On this page
Security
Last updated:
Xcape Valuate processes sensitive valuation work that supports IRS Form 8854 filings. Security is core to our roadmap.
Data protection
- TLS 1.2+ in transit, HSTS enforced.
- AES-256 at rest in managed Postgres.
- Sensitive identifiers encrypted at the column level.
- Encrypted backups, 30-day point-in-time recovery.
Access controls
- Better Auth role-based access with optional 2FA.
- Privileged operator actions are logged and reviewed.
- Cross-app traffic uses short-lived signed tokens.
Infrastructure
- SOC 2-compliant cloud hosting.
- Network isolation between auth, app, and analytics tiers.
- Continuous dependency scanning and quarterly pen tests.
Incident response
We follow a written response plan. Affected users are notified within 72 hours of a confirmed incident, with remediation steps.
Reporting a vulnerability
Disclose responsibly. Email support@xcapesuite.com with reproduction steps. We acknowledge within one business day.