Security & Trust
XFACTOR VERIFIED protects sensitive supply-chain and regulatory information on behalf of our clients. This page summarizes how we keep that information safe and where we stand on formal certification. We would rather show you exactly where we are than overstate it — that is the standard we hold our clients' suppliers to, and the one we hold ourselves to.
SOC 2 — Where We Stand
XFACTOR VERIFIED does not yet hold a completed SOC 2 attestation. A SOC 2 report is an independent audit conducted over a 6–12 month observation window, and as a young company we are early in that journey. We are transparent about this by design.
What we have done is build the platform to the SOC 2 Trust Services Criteria from day one — so the controls an auditor tests are already in place and operating. Security and compliance attestation is our core domain: XFACTOR TRUSTED helps clients reach SOC 2, ISO 27001, GDPR, and PIPEDA readiness, and we hold our own platform to that same standard. A formal SOC 2 audit is on our near-term roadmap, and existing clients will be the first to receive the report.
How We Protect Your Data
Encryption
All data is encrypted in transit (TLS) and at rest (AES-256). Connections are served exclusively over HTTPS.
Authentication & Access
Client accounts are protected by two-factor authentication, and repeated failed sign-in attempts trigger an automatic account lock with owner notification. Access follows the principle of least privilege — every user, and every part of the system, is granted only the access it needs.
Data Isolation
The platform enforces strict tenant isolation: one client's data is never accessible to another. Isolation is enforced at multiple layers of the system, and the browser is never granted direct access to the database — every request is checked and scoped on our servers before any data is returned.
Infrastructure
XFACTOR VERIFIED runs on enterprise-grade infrastructure (Vercel and Supabase) with managed edge protection, automatic certificate management, and continuously patched, monitored database systems.
Sub-Processors
We work with a small number of trusted service providers. Sensitive supplier data resides only in our primary database; the only information shared with our email provider is the recipient address required to deliver a message.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication & file storage | United States |
| Vercel | Application hosting & global edge / CDN | Global edge |
| Resend | Transactional email (sign-in codes, notifications) | United States |
| Anthropic | AI inference (Morpheus guidance assistant) | United States |
| Fish Audio | Text-to-speech (Morpheus voice) | United States |
Privacy & Compliance
Our full Privacy Policy documents how we collect, use, and protect personal information in alignment with PIPEDA (Canada) and the GDPR (EU). For client engagements, XFACTOR operates as a data processor, handling supplier data under the client's direction. A Data Processing Agreement (DPA) is available on request as part of enterprise onboarding.
Control Snapshot
| Control area | Status |
|---|---|
| Two-factor authentication & secure session management | In place |
| Least privilege & tenant data isolation | In place |
| Encryption in transit & at rest | In place |
| Reviewed change-management & deployment pipeline | In place |
| Published Privacy Policy (PIPEDA / GDPR) | In place |
| Data Processing Agreement & data-retention policy | On roadmap |
| Independent SOC 2 Type II audit | On roadmap |
Working With Your Security Team
We are glad to complete your security questionnaire, walk your team through any control above, and execute a DPA for your engagement. To request our detailed Security & Trust Overview, or to report a security concern, contact customercare@xfactorverified.com.
Last updated June 22, 2026 · XFACTOR COMMAND