// compliance

Security you can verify.

SOC 2, GDPR, CCPA, and ISO 27001 posture below. Where we are attested, we say so. Where we are aligned but not certified, we say that too. Where the attestation is planned, we name the gap.

Certifications and Standards

SOC 2 Type II

Xerotier.ai operates inside colocation facilities that hold their own SOC 2 Type II attestations covering the security, availability, and confidentiality Trust Services Criteria for the physical environment. Xerotier.ai's own SOC 2 attestation is in progress; the report is not yet issued.

Scope: physical environment (attested by the colo provider). Application-layer SOC 2 attestation is in progress; the report is expected in fiscal year 2026.

Planned

GDPR

Aligned with the General Data Protection Regulation. The platform implements data-subject controls including right-to-erasure, data export for portability, and anonymization. Contact contact@xerotier.ai to request a Data Processing Agreement.

Aligned

CCPA

Consumer rights for California residents are honored through the same data-subject controls used to satisfy GDPR (access, deletion, and portability). A dedicated CCPA "Do Not Sell or Share" workflow is planned; in the meantime requests sent to contact@xerotier.ai are honored within thirty days.

Aligned

ISO 27001

Our information security management system is designed to align with the ISO 27001 control families. Formal ISO 27001 certification is planned and not yet issued.

Planned

Security Practices

Trust and Safety

Copyright

We respond to DMCA notices and terminate repeat infringers. See /dmca for our designated agent and the notice and counter-notice process.

Sanctions and Export

Use of the service is subject to US sanctions and export-control law. Denied-party and sanctioned-destination screening of accounts, payments, and model uploads can be activated per deployment; the control floor ships in every release.

Data Residency

Xerotier.ai allows you to choose where your data is stored by giving you full access to Xerotier Inference Microservice (XIM) nodes. Shared services are operated in the United States.

Enterprise customers can request XIM infrastructure with custom data residency requirements.

Data Processing Agreement

We provide a Data Processing Agreement (DPA) for customers who need to comply with GDPR and other data protection regulations. Contact contact@xerotier.ai to request a DPA; we respond within five business days.

Reporting Security Issues

If you discover a security vulnerability, report it to contact@xerotier.ai. We acknowledge responsible disclosure within one business day and aim to triage within five. A coordinated-disclosure window is negotiated per report.

Automated scanners and security researchers can fetch the machine-readable disclosure metadata at /.well-known/security.txt (RFC 9116).