Security & Compliance

Encryption, residency, audit posture, and how to request compliance artifacts.

Threat model

Xcity defends against three primary threats:

Credential theft from sub-products — mitigated by never sharing Stripe/GoTrue/LiteLLM secrets with sub-products. The worst-case compromise yields short-lived inference keys, not the user’s account.
Inference key abuse — mitigated by plan whitelists and per-request budget envelopes enforced at the gateway. A leaked key can’t drain a month’s budget in a single call and can’t access models outside the plan.
Webhook impersonation — mitigated by HMAC signature checks on every Stripe event.

Encryption

Layer	At rest	In transit
GoTrue Postgres	AES-256 (Railway managed)	TLS 1.3
LiteLLM Postgres	AES-256 (Railway managed)	TLS 1.3
Stripe data	(managed by Stripe — PCI-DSS Level 1)	TLS 1.3
Object storage (audit)	AES-256-GCM	TLS 1.3
Cloudflare Pages	(managed by Cloudflare)	TLS 1.3

Data residency

Domain	Region	Notes
Identity (GoTrue)	San Juan, AR (primary)	DR mirror in EU
Inference logs (LiteLLM)	San Juan, AR	DR mirror in EU
Billing (Stripe)	US (Stripe-managed)	Required by PCI scope
Audit object storage	San Juan + EU mirror	Customer-pinnable on Enterprise

Enterprise customers may pin a single region — see Enterprise: Data Residency.

Audit log

Every privileged action (key rotation, plan override, admin login) is recorded with: actor, timestamp, source IP, action, target, result. Retained 365 days. Enterprise customers can request an export via their account team.

Compliance posture

Standard	Status
SOC 2 Type II	Q4 2026 target
GDPR	DPA available — see DPA
HIPAA	Roadmap; contact for BAA discussion
ISO 27001	Q1 2027 target

Vulnerability reporting

Email security@xcity.one. We aim for first-response within 24h, fix or mitigation within 30 days for critical issues. We do not currently run a public bounty program.

Subprocessors

Listed at /legal. Updated within 30 days of any change.

Last updated: May 15, 2026