Security is foundational to everything we build. This page provides transparency into how we protect your data, code, and accounts.
All data in transit is encrypted using TLS 1.3. HSTS headers enforce HTTPS connections.
Only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. All other ports are blocked.
Automated intrusion detection is in place: an IP address is banned for 2 hours after 3 failed SSH login attempts.
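The detection logic behind that rule, as an added example (this is not the intrusion-detection tool the hosts actually run; the page does not name one). It applies the page's policy of 3 failures then a 2-hour ban to sshd log lines. Two things are assumed because the page does not state them: failures must fall inside a 10-minute window to count together, and the log lines carry an ISO-8601 timestamp prefix (journalctl short-iso style). The sample log lines are constructed.

```python
"""Detect SSH brute-force attempts from sshd log lines and compute IP bans.

Added example, not the intrusion-detection tool the page's hosts run (the
page does not name one). Policy from the page: 3 failed attempts -> 2-hour ban.
Assumptions: failures must fall inside a 10-minute window to count together,
and log lines carry an ISO-8601 timestamp (journalctl -o short-iso style);
the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3
BAN_DURATION = timedelta(hours=2)
FAILURE_WINDOW = timedelta(minutes=10)  # assumption, not stated on the page

# One "Failed password" line as OpenSSH logs it, with an assumed ISO timestamp prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)


def scan(lines):
    """Return {ip: ban_expiry_datetime} for every IP that hit the threshold."""
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue             # successful logins and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip]:
            continue             # already banned; the firewall rule should be dropping these
        recent[ip] = [t for t in recent[ip] if ts - t <= FAILURE_WINDOW] + [ts]
        if len(recent[ip]) >= MAX_FAILURES:
            bans[ip] = ts + BAN_DURATION
            recent[ip] = []      # counter resets once the ban is issued
    return bans


def is_banned(bans, ip, now):
    """True if `ip` is still inside its ban window at `now` (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expiry = bans.get(ip)
    return expiry is not None and now < expiry


# Constructed sample: 203.0.113.7 fails three times in 8 seconds (and once more
# while banned); 198.51.100.9 fails once and then succeeds with a key.
SAMPLE_LOG = [
    "2025-03-10T03:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51320 ssh2",
    "2025-03-10T03:12:04 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51321 ssh2",
    "2025-03-10T03:12:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51322 ssh2",
    "2025-03-10T03:12:15 web1 sshd[2218]: Failed password for root from 203.0.113.7 port 51323 ssh2",
    "2025-03-10T03:15:40 web1 sshd[2230]: Failed password for deploy from 198.51.100.9 port 40010 ssh2",
    "2025-03-10T03:15:50 web1 sshd[2232]: Accepted publickey for deploy from 198.51.100.9 port 40011 ssh2",
]

if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG).items():
        print(f"ban {ip} until {until.isoformat()}")
```

In a deployment the entries returned by `scan` would be pushed into the host firewall (an nftables or iptables drop rule) and removed when `is_banned` turns false; the example stops at computing the decision so it can run on any log extract offline.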
Nginx rate limiting: 30 requests/minute for APIs, 5 requests/minute for authentication endpoints.
Hosted on Hetzner Online GmbH in Falkenstein, Germany. ISO 27001 certified data center.
Ubuntu Pro with Extended Security Maintenance. Automatic security patches via unattended-upgrades.
JWT-based authentication; the client checks token expiry every 60 seconds. Tokens are stored client-side only.
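What a JWT expiry check looks like on both sides, as an added example using only the Python standard library; this is not xandhi's own auth code, and the page does not say which JWT library, signing algorithm or token lifetime it uses. `SECRET`, `TOKEN_TTL` and `LEEWAY` are illustrative values. `client_seconds_left` is the unverified check a browser can run on a timer (it holds no signing key, so it is a UX hint only); `verify` is what the server must do on every request, pinning the algorithm to HS256 rather than trusting the token header.

```python
"""Mint and verify HS256 JWTs with an expiry check, standard library only.

Added example, not xandhi's own auth code: the page does not say which JWT
library, signing algorithm or token lifetime it uses. SECRET, TOKEN_TTL and
LEEWAY are illustrative values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-only-load-from-a-secret-store"  # assumption: real key comes from a secret store
TOKEN_TTL = 15 * 60                                 # seconds; assumption
LEEWAY = 30                                         # clock-skew tolerance in seconds; assumption


class TokenError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint(sub: str, now: Optional[int] = None, ttl: int = TOKEN_TTL, secret: bytes = SECRET) -> str:
    """Issue a signed token for subject `sub` that expires `ttl` seconds after `now`."""
    now = int(time.time()) if now is None else now
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json({"sub": sub, "iat": now, "exp": now + ttl}))
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, now: Optional[int] = None, secret: bytes = SECRET, leeway: int = LEEWAY) -> dict:
    """Return the claims if signature and expiry are valid, else raise TokenError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        claims = json.loads(_unb64url(p))
        sig = _unb64url(s)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON, bad UTF-8
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm server-side; never dispatch on the header's alg
    # (rejects alg=none and algorithm-confusion tokens outright).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired")
    return claims


def verify_or_none(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Convenience wrapper: claims on success, None on any verification failure."""
    try:
        return verify(token, now)
    except TokenError:
        return None


def client_seconds_left(token: str, now: Optional[int] = None) -> int:
    """Client-side timer check: reads `exp` without verifying (the browser has no
    secret), so it is a UX hint only; the server still enforces expiry."""
    now = int(time.time()) if now is None else now
    claims = json.loads(_unb64url(token.split(".")[1]))
    return claims["exp"] - now


if __name__ == "__main__":
    token = mint("user-42")
    print("seconds left:", client_seconds_left(token))
    print("claims:", verify(token))
```

The client-side timer (the page's 60-second check) only decides when to prompt for re-login or refresh; it must never be the thing that gates access, because the browser cannot verify the signature and the `exp` it reads is attacker-editable in a tampered token.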
Passwords must be at least 8 characters and are stored as salted bcrypt hashes. Accounts are locked for 15 minutes after 5 failed login attempts.
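The login path those rules imply, as an added example (not xandhi's own auth code). It enforces the 8-character minimum, salted hashing, and a 15-minute lock after 5 failures, checking the lock before doing any hash work so a locked account cannot be used to burn CPU. The page says bcrypt; this block substitutes the standard library's `hashlib.scrypt` so it runs with no third-party package (swap in `bcrypt.hashpw`/`bcrypt.checkpw` for a real deployment). Account state is kept in a dataclass and `now` is passed in explicitly so the lock can be exercised deterministically.

```python
"""Password storage and account lockout: 8-character minimum, salted hashing,
lock for 15 minutes after 5 failed attempts.

Added example, not xandhi's own auth code. The page says bcrypt; this block
uses the standard library's hashlib.scrypt so it runs without third-party
packages (use bcrypt.hashpw/checkpw in production). Account state lives in a
dataclass and `now` is a parameter so the lock can be tested deterministically.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 8
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
SALT_LEN = 16
# scrypt cost parameters (stand-in for bcrypt's work factor); assumption
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def password_acceptable(password: str) -> bool:
    return len(password) >= MIN_LENGTH


def hash_password(password: str) -> bytes:
    """Return salt || digest; the per-user random salt is stored with the hash."""
    if not password_acceptable(password):
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Account:
    password_hash: bytes
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means never locked


def login(account: Account, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'denied'.

    The lock is checked before any hashing so a locked account cannot be used
    to make the server compute expensive hashes; a successful login or an
    expired lock resets the failure counter.
    """
    if now < account.locked_until:
        return "locked"
    if account.locked_until:  # a previous lock has expired: start counting afresh
        account.failures, account.locked_until = 0, 0.0
    if check_password(password, account.password_hash):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
    return "denied"


if __name__ == "__main__":
    acct = Account(password_hash=hash_password("correct horse battery"))
    for attempt in range(6):
        print(attempt, login(acct, "wrong-guess", now=1000.0 + attempt))
```

Note that the lock is keyed on the account, not the source IP, so it complements rather than replaces the per-IP rate limits on the authentication endpoints; and because "locked" is a distinct outcome, the login page should render the same generic failure message for "denied" and "locked" to avoid handing an attacker a signal.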
All user prompts are sanitized to prevent XSS, script injection, and command injection attacks.
API access is restricted to the xandhi.com origin; cross-origin requests from other domains are blocked by the CORS policy. CORS governs browser clients only, so direct API calls are still required to present a valid token.
Payments processed by Razorpay (PCI DSS Level 1). We never store card numbers, CVVs, or banking credentials.
Database credentials are encrypted at rest. .env files are restricted to root-only access (chmod 600). Secrets are never exposed in client code.
Your prompts are sent to AI providers (via OpenRouter) for code generation. We do not use your prompts to train AI models. Generated code belongs to you. Build data is stored in PostgreSQL with encrypted connections. Redis is used for session caching with automatic expiry. Database backups run daily at 3 AM UTC.
If you discover a security vulnerability, please report it responsibly to security@xandhi.com. We offer recognition and may offer bounties for critical vulnerabilities. We commit to acknowledging reports within 24 hours and providing resolution timelines within 72 hours. We do not pursue legal action against good-faith security researchers.
Self-hosted on Hetzner Cloud (Falkenstein, Germany). TLS 1.3 on every endpoint. Automated daily database backups. Per-route rate limiting at the nginx layer. JWT-based authentication. Encrypted secrets at rest, root-only .env files. No card data ever touches our servers — all payments are tokenized through Razorpay.
Information Technology Act, 2000 (India) compliant. GDPR-aware data handling practices. Working toward SOC 2 Type I readiness in the medium term. We do not currently hold SOC 2, ISO 27001, or PCI DSS certifications — the PCI DSS Level 1 status of Razorpay applies to their payment processing, not to us directly. We will update this page as our compliance posture evolves.