Our approach: We minimize what we collect, encrypt everything in transit and at rest, and never store data we don't need. If you find a security issue, we want to hear about it.
How we protect your data
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via the database provider's managed encryption. API tokens and GitHub access tokens are encrypted before storage and never logged in plaintext.
Infrastructure
xsbl runs on Supabase (managed PostgreSQL on AWS) and Netlify's edge network. Both providers maintain SOC 2 Type II compliance. Our edge functions run in isolated Deno environments with no shared state between tenants. Headless browser instances used for scanning are ephemeral — they're created for each scan and destroyed immediately after.
Authentication & access
User authentication is handled by Supabase Auth with bcrypt-hashed passwords, JWT session tokens, and optional OAuth via GitHub and Google. Admin access to production infrastructure requires multi-factor authentication. Database access is restricted by row-level security policies — users can only access data belonging to their organization.
What we scan — and what we don't
xsbl scans the publicly rendered HTML of your web pages — the same content any visitor's browser would see. We do not install agents, inject scripts, or modify your website in any way. When you connect GitHub, we read source files only at the moment of generating a fix and do not persist repository contents. We do not scan pages behind authentication or access private resources.
Data retention & deletion
Scan results are retained for the life of your account. When you delete a site, all associated scans, issues, and reports are queued for deletion within 30 days. When you close your account, all data is purged within 30 days except billing records required by law. GitHub tokens are revoked and deleted immediately upon disconnection.
Responsible disclosure
If you discover a security vulnerability in xsbl, please report it responsibly. We take all reports seriously and will respond within 48 hours.
Email: security@xsbl.io
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Your contact information for follow-up
We ask that you do not publicly disclose the vulnerability until we've had reasonable time to address it (typically 90 days). We do not pursue legal action against researchers who report in good faith and comply with this policy.
Security headers
All xsbl pages are served with security headers including X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin. These prevent clickjacking and MIME-type confusion, and limit referrer information leakage.
Incident response
In the event of a data breach or security incident, we will notify affected users within 72 hours via email with details of the incident, what data was affected, steps we're taking, and recommendations for protecting yourself. We maintain internal incident response procedures and conduct post-incident reviews for all security events.
Compliance
Our infrastructure providers (Supabase and Netlify) maintain SOC 2 Type II compliance. xsbl generates compliance evidence for our customers (audit logs, scan history, VPAT documents) — the same tools we use internally to maintain our own security posture.
Questions
Security questions or concerns? Contact us at security@xsbl.io or through our contact page.