Security isn't a feature. It's the product.
200+ brand credentials live in xuly.io. We designed every layer assuming someone is trying to steal them.
All brand credentials are encrypted at rest via Supabase Vault (pgsodium). TLS 1.3 in transit. Never logged.
Every user query is scoped by org_id via Postgres RLS. One misconfigured policy cannot leak cross-tenant data.
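As an added illustration of the org-scoped RLS model described above (this is example code, not xuly.io's own schema or policy; the table name, column names and the app.current_org_id setting are assumptions), here is the shape such a policy takes in Postgres:

```sql
-- Illustrative org-scoped Row Level Security policy. Not xuly.io's schema:
-- the table, its columns and the app.current_org_id setting are assumptions.

create table brand_credentials (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  brand      text not null,
  secret_ref uuid not null  -- reference to the encrypted secret, never the secret itself
);

-- Enable RLS and force it for the table owner as well, so a query that
-- forgets the org filter returns nothing instead of every tenant's rows.
alter table brand_credentials enable row level security;
alter table brand_credentials force row level security;

-- The application pins the tenant for the current transaction before each
-- request (third argument true = setting is local to this transaction):
--   select set_config('app.current_org_id', '<org uuid>', true);
create policy org_isolation on brand_credentials
  for all
  using      (org_id = current_setting('app.current_org_id', true)::uuid)
  with check (org_id = current_setting('app.current_org_id', true)::uuid);

-- Fail-closed check: with no org pinned, current_setting(..., true) yields
-- NULL, the comparison is NULL, and the policy hides every row.
select count(*) from brand_credentials;  -- 0 when app.current_org_id is unset
```

Two details make this fail closed rather than open: with RLS enabled, a table that has no matching policy returns no rows at all, and `force row level security` stops the owner role from silently bypassing the filter. The policy only binds to roles without the BYPASSRLS attribute, so the application must connect as an ordinary role, never as a superuser.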
TOTP apps and WebAuthn passkeys. Mandatory on Business and Enterprise. SSO (SAML) on Enterprise.
Scoped keys, optional IP allowlists, per-key rate limits, one-click revocation, last-use tracking.
Default region is eu-central-1 (Frankfurt). US region available on request. GDPR data exports on demand.
SOC 2 Type II in progress. PCI scope minimised (Stripe handles all cards). DPA signed for every paid org.
Compliance & certifications
- SOC 2 Type II: In progress
- GDPR (EU 2016/679): Compliant
- CCPA: Compliant
- PCI-DSS SAQ-A: Compliant
Responsible disclosure
Found a vulnerability? Email security@xuly.io. We reply within 24 hours and reward valid reports via our bug bounty.
- Safe-harbour for good-faith research
- PGP key available
- Rewards up to €5,000 for critical issues