
Security & Compliance

The Algorithm of Trust.™
Built into every layer.

X.R.A.Y. is built for veteran-owned businesses operating in regulated industries — GovCon, healthcare, finance, and federal contracting. Security is not an add-on. It is the foundation.

AWS us-east-1 · AES-256 · TLS 1.3 · WCAG 2.2 AA · ARCEB Chain · RLS Enforced

Certifications & Compliance

SOC 2 Type I

In Progress · Aug 2026

Trust Services Criteria — Security, Availability, Confidentiality. Audit partner engaged. Evidence collection active via ARCEB chain. Type II audit follows.

FedRAMP Moderate

Roadmap · 2027

AWS GovCloud us-gov-west-1 infrastructure path. Required for federal agencies and prime contractors on CMMC Level 3+ programs.

CMMC Level 2

Roadmap · 2027

Cybersecurity Maturity Model Certification. Required for DoD subcontractors handling CUI. GovCon zone includes CMMC gap analysis.

WCAG 2.2 AA

Live

All platform interfaces meet Web Content Accessibility Guidelines 2.2 Level AA. Minimum 8.5:1 contrast ratios. Screen reader tested.

GDPR Compliant

Live

European data subject rights enforced. Data residency options available. DPA available on request via info@25xray.ai.

CCPA Compliant

Live

California Consumer Privacy Act rights enforced. Opt-out of sale. Data deletion within 30 days of request.

Infrastructure Stack

Cloud provider: AWS Commercial — us-east-1 (N. Virginia)
Compute: ECS Fargate — serverless container execution
Database: Amazon RDS PostgreSQL — Multi-AZ, automated backups
Storage: Amazon S3 — server-side AES-256 encryption
Encryption at rest: AES-256 — all data stores
Encryption in transit: TLS 1.3 enforced — all API and browser connections
Auth provider: WorkOS — SOC 2 Type II certified
Payment processor: Stripe — PCI DSS Level 1 certified
Secrets management: AWS Secrets Manager — zero plaintext credentials
Audit trail: ARCEB chain — immutable, signed, tamper-evident
Vulnerability scanning: Continuous — integrated into CI/CD pipeline
Penetration testing: Annual third-party assessment

Security Policies

Row-Level Security

Every tenant table enforces PostgreSQL RLS. No cross-tenant data leakage is architecturally possible. Audited on every release.
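The per-tenant isolation described above, as an added PostgreSQL example. This is not X.R.A.Y.'s schema: the documents table, the app_user role and the app.tenant_id session setting are assumptions chosen to show the pattern and the release check that goes with it.

```sql
-- Added illustration, not X.R.A.Y.'s schema: per-tenant row-level security
-- on a hypothetical "documents" table, scoped by a session setting.
CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- ENABLE alone still lets the table owner read every row; FORCE closes that gap.
-- Superusers and roles created with BYPASSRLS bypass policies regardless.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- app.tenant_id is a custom setting the application sets per transaction.
-- NULLIF turns an unset or empty value into NULL, so the policy fails closed
-- (zero rows match) instead of erroring or matching everything.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that is neither the owner nor BYPASSRLS.
-- (The role running SET ROLE below must be a member of app_user.)
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- Constructed sample data for two tenants, inserted as the owner.
INSERT INTO documents (tenant_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant A contract'),
    ('22222222-2222-2222-2222-222222222222', 'tenant B contract');

-- Per-request pattern: set the tenant inside the transaction, then query.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT title FROM documents;                      -- only "tenant A contract"
-- Writing a row tagged with another tenant is rejected by WITH CHECK:
-- INSERT INTO documents (tenant_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
COMMIT;

-- Release check: with no tenant set at all, the app role must see nothing.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM documents;                   -- 0
COMMIT;
```

The two things a release audit should assert are visible in the block: FORCE ROW LEVEL SECURITY is on (otherwise the owning role reads across tenants), and the application role is neither a superuser nor BYPASSRLS. The final transaction is the fail-closed test: a request that forgets to set the tenant gets an empty result, not every tenant's rows.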

Zero Plaintext Secrets

No credentials, API keys, or tokens exist in code or environment files. All secrets managed via AWS Secrets Manager and injected at runtime.

Immutable Audit Chain

ARCEB (Audit-Ready Cryptographic Evidence Block) chain logs every platform action. Signed, timestamped, and tamper-evident. Exportable for compliance audits.
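The tamper-evident property described above, as an added PostgreSQL example. It is not ARCEB's actual format: the audit_log table, the audit_canon canonical string and the advisory-lock key are assumptions. The block shows the hash-chain part (each entry commits to its predecessor) and an append-only guard; signing the chain head with a key held outside the database is the additional step the page's "signed" claim implies and is not shown here.

```sql
-- Added illustration, not ARCEB's format: a hash-chained, append-only audit table.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides digest()

CREATE TABLE audit_log (
    seq         bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT clock_timestamp(),
    actor       text NOT NULL,
    action      text NOT NULL,
    prev_hash   bytea,                 -- NULL only for the first entry
    entry_hash  bytea NOT NULL
);

-- Canonical string that gets hashed; write and verify must build it identically,
-- so the timestamp is rendered in UTC with a fixed format.
CREATE OR REPLACE FUNCTION audit_canon(prev bytea, ts timestamptz, who text, what text)
RETURNS text LANGUAGE sql STABLE AS $$
    SELECT coalesce(encode(prev, 'hex'), '') || '|' ||
           to_char(ts AT TIME ZONE 'UTC', 'YYYY-MM-DD HH24:MI:SS.US') || '|' ||
           who || '|' || what
$$;

-- BEFORE INSERT: link the new row to the current chain head.
CREATE OR REPLACE FUNCTION audit_chain_link() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    last_hash bytea;
BEGIN
    -- Serialize appenders so two concurrent rows never claim the same predecessor.
    PERFORM pg_advisory_xact_lock(hashtext('audit_log'));
    SELECT entry_hash INTO last_hash FROM audit_log ORDER BY seq DESC LIMIT 1;
    NEW.prev_hash  := last_hash;
    NEW.entry_hash := digest(audit_canon(last_hash, NEW.occurred_at, NEW.actor, NEW.action), 'sha256');
    RETURN NEW;
END $$;

CREATE TRIGGER audit_chain BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_chain_link();

-- Append-only: reject rewrites at the trigger level and withhold the privileges.
CREATE OR REPLACE FUNCTION audit_reject() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only';
END $$;
CREATE TRIGGER audit_no_rewrite BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_reject();
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;

-- Verification: every row must point at the previous row's hash and its own
-- hash must recompute from its contents. Any false means the log was altered.
CREATE OR REPLACE FUNCTION audit_chain_verify()
RETURNS TABLE (entry_seq bigint, link_ok boolean) LANGUAGE sql STABLE AS $$
    SELECT seq,
           (prev_hash IS NOT DISTINCT FROM lag(entry_hash) OVER (ORDER BY seq))
           AND entry_hash = digest(audit_canon(prev_hash, occurred_at, actor, action), 'sha256')
    FROM audit_log
$$;

-- Constructed sample actions, then a full-chain check.
INSERT INTO audit_log (actor, action) VALUES ('alice@example.com', 'document.view');
INSERT INTO audit_log (actor, action) VALUES ('bob@example.com',   'document.export');
SELECT * FROM audit_chain_verify();   -- link_ok is true for every row
```

The verification function is what a compliance export should be checked against: a row whose contents were edited in place fails the recompute test, a deleted row breaks the predecessor link of the row after it, and an inserted row cannot be given a consistent prev_hash without rewriting everything that follows. Since a database owner can still drop the triggers, the chain head hash should be copied somewhere the database role cannot write (that is where a signature and an external timestamp belong).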

Veteran Data Isolation

DD-214 and VA documentation are stored in a separate, elevated-access data store with additional encryption and access controls beyond standard platform data.

Incident Response

4-hour detection SLA. 24-hour customer notification for material incidents. Full post-mortem published to affected tenants within 5 business days.

Access Control

Principle of least privilege enforced across all systems. MFA required for all admin access. Role-based access control per zone, per tenant.

Responsible Disclosure

Found a vulnerability?

We take security reports seriously. If you believe you've found a security vulnerability in X.R.A.Y., please report it responsibly to our security team. We respond within 24 hours.

Report a Vulnerability →

info@25xray.ai · Subject: Security Vulnerability Report