Security

Last updated: April 2026

XcapeSuite handles tax-sensitive information for individuals expatriating from the United States. Security is foundational to every product decision we make.

Data protection

  • All traffic is served over TLS 1.2+ with HSTS enabled.
  • Data at rest is encrypted using AES-256 in our managed Postgres database.
  • Sensitive fields (SSN, ITIN, account numbers) are stored encrypted at the column level.
  • Backups are encrypted and retained for 30 days with point-in-time recovery.

Access controls

  • Role-based access control is enforced through Better Auth, with optional two-factor authentication.
  • Production access is limited to a small on-call group; every privileged action is logged.
  • Service-to-service calls authenticate with short-lived signed tokens issued by the auth server.

Infrastructure

  • Workloads are hosted on SOC 2-compliant cloud providers.
  • Network isolation between auth, application, and analytics workloads.
  • Continuous dependency scanning and quarterly penetration tests.

Incident response

We maintain a documented incident response plan. In the event of a confirmed incident, affected users are notified within 72 hours alongside remediation steps.

Reporting a vulnerability

Please disclose suspected vulnerabilities responsibly. Email support@xcapesuite.com with reproduction steps; we acknowledge reports within one business day.