Skip to main content
On this page

Security

Last updated:

Xcape Valuate processes sensitive valuation work that supports IRS Form 8854 filings. Security is core to our roadmap.

Data protection

  • TLS 1.2+ in transit, HSTS enforced.
  • AES-256 at rest in managed Postgres.
  • Sensitive identifiers encrypted at the column level.
  • Encrypted backups, 30-day point-in-time recovery.

Access controls

  • Better Auth role-based access with optional 2FA.
  • Privileged operator actions are logged and reviewed.
  • Cross-app traffic uses short-lived signed tokens.

Infrastructure

  • SOC 2-compliant cloud hosting.
  • Network isolation between auth, app, and analytics tiers.
  • Continuous dependency scanning and quarterly pen tests.

Incident response

We follow a written response plan. Affected users are notified within 72 hours of a confirmed incident, with remediation steps.

Reporting a vulnerability

Disclose responsibly. Email support@xcapesuite.com with reproduction steps. We acknowledge within one business day.