Enterprise-Grade Security. No Compromises.
Xovron protects your financial documents and sensitive data with world-class security protocols, trusted by businesses in 100+ countries.
Our Core Security Commitments
AES-256-GCM Encryption
All your data, both in transit and at rest, is secured with industry-leading AES-256-GCM encryption standards.
Isolated Storage Buckets
Each workspace operates with its own dedicated MinIO storage bucket, ensuring zero shared storage between clients.
Zero-Knowledge Architecture
Your sensitive financial data is processed without Xovron or Joorus Inc. having access to the raw content.
GDPR + PIPEDA + UK GDPR
We are fully compliant with major global data privacy regulations, safeguarding your personal information.
SOC-Ready Infrastructure
Our systems are built with security best practices, ready for SOC 2 Type II auditing and compliance.
Two-Factor Authentication
Enhance account security with flexible 2FA options, including email One-Time Passcodes and TOTP apps.
How Xovron Protects Your Data
Data in Transit
Secured with TLS 1.3 encryption, ensuring secure communication between your browser and our servers.
Data at Rest
Protected with AES-256-GCM encryption, safeguarding all stored financial documents and metadata.
Isolated Workspaces
Each customer workspace has its own dedicated MinIO storage bucket, preventing data co-mingling.
Database Security
PostgreSQL Row-Level Security (RLS) is enforced for all database queries, ensuring data access is strictly limited to authorized users.
Audit Trails
A comprehensive audit trail logs all significant activities, providing transparency and accountability for data access and modifications.
Global Compliance & Privacy
Xovron, developed by Joorus Inc., is committed to adhering to the highest standards of data protection and privacy regulations worldwide.
GDPR
General Data Protection Regulation — full data subject rights, data portability, and right to erasure.
PIPEDA
Personal Information Protection and Electronic Documents Act — lawful purpose, accountability, and consent.
UK GDPR
UK General Data Protection Regulation — same GDPR rights, UK-specific data controller obligations.
SOC-Ready
Infrastructure built to SOC 2 Type II standards — availability, confidentiality, and processing integrity.
Robust Access Controls
Secure Authentication
- Email One-Time Passcodes (OTP) for frictionless, secure login.
- Time-based One-Time Password (TOTP) for enhanced Two-Factor Authentication.
- Comprehensive session management to monitor and control active sessions.
Role-Based Access Control (RBAC)
Grant users only the necessary permissions with granular Role-Based Access Control. Define roles and assign specific privileges to ensure that sensitive financial data is accessed only by authorized personnel within your organization.
Your Data, Your Control
We empower you with full control over your data lifecycle, from creation to deletion.
Data Retention & Deletion
Upon account closure, all customer data is securely purged from our systems within 90 days, ensuring no residual data remains.
Data Exportability
You can export all your financial data at any time through your Xovron Settings → Data section, giving you complete portability.
Responsible Disclosure
At Xovron, security is a shared responsibility. We encourage security researchers to report any vulnerabilities found in our systems. Please direct all security concerns to:
(Please do not send support requests to this address. Use the in-app chat for customer support.)
Trust & Compliance
Transparency about our infrastructure, sub-processors, and security commitments.
Sub-processors
Services that process your data on our behalf. We notify customers 30 days before adding any new sub-processor.
| Provider | Purpose | Region | Data accessed |
|---|---|---|---|
| Tier-1 AI provider | AI document extraction | US | Document content (encrypted in transit) |
| Stripe | Payment processing | US/EU | Billing email, last 4 of card |
| Cloudflare | CDN + DDoS protection | Global | IP, request metadata |
| | Email delivery (Workspace) | US | Recipient email, message body |
| Postmark | Transactional email backup | US | Recipient email, message body |
| Tier-1 EU/NA cloud | Hosting infrastructure | Multiple | All app + DB data |
Sub-processors
We rely on the following sub-processors to deliver our service. All process data under appropriate DPAs. Last updated: May 2026.
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Hetzner Online GmbH | VPS hosting (databases, app, worker) | Germany (EU) | All platform data |
| Anthropic, PBC | AI document extraction (Claude API) | USA | Invoice/receipt images (transient, not stored by Anthropic) |
| Stripe, Inc. | Subscription billing | USA | Business email, plan, billing country |
| Redis Ltd. | Session store, queue (self-hosted on Hetzner) | Germany (EU) | Session tokens, job IDs |
| MinIO (self-hosted) | Document storage | Germany (EU) | Uploaded financial documents |
| PostHog, Inc. | Product analytics | EU cloud | Anonymised usage events (no PII) |
| SMTP relay (self-hosted) | Transactional email | Germany (EU) | Email address, notification content |
Vulnerability Disclosure Policy
We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in Xovron, please email [email protected] with details. We aim to respond within 48 hours and to resolve confirmed critical issues within 7 days.
- Please do not publicly disclose until we have had 90 days to remediate.
- Do not access or modify data belonging to other users.
- Do not perform denial-of-service testing.
- Automated scanners used without permission will be blocked.
Researchers who responsibly disclose valid findings are acknowledged in our hall of fame. Our machine-readable disclosure policy is at /.well-known/security.txt.
Request a DPA or BAA
Enterprise customers and regulated industries (healthcare, finance, legal) can request a Data Processing Agreement (DPA) or Business Associate Agreement (BAA). Email us with your company name and jurisdiction and we will respond within 2 business days.
DPA template (GDPR Article 28 compliant) available on request. SOC 2 Type II in progress — report available under NDA.
Security Acknowledgments
No researchers to acknowledge yet. Be the first — see our disclosure policy above.
Ready to Experience Secure Financial Automation?
Join thousands of businesses worldwide who trust Xovron and Xova AI to handle their financial operations with unparalleled security.