Security
XeroML is designed with security as a first-class concern. This page covers the security features available, data handling practices, and guidance for compliance-sensitive deployments.
Data Regions (Cloud)
XeroML Cloud is available in two regions:
| Region | Base URL |
|---|---|
| EU (Frankfurt) | https://cloud.xeroml.com |
| US (Virginia) | https://us.cloud.xeroml.com |
Data is stored exclusively in the selected region. Choose the region that satisfies your data residency requirements before creating a project — projects cannot be migrated between regions.
Authentication & SSO
XeroML supports multiple authentication methods:
| Method | Available on |
|---|---|
| Email / password | Cloud + Self-hosted |
| Google OAuth | Cloud + Self-hosted |
| GitHub OAuth | Cloud + Self-hosted |
| SAML 2.0 SSO | Enterprise (Cloud + Self-hosted) |
| OIDC (Okta, Azure AD, etc.) | Self-hosted |
SSO configuration is available in Organization Settings → Security.
Role-Based Access Control
XeroML supports project-level roles:
| Role | Permissions |
|---|---|
| Owner | Full access, billing, member management |
| Admin | Full project access, member management |
| Member | Read/write access to traces, prompts, evaluations |
| Viewer | Read-only access |
Data Masking
For deployments that handle PII or sensitive data, XeroML supports data masking on the self-hosted platform. Configure masking rules to redact specific fields from traces before they’re stored.
Encryption
At rest: All data is encrypted at rest using AES-256 (cloud) or your cloud provider’s encryption (self-hosted with managed databases).
In transit: All communication uses TLS 1.2 or later. The OTLP ingestion endpoint and API endpoints both require HTTPS.
Client-side encryption: For maximum sensitivity, you can encrypt trace payloads before sending to XeroML. Encrypted payloads are stored as-is and not readable by XeroML.
Network Security (Self-Hosted)
For self-hosted deployments running inside a VPC:
- The XeroML web application only needs inbound access on port 3000 (or 443 via reverse proxy)
- All database, Redis, and ClickHouse connections are outbound from the XeroML containers
- No inbound connections from XeroML to your application are required
- SDK calls go outbound from your application to XeroML’s ingestion endpoint
Audit Logs
Enterprise self-hosted deployments have access to audit logs that record:
- User login and logout events
- Project settings changes
- API key creation and deletion
- Member permission changes
- Prompt version deployments
Responsible Disclosure
If you discover a security vulnerability in XeroML, please report it to security@xeroml.com. We aim to respond within 48 hours and will work with you to understand and resolve the issue responsibly.
Do not disclose security vulnerabilities publicly until we’ve had an opportunity to address them.
Compliance
XeroML Cloud operates with the following compliance frameworks:
- SOC 2 Type II — available on request
- GDPR — data processing agreements available for EU customers
- HIPAA — Business Associate Agreements available for enterprise customers
For compliance documentation, contact sales@xeroml.com.