Encryption in transit

All traffic between your browser and our servers is encrypted via TLS 1.2+. We enforce HTTPS on every endpoint.

TLS 1.2+

Encryption at rest

Your data is stored in a managed PostgreSQL database (Neon) with encryption at rest enabled by default on all storage volumes.

AES-256

Access controls

Production systems are accessible only to core team members via MFA-protected accounts. No shared passwords, no standing root access.

MFA enforced

Dependency monitoring

We use automated dependency scanning to catch known vulnerabilities in third-party packages before they reach production.

Automated scanning

Incident response

If a security incident occurs that affects your data, we will notify you within 72 hours with a description of what happened and what we've done about it.

72-hour notification

Responsible disclosure

Found a vulnerability? Email us at contact@xenorylabs.com with details. We will acknowledge within 48 hours and work to resolve it promptly.

We respond in 48h

Infrastructure

Our website and APIs are hosted on Vercel's managed edge infrastructure. Our database runs on Neon's managed PostgreSQL service. Both providers maintain SOC 2 Type II certification and handle physical security, network isolation, and redundancy at the infrastructure level.

Authentication

Passwords stored in our system are hashed using bcrypt with an appropriate cost factor — plaintext passwords are never stored. Admin accounts require a strong password policy. Sessions are managed via signed JWT tokens with short expiry windows.

Data minimisation

We collect only the data needed to deliver our service. We do not aggregate, profile, or sell personal data. Contact and audit form data is retained for up to 24 months and then deleted. See our Privacy Policy for the full picture.

Third-party services

We use a small, audited set of third-party services. Each is selected partly on the basis of its own security posture:

  • Vercel — edge hosting, SOC 2 Type II certified
  • Neon — managed PostgreSQL, SOC 2 Type II certified
  • Resend — transactional email, GDPR compliant
  • Vercel Blob — file storage with signed URLs and access controls

What we don't claim

We are a small team, not an enterprise security operation. We do not hold ISO 27001 certification or run a formal SOC programme. We apply good engineering practices diligently — and we're transparent about the level we operate at.

Report a vulnerability

If you believe you've found a security issue in our site or infrastructure, please email contact@xenorylabs.com with as much detail as possible. We ask that you give us a reasonable window to investigate and fix before any public disclosure. We appreciate responsible researchers and will credit you if you'd like.

Xenory Labs · contact@xenorylabs.com · Security page last reviewed June 2026.