
xpander.ai is SOC 2 Type II certified. ISO 27001, HIPAA, and FedRAMP are in progress. For frameworks not yet formally certified, deploying inside your own VPC or air-gapped environment lets you bring agents under your existing compliance program without waiting for a vendor attestation.

Certification status

| Framework | Status | How to obtain documentation |
| --- | --- | --- |
| SOC 2 Type II | Certified | Report available under NDA |
| GDPR | Compliant | DPA available with enterprise contracts |
| ISO 27001 | In progress | Contact us for current state and timeline |
| HIPAA | In progress | BAA available on request for eligible deployments |
| FedRAMP | In progress | Contact us if a federal deployment is on your roadmap |

For audit reports, attestation letters, and signed agreements (DPA, BAA), contact our team. NDA required before sensitive documentation is shared.

SOC 2 Type II

xpander.ai is SOC 2 Type II certified. The audit covers the Trust Services Criteria for Security, Availability, and Confidentiality, meaning an external auditor evaluated the platform’s controls over a period of time, not just on a single date, and confirmed they operated as designed. The report covers logical and physical access, encryption in transit and at rest, change management, incident response, backup and disaster recovery, and vendor management. The full report is available to current and prospective enterprise customers under NDA. Request the SOC 2 report.

GDPR

The platform supports GDPR requirements for organizations processing EU resident data.

Data residency is determined by deployment choice. In a self-hosted, VPC, or air-gapped configuration, all runtime data (task execution, memory, knowledge base contents, audit logs) stays in the region you operate. xpander Cloud customers can request region-specific deployment for their workspace.

Right to erasure and portability are exposed through the API and dashboard: conversation history, knowledge base documents, and user memories can be deleted on request; agent configurations and task history can be exported in standard formats.

Privacy by design is enforced at the agent level via PII detection and masking. Both inputs and outputs can be automatically redacted before they reach the model or downstream tools.

Controller relationships depend on the deployment model. For Managed Runtime customers (xpander Cloud), xpander is the data processor and the customer is the controller. For Unmanaged Runtime customers using their own AI service provider with private connectors, the customer is the controller and xpander’s privacy policy doesn’t extend to those processing activities. See the Privacy Policy for the full breakdown. DPAs and sub-processor lists are available with enterprise contracts.

HIPAA, ISO 27001, FedRAMP

These three are in progress. While formal attestation is being completed, customers commonly bring xpander.ai under their own compliance program by deploying in their own infrastructure.
  • HIPAA: technical controls for handling PHI (encryption at rest and in transit, audit logging of all data access, isolation of customer data) are in place under SOC 2 coverage. Formal HIPAA attestation and the Business Associate Agreement program are in progress. For healthcare deployments, contact us about BAA availability and deployment configuration (typically VPC or air-gapped).
  • ISO 27001: most control families overlap with SOC 2 Type II coverage. Certification in progress.
  • FedRAMP: federal customers commonly deploy xpander.ai inside their own VPC or air-gapped environment under their existing Authority to Operate (ATO) while formal authorization is being completed.
Contact us for current state and timeline on any of these.

Deployment patterns by industry

Common deployment patterns for regulated industries:
| Industry | Typical deployment | Why |
| --- | --- | --- |
| Financial services | VPC | Data residency, per-agent audit log, RBAC for segregation of duties |
| Healthcare | VPC or air-gapped | Keep PHI inside the customer environment, storage-layer encryption, scoped BAA |
| Government / defense | Air-gapped | Full data sovereignty, no external dependencies |
| Critical infrastructure | VPC with PrivateLink | Outbound-only model keeps traffic off the public internet |

The platform isn’t the compliance boundary; your deployment configuration is. The platform provides the technical controls. Deployment choice determines which compliance program owns them.

Supporting documentation

| Document | Availability |
| --- | --- |
| SOC 2 Type II report | Under NDA, on request |
| Data Processing Agreement (DPA) | Enterprise contracts |
| Sub-processor list | On request |
| HIPAA Business Associate Agreement (BAA) | On request, for eligible deployments |
| Penetration testing summary | Under NDA, on request |
| Architecture and security whitepaper | On request |
| Privacy Policy | Public |
| Terms of Service | Public |

To request anything from this list, contact our team and describe what your security or compliance review needs. Enterprise customers receive ongoing access to compliance updates as new certifications complete.