Legal
Security
Working version - last reviewed 2026-06-03
Hosting: Supabase Postgres in EU (Ireland). Vercel edge + serverless functions, EU + US regions per route. All web traffic over TLS 1.2+ with HSTS.
Tenant isolation: every tenant-scoped table carries Row Level Security (RLS) policies that enforce a tenant_id match. Service-role admin queries additionally cross-check tenant scope at the application layer (defence in depth). No cross-tenant data leakage has been found in any audit so far.
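The tenant_id-scoped RLS pattern described above, as a constructed example against a Supabase Postgres project; this is not EXO's own schema or migrations, and it assumes a single tenant-scoped table named briefs and that the tenant id travels in the JWT under app_metadata.tenant_id.

```sql
-- Constructed example, not EXO's own schema or migrations. Assumes one
-- tenant-scoped table (briefs) and that the signed-in user's tenant id is
-- carried in the JWT under app_metadata.tenant_id (an assumption).

-- Read the tenant id from the JWT claims that Supabase exposes via auth.jwt().
create or replace function current_tenant_id()
returns uuid language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

create table if not exists briefs (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  title     text not null
);

-- Constructed seed rows for two tenants (inserted before RLS is switched on).
insert into briefs (tenant_id, title) values
  ('00000000-0000-0000-0000-00000000000a', 'tenant A brief'),
  ('00000000-0000-0000-0000-00000000000b', 'tenant B brief');

-- Enable RLS and force it for the table owner too: with no matching policy
-- the default is deny, not allow.
alter table briefs enable row level security;
alter table briefs force row level security;

-- One policy covers read and write. USING filters what the caller can see;
-- WITH CHECK rejects an insert/update that would move a row to another tenant.
create policy tenant_isolation on briefs
  for all to authenticated
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Self-check: impersonate an authenticated user carrying tenant A's claim and
-- query the table; the policy filters out tenant B's row. service_role bypasses
-- RLS, which is why admin queries need the application-layer tenant check too.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"app_metadata":{"tenant_id":"00000000-0000-0000-0000-00000000000a"}}';
  select tenant_id, title from briefs;
rollback;
```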
Authentication: Supabase Auth with JWT validation on every server request. Magic-link sign-in by default. Public magic-link share tokens (brief flow) carry per-token expiry + revocation (mig 0225).
Integration tokens: OAuth tokens for Meta, Google, TikTok, Klaviyo, Shopify stored encrypted at rest with per-tenant scope. Refresh tokens rotated automatically; revocation propagates within 60 seconds.
Model providers: Anthropic + OpenAI requests use zero-retention API paths - prompts and outputs are not retained by the provider for training. We rate-limit per-tenant by plan tier and cap by daily spend.
Backups: Supabase point-in-time recovery (7 days) + daily encrypted snapshots (30-day retention). Tested quarterly.
Compliance: GDPR-compliant by design (EU-only hosting, lawful basis = contract, full data-subject rights). SOC 2 Type I in progress (target: post first paid pilots). Source-code escrow available on Enterprise tier.
Incident response: 24-hour notification to affected tenants for any confirmed data breach. Status page at /status for ongoing platform health.
Report a vulnerability: please email security@exo-ai.ai with reproduction steps. We respond within 48 hours and credit disclosers in release notes (with consent).
The full legal document lands when EXO Ltd incorporates. The summary above describes how we actually operate today.
Questions, data-subject requests, or enterprise-specific addendums: hello@exo-ai.ai