Security & Trust
Last updated: June 5, 2026
XCreos handles sensitive financial and property data — rent rolls, T-12 statements, offering memoranda, and deal models. This page summarizes the practices that protect that data. For a security review or vendor questionnaire, contact security@xcreos.io.
Authentication & access
Sign-in, passwords, multi-factor authentication, and session management are handled by Clerk, a dedicated identity provider. Access is scoped to your organization, and administrative capabilities are gated behind explicit platform-admin roles.
Tenant data isolation
XCreos is multi-tenant. Every record is scoped to the organization that owns it, and data-access paths enforce that boundary so one customer's deals, documents, and analyses are never visible to another.
Encryption
All traffic is served over HTTPS with HTTP Strict Transport Security. Data at rest is encrypted by our managed database and object-storage providers.
Infrastructure & hosting
The application runs on Vercel; the PostgreSQL database and document storage run on Microsoft Azure. We rely on these providers' physical and network security controls.
Backups & recovery
The production database uses automated backups with point-in-time recovery, so data can be restored to a recent moment if needed.
Application hardening
The application sets modern security response headers — including HSTS, MIME-sniffing protection, clickjacking protection, and a Content Security Policy — validates input at trust boundaries, and applies rate limiting and abuse protection to sensitive and resource-intensive endpoints.
Secrets management
Credentials and API keys are stored in a managed secrets vault (Azure Key Vault) and injected at deploy time. Secrets are never committed to source control.
Your documents & privacy
Documents you upload are processed to produce your analyses and are retained as part of your workspace. We minimize personal information in operational telemetry — tenant-level identifiers from rent rolls and similar files are redacted before any error or diagnostic data leaves the application. See our Privacy Policy for details.
Subprocessors
We use a small set of vendors to operate the platform: Clerk (authentication), Vercel (application hosting), Microsoft Azure (database and document storage), Anthropic (AI-assisted document extraction), and Sentry (error monitoring, with personal identifiers redacted before transmission). This list may change as the platform evolves; material changes will be reflected here.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@xcreos.io. A machine-readable contact is also published at /.well-known/security.txt. We appreciate good-faith reports and will work with you to confirm and address valid issues.
Compliance
XCreos is not yet SOC 2 certified. We follow the practices described on this page and are glad to discuss our controls, complete security questionnaires, and sign appropriate agreements for enterprise customers. Reach us at security@xcreos.io.