Security & Trust
How we protect customer data and the platform itself.
1. Overview
Exoserva is a multi-tenant SaaS platform. Every customer's data is isolated at the application layer (each PostgreSQL query is scoped to the requesting tenant's rows) and at the data layer (sensitive fields are encrypted under per-tenant keys). This page is the trust-posture summary; data-handling details are in our Privacy Policy, and the third parties that process customer data are listed on the Sub-processors page.
2. Encryption
- Encryption at rest: all customer data is stored on AWS-managed PostgreSQL with AES-256 storage encryption (RDS encryption at rest); object storage uses S3 server-side encryption. Database backups and snapshots inherit the same encryption envelope. Storage encryption protects against loss or exposure of the underlying volumes and snapshots; it does not by itself separate tenants from one another, which is what the per-tenant field encryption below is for.
- Encryption in transit: every HTTPS endpoint terminates at TLS 1.2 or higher with modern cipher suites; HTTP requests are unconditionally redirected to HTTPS. Internal service-to-service traffic between application and database uses TLS as well.
- Per-tenant key envelope: sensitive fields (API tokens, webhook secrets, recorded voice content) are envelope-encrypted under a per-tenant data key generated through AWS KMS and stored only in wrapped form, so compromise of one tenant's data key cannot expose other tenants' payloads.
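How the per-tenant envelope works, as an added illustration rather than Exoserva's own code: the Go program below stands an in-process key-encryption key in for AWS KMS (an assumption of the example; the platform's real KMS usage is not described on this page), mints a data key per tenant, keeps only the wrapped form, and encrypts one field with AES-256-GCM using the tenant id and column name as associated data. It then tries the three reads the scheme has to refuse: another tenant's data key, another tenant's id against the wrapped key, and the same blob read back as a different column. The tenant ids, column names, the `whsec_sample` value and function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; a wrong-length key is a programming error, so it panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or altered blob fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// kms is an in-process stand-in for AWS KMS (an assumption of this example); its KEK never leaves it.
type kms struct{ kek []byte }

// GenerateDataKey mints a per-tenant data key: plaintext for immediate use, plus a wrapped copy (the only stored form).
func (k *kms) GenerateDataKey(tenantID string) (plain, wrapped []byte) {
	plain = randBytes(32)
	return plain, seal(k.kek, plain, []byte("tenant:"+tenantID))
}

// Decrypt unwraps a stored data key; it fails unless tenantID matches the wrap.
func (k *kms) Decrypt(tenantID string, wrapped []byte) ([]byte, error) {
	return open(k.kek, wrapped, []byte("tenant:"+tenantID))
}

// EncryptField/DecryptField protect one column value under the tenant's data key, with
// tenant/field as AAD so a blob copied to another row or column fails instead of decrypting.
func EncryptField(dataKey []byte, tenantID, field string, value []byte) []byte {
	return seal(dataKey, value, []byte(tenantID+"/"+field))
}
func DecryptField(dataKey []byte, tenantID, field string, sealed []byte) ([]byte, error) {
	return open(dataKey, sealed, []byte(tenantID+"/"+field))
}

func opens(_ []byte, err error) bool { return err == nil } // did a decrypt attempt succeed?
// DemoResult records what Demo observes; every bool must come out false.
type DemoResult struct {
	Recovered     string // tenant A's secret read back via unwrap + DecryptField
	CrossKeyOK    bool   // tenant B's data key opened A's field
	CrossUnwrapOK bool   // A's wrapped key unwrapped under B's tenant id
	MovedColumnOK bool   // A's blob opened as a different column of A
}

// Demo provisions two tenants, stores a constructed webhook secret for tenant A, reads it
// back the way the service would, then tries the cross-boundary reads the scheme must refuse.
func Demo() (DemoResult, error) {
	k := &kms{kek: randBytes(32)}
	keyA, wrappedA := k.GenerateDataKey("tenant-a")
	keyB, _ := k.GenerateDataKey("tenant-b")
	sealed := EncryptField(keyA, "tenant-a", "webhook_secret", []byte("whsec_sample")) // constructed value
	unwrapped, err := k.Decrypt("tenant-a", wrappedA) // the service holds only wrappedA
	if err != nil {
		return DemoResult{}, err
	}
	got, err := DecryptField(unwrapped, "tenant-a", "webhook_secret", sealed)
	return DemoResult{
		Recovered:     string(got),
		CrossKeyOK:    opens(DecryptField(keyB, "tenant-a", "webhook_secret", sealed)),
		CrossUnwrapOK: opens(k.Decrypt("tenant-b", wrappedA)),
		MovedColumnOK: opens(DecryptField(unwrapped, "tenant-a", "api_token", sealed)),
	}, err
}

func main() { fmt.Println(Demo()) }
```

The associated data is the part the bullet above does not spell out: with a per-tenant key alone, a blob moved between two columns of the same tenant would still decrypt; binding the tenant id and column name as AAD makes that a failed authentication tag rather than a silent misread. Against a real KMS the plaintext data key returned by GenerateDataKey should be used and dropped in the same request, with only the wrapped copy persisted next to the row.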
3. Authentication & Access
- Passwords: Argon2id hashing with per-account salts; minimum 12 characters; common-password blocklist on signup and reset. Plaintext passwords are never stored or logged.
- Two-factor authentication (2FA): TOTP-based MFA is available to every account from Settings → Security; enterprise tenants may require 2FA for all members.
- Role-based access control: each tenant defines roles with scoped permissions. Tenant isolation is enforced centrally on every query rather than by per-endpoint checks, so no individual feature can opt out of it.
- Single Sign-On (SSO): SAML 2.0 SSO is available on the Enterprise tier.
4. Data Residency
Customer data is processed and stored in the United States (AWS us-west-2 primary; us-east-1 disaster-recovery). Data residency outside the US for regulated tenants is available on the Enterprise tier on request. The full list of vendors with whom customer data is shared, along with their jurisdictions, is on the Sub-processors page.
5. Incident Response
Security incidents are triaged within one hour during business hours and within four hours outside them. A confirmed incident involving customer data triggers written notification to affected tenants within 72 hours of confirmation, on the 72-hour timeline of GDPR Article 33. The breach-notification procedure is summarised in Privacy Policy §11 and applies regardless of tenant jurisdiction.
6. Vulnerability Disclosure
If you believe you have found a security vulnerability, please report it to security@exoserva.com. We will acknowledge within two business days and aim to communicate a remediation timeline within seven days for high-severity reports. Good-faith research is welcome; do not access data beyond what is necessary to demonstrate the issue.
7. Compliance Roadmap
The platform's controls are designed to map to SOC 2 Type II, ISO 27001, and the requirements of a HIPAA Business Associate. No attestation is claimed for a framework until its audit is complete; audit reports and customer-facing attestations are published on this page as each framework is completed.