Security

How Xycora protects your firm's most sensitive data.

1. Encryption

All Firm Data is encrypted at rest using AES-256 and in transit using TLS 1.3 (minimum). Customers on the Firm subscription tier may use bring-your-own-key (BYO-key) encryption via AWS KMS or Azure Key Vault. Under BYO-key, Xycora holds no plaintext copy of stored matter documents — decryption requires a key that only the customer controls.

2. Access Control

Access to all Xycora systems — including the platform application, infrastructure, and operational tooling — is governed by role-based access control (RBAC) aligned to the principle of least privilege. Platform roles (Owner, Admin, Attorney, Paralegal, Client) and firm-level permissions are independently configurable. Every API call to the platform is authenticated using a short-lived JWT access token (60-minute expiry), with token refresh handled via a 7-day rotating refresh token. Production infrastructure access by Xycora employees requires MFA and is subject to quarterly access reviews.

3. Authentication

Passwords are stored using Argon2id, a memory-hard hashing algorithm recommended by OWASP. Multi-factor authentication (MFA) is available to all platform users and is enforced for all Xycora employees with access to production systems. Sessions are immediately invalidated on logout and subject to absolute expiry after 7 days regardless of activity.
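The token and session lifetimes stated in sections 2 and 3 (60-minute access token, 7-day rotating refresh token, 7-day absolute session expiry, immediate invalidation on logout), worked through as an added illustration that is not Xycora's code: the access token is an HMAC-signed stand-in for the JWT the page describes, the signing key is a constructed placeholder, time is an integer epoch, and revoking the whole session when a stale refresh token is presented is an assumption of this example, not a statement from the page.

```python
import hmac
import secrets

ACCESS_TTL = 60 * 60              # access token lifetime stated on the page: 60 minutes
REFRESH_TTL = 7 * 24 * 3600       # rotating refresh token lifetime: 7 days
SESSION_ABSOLUTE = 7 * 24 * 3600  # absolute session expiry regardless of activity: 7 days
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # placeholder, not a real key

def _sign(data):
    """Keyed SHA-256 over a string: signs access tokens and stores refresh tokens hashed."""
    return hmac.new(SIGNING_KEY, data.encode(), "sha256").hexdigest()

class SessionStore:
    def __init__(self):
        self.sessions = {}  # sid -> record; only the keyed hash of the live refresh token is kept
    def _access_token(self, sid, now):
        body = f"{sid}.{now + ACCESS_TTL}"  # HMAC-signed stand-in for a JWT: sid.exp.sig
        return f"{body}.{_sign(body)}"
    def login(self, user, now):
        sid, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "created": now, "revoked": False,
                              "refresh_hash": _sign(refresh), "refresh_exp": now + REFRESH_TTL}
        return sid, self._access_token(sid, now), refresh
    def _alive(self, sid, now):
        s = self.sessions.get(sid)
        return s if s and not s["revoked"] and now < s["created"] + SESSION_ABSOLUTE else None
    def authenticate(self, token, now):
        # Signature and expiry are stateless; revocation and the absolute limit need the
        # server-side record, which is what lets logout take effect immediately.
        sid, _, rest = token.partition(".")
        exp, _, sig = rest.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(f"{sid}.{exp}").encode()) or now >= int(exp):
            return None
        s = self._alive(sid, now)
        return s["user"] if s else None
    def refresh(self, sid, refresh_token, now):
        # Rotation: the presented refresh token is accepted once, then replaced.
        s = self._alive(sid, now)
        if not s or now >= s["refresh_exp"]:
            return None
        if not hmac.compare_digest(s["refresh_hash"], _sign(refresh_token)):
            s["revoked"] = True  # assumption: a stale or replayed refresh token ends the session
            return None
        new_refresh = secrets.token_urlsafe(32)
        s["refresh_hash"] = _sign(new_refresh)
        s["refresh_exp"] = min(now + REFRESH_TTL, s["created"] + SESSION_ABSOLUTE)
        return self._access_token(sid, now), new_refresh
    def logout(self, sid):
        if sid in self.sessions:
            self.sessions[sid]["revoked"] = True
```

The refresh expiry is capped at the session's creation time plus 7 days, so rotating a refresh token never extends a session past the absolute limit.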

4. Audit Logging

Every AI call, document access, role assignment, login event, failed authentication attempt, and administrative action is captured in an immutable, append-only audit log. Each log entry records the event type, timestamp, hashed user identifier, session identifier, and relevant event metadata. The audit log cannot be modified or deleted by any platform user, including Xycora administrators. Customers can export audit logs at any time from the platform's compliance dashboard.

5. Incident Response

Xycora maintains documented incident response procedures. In the event of an actual or reasonably suspected security incident affecting customer data, Xycora will provide initial notification within 24 hours of becoming aware and a detailed written report within 72 hours. Security incidents can be reported to [email protected]. Xycora operates a responsible disclosure programme for security researchers.

6. Penetration Testing

Annual third-party penetration testing is conducted against all production infrastructure by an independent security firm. Critical findings are remediated within 72 hours of identification; high-severity findings within 30 days. A summary of the most recent penetration test results is available to customers on request under NDA by contacting [email protected].

7. Secure Development Lifecycle

Security is integrated throughout the software development lifecycle. Automated dependency scanning and secret scanning run on every build in CI. An OWASP top-10 review is conducted on every release. All code changes require review by a second engineer before merging to main. The engineering team undergoes secure coding training annually.

8. Secrets Management

All credentials, API keys, and service tokens used in production are stored in a dedicated secrets manager. No credentials are stored in source code repositories, build pipelines, or environment variable stores in production systems. All secrets are rotated on a quarterly cadence, and immediately on any suspected exposure.

9. Employee Training and Access Provisioning

All Xycora employees with access to systems that process customer data undergo annual security awareness training and complete background screening prior to employment. Access to production systems is provisioned on a least-privilege basis from an employee's first day and de-provisioned within 24 hours of departure. Internal access rights are subject to quarterly review and certification.

This document was last reviewed in April 2026. For redlines against your template, contact [email protected].