Governance & Compliance
SOC 2

SOC 2 Compliance

Xilos aligns with SOC 2 (System and Organization Controls 2) Trust Service Criteria.

Trust Service Categories

Security

Xilos protects against unauthorized access through:

  • Bearer token authentication for all API access
  • Role-based access control (SuperAdmin, Org Admin, User)
  • Virtual keys with budget and rate limits
  • Encrypted data storage

Availability

  • Managed SaaS deployment includes automated backups and disaster recovery
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Stateless architecture enables rapid recovery

Processing Integrity

  • Every query is logged with the full processing pipeline: routing decision, governance actions, model selection, and response
  • Quality scores (faithfulness, answer relevance, context relevance) are computed for each response
  • Audit trail captures all governance actions with timestamps

Confidentiality

  • PII detection and masking before queries reach the LLM
  • Data residency enforcement to control where data is processed
  • Organization-level data isolation
  • Restriction rules to block sensitive data from processing

Privacy

  • Audit trail tracks all data access and processing
  • User data can be deleted on request
  • SIEM export enables external compliance monitoring
  • Data residency controls prevent unauthorized data movement

Audit Support

Xilos provides the following for SOC 2 audits:

  • Audit logs with immutable timestamps
  • SIEM export for continuous monitoring
  • Role-based access control documentation
  • Data residency configuration records
  • Query processing pipeline documentation