Security Architecture
Security Pillars
🔐 Authentication
Multi-factor authentication, API key management, and JWT-based session security
🛡️ Data Protection
AES-256 encryption at rest, TLS 1.3 in transit, and HSM key storage
📊 Audit & Compliance
Complete audit trails, compliance certifications, and regular security assessments
🚨 Threat Detection
Real-time monitoring, anomaly detection, and automated incident response
🔒 Key Management
Hardware Security Module (HSM) integration with automatic key rotation
🌐 Network Security
DDoS protection, WAF, and IP whitelisting capabilities
Authentication
API Key Authentication
All API requests require two headers for authentication:API Key Security
Key Management Best Practices
JWT Session Tokens
For interactive sessions (dashboard), XentFi uses JWT tokens:Data Protection
Encryption at Rest
Encryption in Transit
Key Management
API Security
Request Validation
Security Headers
Every API response includes these security headers:Rate Limiting
Idempotency
Prevent duplicate requests usingIdempotency-Key header:
Infrastructure Security
DDoS Protection
Web Application Firewall (WAF)
Network Segmentation
Monitoring & Detection
Security Monitoring
Alert Types
Audit Logging
Every security-relevant event is logged:Compliance Certifications
Current Certifications
In Progress
Vulnerability Management
Security Testing
Bug Bounty Program
Incident Response
Incident Response Process
Response Times
Business Continuity
Disaster Recovery
Backup Strategy
Security Best Practices
- Use environment variables - Never hardcode API keys
- Enable MFA - Require multi-factor for dashboard access
- Rotate keys regularly - Schedule key rotation every 90 days
- Monitor audit logs - Review logs for suspicious activity
- IP whitelisting - Restrict API access to trusted IPs (Enterprise)
- Least privilege - Grant minimum required permissions
Customer Responsibilities
Reporting Security Issues
Vulnerability Disclosure
If you discover a security vulnerability, please report it immediately: Email:security@xentfi.com
PGP Key: Download public key
What to Include
Disclosure Policy
Security FAQs
Where are private keys stored?
Where are private keys stored?
Private keys are encrypted with AES-256-GCM and stored in AWS KMS. Keys never leave the HSM and are never accessible to XentFi employees.
How are API keys protected?
How are API keys protected?
API keys are hashed using bcrypt before storage. The plaintext key is only shown once at creation and never stored.
What happens if there's a security breach?
What happens if there's a security breach?
We follow our incident response plan: detect, contain, eradicate, recover, and notify affected customers within 72 hours.
Are you GDPR compliant?
Are you GDPR compliant?
Yes, XentFi is fully GDPR compliant. We process data only for legitimate purposes and provide data export/deletion capabilities.
How often are security audits performed?
How often are security audits performed?
External penetration tests quarterly, internal audits continuously, and full security audits annually.
Related Resources
API Reference
API security implementation details
Authentication
Authentication best practices
Webhook Security
Securing webhook endpoints
Contact Security Team
- 📧 Security Email: security@xentfi.com
- 🔒 PGP Key: Download
- 🐛 Bug Bounty: bugbounty@xentfi.com
- 📞 Emergency: +1 (555) 123-4567 (24/7)

