where permitted by local law.
- Confidentiality agreements signed before access to client systems.
- Security awareness training at hire and at least annually, with phishing simulations on a regular cadence.
- Managed endpoints: every device used for client work is enrolled in mobile device management, with full-disk encryption, EDR, and automatic patching enforced.
- Acceptable use policy: enforced policy governing the use of personal devices, public networks, and generative AI tools.
Physical security
We are a distributed company with no public-access offices holding client data. All client data resides in audited cloud facilities. Where private workspaces are used by our team, they require badge or key access and clean-desk practices for printed materials.
Logging and monitoring
Application, infrastructure, and identity logs are centralised in a tamper-evident log store with retention appropriate to each log class. Alerting rules are tuned to reduce noise without missing the signal. On-call engineers respond to security alerts on a 24x7 rota.
Client responsibilities
Security is shared. To get the benefit of the controls described here, we ask clients to:
- Designate an owner on their side for security decisions on the engagement.
- Provide credentials and access only through approved channels, never plain-text email or chat.
- Promptly notify us of personnel changes that affect access on the engagement.
- Notify us within 24 hours of any suspected incident involving shared systems or our personnel.
- Maintain their own backups and disaster recovery for systems we are not operating in full.
Reporting a security concern
If you believe you have found a vulnerability in our site or services, or if you have a security concern about an engagement, email security@xperion.ai. Encrypt sensitive material with our PGP key, available on request. We aim to acknowledge within 1 business day and to provide a substantive update within 5 business days.
Request the security review pack
For prospective or current clients running a vendor assessment, we will share the full security review pack, including our controls documentation, penetration test summary, network architecture, and policy documents, under a mutual NDA. Email security@xperion.ai with the name of your organisation and a short description of the engagement scope.