Security Overview
Effective Date: January 1, 2026 | Last Updated: March 1, 2026
xpdOffice is designed as a secure, AI-native operating system for government contractors and professional services teams. Security, compliance, and data integrity are embedded in the platform architecture.
Core Principles
- Security by design
- Least-privilege access
- Transparency and auditability
Infrastructure and Data Protection
- AWS U.S. region hosting with tenant isolation
- AES-256 encryption at rest and TLS 1.2+ in transit
- Network segmentation, monitoring, and threat detection
- Encrypted backups and controlled snapshot handling
Access and Application Security
- Role-based access controls and least-privilege administration
- MFA for administrative access and SSO/SAML support for enterprise customers
- Secure SDLC, code review, dependency scanning, and penetration testing
Compliance Alignment
Security controls align with FISMA Moderate, NIST SP 800-53 Rev. 5, NIST SP 800-171, CMMC Level 2 practices, and SOC 2 Type II controls. xpdOffice is not FedRAMP authorized, but architectural controls are designed to align with FedRAMP Moderate expectations.
Incident Response
xpdOffice maintains a formal incident response process with defined escalation paths and containment procedures. Affected customers are notified without unreasonable delay, in accordance with applicable law and contract terms.
