TLS 1.2+
All traffic between your browser, the XP One app, and our APIs is encrypted with TLS 1.2 or higher. TLS 1.3 preferred. HSTS enabled. Strict transport security policy enforced at the Cloudflare edge.
XP One is built for enterprise-grade security. EU data residency by default. TLS 1.2+ in transit. AES-256 at rest. GDPR-compliant from day one. SOC 2 Type II audit in progress for Q3 2026. Full transparency on sub-processors, encryption, and disclosure policy below.
EU-hosted by default. Custom regional setups available on enterprise plans.
| Tier | Default region | Provider | Optional region |
|---|---|---|---|
| Solo | EU (Frankfurt) | AWS eu-central-1 | — |
| Growth | EU (Frankfurt) | AWS eu-central-1 | — |
| Scale | EU (Frankfurt) | AWS eu-central-1 | US (N. Virginia) — AWS us-east-1, on request |
All customer data — leads, sequences, conversations, integrations, billing — is stored on EU-hosted infrastructure by design. Formal EU data-residency certification (AWS Frankfurt) is planned for Q3 2026.
All customer data at rest — databases, file storage, backups, logs — is encrypted with AES-256. Encryption keys are managed by AWS KMS with automatic rotation. Keys never leave the EU residency region.
OAuth tokens, LinkedIn cookies, SMTP credentials, and integration API keys are encrypted with a per-tenant data key, wrapped by a master key in AWS KMS. Credentials are never logged, never displayed, never accessible to XP One staff in plaintext.
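Envelope encryption of the kind described above (a per-tenant data key wrapped by a master key, with only the wrapped key and ciphertext ever stored), as an added example and not XP One's own code. It assumes a master key held in process memory as a stand-in for AWS KMS; the function names, tenant id and sample secret are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is an AES-256 key. Demo assumption: masterKey sits in process memory in place of AWS KMS.
type Key [32]byte

func aead(key Key) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)      // cannot fail for AES's 16-byte block
	return g
}

// seal returns nonce||ciphertext with aad authenticated but not encrypted;
// open reverses it and fails on tampering, a wrong key, or a mismatched aad.
func seal(key Key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+ docs)
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key Key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptCredential mints a fresh DEK, encrypts the secret under it and wraps the DEK under
// masterKey (the KMS Encrypt call in production); only the two returned blobs are stored.
// tenantID is bound as AAD on both layers, so a blob copied into another tenant's row fails.
func EncryptCredential(masterKey Key, tenantID string, secret []byte) (wrappedDEK, ciphertext []byte) {
	var dek Key
	rand.Read(dek[:])
	return seal(masterKey, dek[:], []byte(tenantID)), seal(dek, secret, []byte(tenantID))
}

// DecryptCredential unwraps the DEK (the KMS Decrypt call in production), then opens the secret.
func DecryptCredential(masterKey Key, tenantID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	raw, err := open(masterKey, wrappedDEK, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	var dek Key
	copy(dek[:], raw) // exactly 32 bytes: GCM authenticated what we wrapped
	return open(dek, ciphertext, []byte(tenantID))
}
```

In a real deployment the two seal/open calls on the master key become KMS Encrypt/Decrypt requests, so the master key never enters the application process and every unwrap leaves a KMS audit record.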
Honest, current, no overclaiming.
| Standard | Status | Notes |
|---|---|---|
| GDPR (EU 2016/679) | ✓ Compliant | Compliant from day one. EU data residency. DPA available on request. |
| CCPA (California) | ✓ Compliant | Right to access, delete, opt-out of sale honored. We do not sell personal data. |
| SOC 2 Type II | In progress | Audit window opened Q1 2026. Type II report targeted for Q3 2026. Type I letter available on request. |
| ISO 27001 | On roadmap | Roadmap item for 2027. Not yet certified. Do not represent us as ISO 27001 certified. |
| HIPAA | Not supported | XP One is not a HIPAA-eligible product. Do not process PHI through XP One. |
| UK Data Protection Act 2018 | ✓ Compliant | Compliant. LeadsMind AI LTD is registered in the UK. |
Full transparency. Every sub-processor, what they do, where they sit.
| Sub-processor | Purpose | Data processed | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting, database, storage, KMS | All customer data | EU Frankfurt (default) |
| Cloudflare | CDN, edge security, DDoS protection | HTTP request metadata, IP addresses | Global edge · EU/US routing |
| Stripe | Billing, subscriptions, tax | Customer name, email, billing address, card data (Stripe-hosted) | EU (Ireland) · US |
| Postmark | Transactional email (signup, password reset, invoices) | Customer email, transactional content | US (with EU options on request) |
| OpenAI | LLM inference for AI agent features (drafting, classification) | Sequence content, reply content — opt-out available on request | US · zero data retention agreement |
We notify customers in advance of any new sub-processor via email and changelog. Customers may object to new sub-processors before they go live. The full, current sub-processor list is available on request.
Email/password for everyone. SSO/SAML for enterprise.
Passwords are hashed with bcrypt (cost factor 12). Minimum 10 characters. Common-password rejection. Rate-limited login. Email-based recovery only.
TOTP-based 2FA (Google Authenticator, 1Password, Authy) available on all tiers. Recommended for all admin accounts. Enforced at account-owner discretion.
SAML 2.0 single sign-on for Okta, Azure AD, Google Workspace, JumpCloud. SCIM provisioning supported. Just-in-time user creation. Available on Growth tier.
Found a security issue? Tell us first. We'll respond within 48 hours.
Report vulnerabilities directly to [email protected]. Include a clear description, steps to reproduce, and impact. PGP key available on request.
We acknowledge receipt within 48 hours. We will not pursue legal action against researchers acting in good faith. We will credit you in a public disclosure (or keep you anonymous, your choice).
We ask researchers to wait up to 90 days from the date of report before any public disclosure, to allow us time to ship a fix and notify affected customers.
Social engineering, physical attacks, DDoS, attacks on third-party services we don't operate, and reports requiring a rooted/jailbroken device are out of scope.
A GDPR-compliant DPA is available on request. Standard Contractual Clauses (SCCs) included for international transfers. Counter-signature within 5 business days. Email [email protected].
We complete SIG, CAIQ, and custom security questionnaires for Scale-tier customers. Turnaround: 5 business days for standard questionnaires, 10 days for custom. Email [email protected].
The current sub-processor list is published on this page. Customers may subscribe to advance email notifications of any change. Scale-tier customers have a 30-day objection window.
XP One does not yet run a paid bug bounty. A public program with HackerOne is planned for the second half of 2026, contingent on SOC 2 Type II completion. Until then, responsible disclosure is rewarded with public credit and XP One swag.
A real-time status page at status.xp-one.io is being built. It will publish uptime, incident history, scheduled maintenance, and sub-processor health. Subscribe via email or RSS once live.
For security reports, DPA requests, sub-processor questions, and procurement reviews.
Data protection: [email protected] · Privacy policy: /legal/privacy · DPA: /legal/dpa