Skip to main content

Security Architecture

Security Pillars

🔐 Authentication

Multi-factor authentication, API key management, and JWT-based session security

🛡️ Data Protection

AES-256 encryption at rest, TLS 1.3 in transit, and HSM key storage

📊 Audit & Compliance

Complete audit trails, compliance certifications, and regular security assessments

🚨 Threat Detection

Real-time monitoring, anomaly detection, and automated incident response

🔒 Key Management

Hardware Security Module (HSM) integration with automatic key rotation

🌐 Network Security

DDoS protection, WAF, and IP whitelisting capabilities

Authentication

API Key Authentication

All API requests require two headers for authentication:

API Key Security

Key Management Best Practices

JWT Session Tokens

For interactive sessions (dashboard), XentFi uses JWT tokens:

Data Protection

Encryption at Rest

Encryption in Transit

Key Management

API Security

Request Validation

Security Headers

Every API response includes these security headers:

Rate Limiting

Idempotency

Prevent duplicate requests using Idempotency-Key header:

Infrastructure Security

DDoS Protection

Web Application Firewall (WAF)

Network Segmentation

Monitoring & Detection

Security Monitoring

Alert Types

Audit Logging

Every security-relevant event is logged:

Compliance Certifications

Current Certifications

In Progress

Vulnerability Management

Security Testing

Bug Bounty Program

Incident Response

Incident Response Process

Response Times

Business Continuity

Disaster Recovery

Backup Strategy

Security Best Practices

  • Use environment variables - Never hardcode API keys
  • Enable MFA - Require multi-factor for dashboard access
  • Rotate keys regularly - Schedule key rotation every 90 days
  • Monitor audit logs - Review logs for suspicious activity
  • IP whitelisting - Restrict API access to trusted IPs (Enterprise)
  • Least privilege - Grant minimum required permissions

Customer Responsibilities

Reporting Security Issues

Vulnerability Disclosure

If you discover a security vulnerability, please report it immediately: Email: security@xentfi.com PGP Key: Download public key

What to Include

Disclosure Policy

Security FAQs

Private keys are encrypted with AES-256-GCM and stored in AWS KMS. Keys never leave the HSM and are never accessible to XentFi employees.
API keys are hashed using bcrypt before storage. The plaintext key is only shown once at creation and never stored.
We follow our incident response plan: detect, contain, eradicate, recover, and notify affected customers within 72 hours.
Yes, XentFi is fully GDPR compliant. We process data only for legitimate purposes and provide data export/deletion capabilities.
External penetration tests quarterly, internal audits continuously, and full security audits annually.

API Reference

API security implementation details

Authentication

Authentication best practices

Webhook Security

Securing webhook endpoints

Contact Security Team