Last updated:
Sep 22, 2025
Security at Agency Xcelerator
Every day, agencies and creators rely on Xcelerator to plan work, move content, and understand revenue. Your work is valuable, and we design our systems to protect your privacy, safety, and data. This page explains what we do and what you can expect. For custom enterprise controls and questionnaires, contact support@xcelerateagency.com.
At a glance
Hosting: Google Cloud, multi-AZ, encrypted storage
Encryption: TLS 1.2+ in transit, AES-256 at rest (KMS-managed keys)
Access: SSO/2FA, least-privilege RBAC, logged & reviewed admin access
Backups: Continuous, immutable backups; routine restore tests
Monitoring: Centralized logs, SIEM, alerting, 24×7 on-call
Testing: Automated code scanning + regular third-party pentests
Privacy: DPA with SCCs, CPRA “service provider,” GDPR processor posture
Safety: Zero tolerance for under-18, non-consensual, or exploitative content
Incident response: Formal IR plan; customer notifications per law & contract
Compliance & privacy posture
GDPR / UK GDPR. We act as processor for workspace data. Our DPA (with EU SCCs/UK Addendum) is available on request.
CPRA/CCPA. We act as a service provider. We honor opt-out signals (including Global Privacy Control) for ad/marketing tags on public surfaces.
Security frameworks. We align our controls to SOC 2 and ISO 27001 practices (risk management, access control, change management, vendor security). If you require formal reports, we can share our latest security overview and roadmap under NDA.
Data Processing Addendum (DPA). Includes subprocessors, transfer mechanisms, and breach/DSR support. Email support@xcelerateagency.com.
Subprocessors. We maintain a live list and notify of material changes. (Link: /subprocessors)
We don’t make claims we haven’t earned. If/when independent certifications (e.g., SOC 2 Type II, ISO 27001) are completed, we will publish the details and make reports available to Enterprise customers under NDA.
Data hosting & residency
Cloud provider: Google Cloud. Services are deployed across multiple availability zones for resilience.
Residency: Default hosting in [insert region]. Enterprise customers can request regional data hosting preferences (subject to feature availability).
Separation of environments: Production, staging, and development are isolated (network, accounts, credentials).
Data classification & confidentiality
We classify data to apply the right controls:
Confidential: Customer workspace data (creators/models, content, analytics, finance views), credentials, and keys.
Internal: Operational runbooks, system metrics.
Public: Marketing site content and documentation.
Access to Confidential data is role-based, least-privilege, and granted on a need-to-know basis with manager + security approval and time limits where possible.
Encryption & key management
In transit: TLS 1.2+ with strong cipher suites; HSTS on public domains so browsers refuse plain-HTTP connections, which blocks SSL-stripping (HTTPS-to-HTTP) downgrade attacks.
At rest: AES-256 for databases, object storage, and backups.
Keys & secrets: AWS KMS for key generation/rotation; Parameter Store/Secrets Manager for secrets. Access is restricted and audited.
Product security (SDLC)
Secure development lifecycle: Threat modeling for sensitive changes; security sign-off required for auth, storage, or data-flow changes.
Code reviews & CI/CD: All changes via pull requests with peer review and automated checks before merge.
Automated scanning: SAST, dependency/SBOM scanning, container and IaC checks, secret-leak detection in CI.
Runtime protection: Read-only containers where possible, principle of least privilege, scoped IAM roles.
Monitoring, logging & detection
Centralized logging: App, database, and infrastructure logs are aggregated and retained per policy.
SIEM & alerting: Event correlation and alerting for auth anomalies, privilege changes, data-export spikes, and other indicators.
Cloud audit: CloudTrail/Config (or equivalent) for API calls and configuration drift.
On-call: 24×7 response rotation for critical alerts.
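Three of the indicators listed above (auth anomalies, privilege changes, data-export spikes) expressed as detection rules over audit-log lines. This is an added illustration, not Xcelerator's own detection content; the JSON field names, thresholds and log lines are constructed for the example.

```python
"""Added example: simple SIEM-style detection rules over JSON audit events.
Field names (ts, event, actor, src_ip, rows, old_role, new_role), thresholds
and the sample log are assumptions for illustration, not real platform data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), newest last. Not real logs.
SAMPLE_LOG = """\
{"ts":"2025-09-22T10:00:01Z","event":"login.failed","actor":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:00:09Z","event":"login.failed","actor":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:00:20Z","event":"login.failed","actor":"bob","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:00:31Z","event":"login.failed","actor":"bob","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:00:45Z","event":"login.failed","actor":"carol","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:01:02Z","event":"login.failed","actor":"carol","src_ip":"203.0.113.7"}
{"ts":"2025-09-22T10:03:00Z","event":"login.failed","actor":"dave","src_ip":"198.51.100.4"}
{"ts":"2025-09-22T10:20:00Z","event":"login.failed","actor":"dave","src_ip":"198.51.100.4"}
{"ts":"2025-09-22T11:00:00Z","event":"role.changed","actor":"carol","target":"dave","old_role":"editor","new_role":"admin"}
{"ts":"2025-09-22T11:05:00Z","event":"role.changed","actor":"carol","target":"erin","old_role":"creator","new_role":"editor"}
{"ts":"2025-09-22T12:00:00Z","event":"data.export","actor":"frank","rows":50000}
{"ts":"2025-09-22T12:30:00Z","event":"data.export","actor":"gina","rows":900}
"""

# Constructed per-actor baseline: mean rows exported per day over prior weeks.
EXPORT_BASELINE = {"frank": 1200.0, "gina": 800.0}

FAILED_LOGIN_THRESHOLD = 5             # failures from one source IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... inside this sliding window
PRIVILEGED_ROLES = {"owner", "admin"}  # roles whose grant is always alerted
EXPORT_SPIKE_FACTOR = 3.0              # alert when rows > factor * baseline


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events):
    """Auth anomaly: N failed logins from one IP within a sliding window
    (password spraying or brute force). One alert per offending IP."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "login.failed":
            by_ip[ev["src_ip"]].append(ev["ts"])
    alerts = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > FAILED_LOGIN_WINDOW:  # slide window start
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "src_ip": ip,
                               "count": end - start + 1,
                               "first": stamps[start], "last": ts})
                break
    return alerts


def detect_privilege_escalations(events):
    """Privilege change: a role grant that moves someone into a privileged role."""
    return [{"rule": "privilege_escalation", "actor": ev["actor"],
             "target": ev["target"], "new_role": ev["new_role"], "ts": ev["ts"]}
            for ev in events
            if ev["event"] == "role.changed"
            and ev["new_role"] in PRIVILEGED_ROLES
            and ev.get("old_role") not in PRIVILEGED_ROLES]


def detect_export_spikes(events, baseline):
    """Data-export spike: export volume far above the actor's baseline.
    An actor with no baseline has never exported, so any export is notable."""
    alerts = []
    for ev in events:
        if ev["event"] != "data.export":
            continue
        expected = baseline.get(ev["actor"])
        if expected is None or ev["rows"] > EXPORT_SPIKE_FACTOR * expected:
            alerts.append({"rule": "export_spike", "actor": ev["actor"],
                           "rows": ev["rows"], "baseline": expected, "ts": ev["ts"]})
    return alerts


def run_all(text, baseline=EXPORT_BASELINE):
    """Run every rule over a log text and return the combined alert list."""
    events = parse_events(text)
    return (detect_failed_login_bursts(events)
            + detect_privilege_escalations(events)
            + detect_export_spikes(events, baseline))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises exactly three alerts: the six failures from 203.0.113.7 (five land inside one five-minute window), carol granting dave the admin role, and frank's 50,000-row export against a 1,200-row baseline; the two spaced-out failures from 198.51.100.4 and gina's ordinary export stay quiet. In production the thresholds and baseline would come from the SIEM's own statistics rather than constants.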
Network & infrastructure security
Segmentation: Multi-account AWS strategy; VPC segmentation; security groups/NACLs; least-exposed surfaces.
Edge protection: Managed WAF/DDoS protections; rate limiting on sensitive endpoints.
External attack surface: Publicly reachable services are limited to the app and APIs. Continuous monitoring flags unexpected exposures.
Transport security: Enforced HTTPS; HSTS preloaded on production domains.
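Both the "Encryption & key management" and "Transport security" bullets promise HSTS, the latter with preloading. The check below, an added example rather than anything from Xcelerator, validates a response against the HSTS preload-list requirements (max-age of at least one year, includeSubDomains, preload, and plain HTTP redirecting to HTTPS on the same host). The header dictionaries and the hostname are constructed for the example; to use it against a live site, fetch the headers yourself and pass them in.

```python
"""Added example: verify HSTS and HTTP->HTTPS redirect against the preload
requirements. Sample headers and the hostname are constructed, not real."""

ONE_YEAR = 31536000  # minimum max-age (seconds) accepted by the preload list

# Constructed responses as they might be captured from an HTTPS request.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains; preload' into a lowercase dict."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(headers, require_preload=True):
    """Return a list of problems with the HSTS header; empty means it passes."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    else:
        max_age = int(d["max-age"])
        if max_age == 0:
            problems.append("max-age=0 disables HSTS")  # edge case: removes the policy
        elif max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} is below the preload minimum {ONE_YEAR}")
    if require_preload:
        if "includesubdomains" not in d:
            problems.append("includeSubDomains missing (required for preload)")
        if "preload" not in d:
            problems.append("preload directive missing")
    return problems


def check_http_redirect(status, headers, host):
    """Preload also requires that a plain-HTTP request for the host is
    redirected to HTTPS on the same host before any content is served."""
    if status not in (301, 302, 307, 308):
        return [f"plain-HTTP request returned {status}, expected a redirect to HTTPS"]
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    if not location.lower().startswith(f"https://{host.lower()}"):
        return [f"redirect target {location!r} is not https://{host}"]
    return []


if __name__ == "__main__":
    print("good:", check_hsts(GOOD_HEADERS) or "passes")
    print("weak:", check_hsts(WEAK_HEADERS))
    print("redirect:", check_http_redirect(301, {"Location": "https://app.example.com/"},
                                           "app.example.com") or "passes")
```

The weak header fails on three counts (short max-age, no includeSubDomains, no preload), which is the typical state of a site that set HSTS once with a small value and never revisited it. Note that a short max-age is not merely "weaker": once a domain is on the preload list, browsers apply the policy regardless of the header, so the check matters most before submission.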
External testing & bounty
Third-party penetration tests: Full-scope application & cloud pentests at least annually and after major changes. Findings are risk-ranked, triaged, and remediated. Executive summaries available under NDA.
Vulnerability disclosure: If you discover a security issue, email support@xcelerateagency.com with steps to reproduce. We’ll confirm receipt within 2 business days and keep you updated. (If you need to encrypt, request our PGP key.)
Private bounty (invite-only): We invite select researchers after an initial valid report.
Backup, continuity & disaster recovery
Backups: Continuous backups for critical data stores; cross-AZ redundancy; point-in-time recovery where supported.
Testing: Routine restore tests (at least quarterly) to verify integrity and RTO/RPO objectives.
BC/DR plan: Documented procedures for cloud outages, data corruption, and vendor incidents; post-mortems for any material event.
Endpoint & corporate security
Device management: Company endpoints (e.g., Mac) are MDM-enrolled with full-disk encryption, screen-lock, firewall, and enforced auto-updates.
EDR & patching: Endpoint detection/response and a defined patch cadence for OS and critical software.
Password & identity: SSO + enforced MFA; phishing-resistant factors recommended where supported.
Organizational security
Security training: Required for all employees; role-specific secure-coding and data-handling modules for engineers and support.
Access reviews: Quarterly audits of production access and administrative roles.
Background checks: Per local law and role sensitivity.
Policies: Access control, acceptable use, encryption, change management, incident response, vendor risk, vulnerability management, DR/BCP, and secure development—reviewed annually.
Incident response
IR plan: Defined severity levels, runbooks, and communication protocols.
Customer notification: If we determine that your data is affected by a breach of security, we will notify your account contacts without undue delay and provide updates as we investigate and remediate, consistent with legal obligations and our DPA.
Post-incident reviews: Root-cause analysis with corrective actions and timelines.
Content safety (industry-specific)
Xcelerator supports lawful adult creator businesses. To protect people and brands:
Zero tolerance for any content involving minors (under 18), non-consensual acts, exploitation, or trafficking. Suspected material is suspended immediately and may be reported to authorities.
Age/consent verification: Agencies are responsible for verifying age/consent and meeting any record-keeping laws. If you enable ID capture, store it in restricted folders with short retention and limited access.
Confidentiality: Creator identities, stage names, and content remain inside your private workspace with RBAC and audit logs. We do not share them with other customers.
Deep-link attribution: We track event-level clicks for campaign attribution (post → click → subscription). We do not access fans’ OnlyFans account data.
Privacy controls
Role-based access (RBAC): Granular permissions for admins, managers, editors, creators.
Workspace isolation: Each customer’s data is logically isolated.
Creator & Staff Privacy Guide: Plain-English guide on what’s tracked and why.
Cookie & Tracking Policy: Consent banner and preferences center; we honor GPC.
Data subject rights: We assist controllers with access/correction/deletion requests per our DPA.
Enterprise features
SSO & SCIM: SAML/OIDC SSO with major IdPs; optional SCIM for automated provisioning.
Advanced RBAC: Custom roles, approval flows, and “break-glass” accounts with additional logging.
Private integrations: VPC peering/private links (where supported), custom data retention, and regional hosting preferences.
Legal & procurement: Security addenda, DPAs, and vendor forms under NDA.
Shared responsibility
Security is a partnership. We secure the platform; you secure how you use it.
You manage:
Strong passwords/SSO, MFA for all admins
Least-privilege roles and regular access reviews
Lawful content; age/consent verification; recordkeeping
Reasonable retention for sensitive files (e.g., IDs)
Disclosures/consents for deep-links and analytics on your public channels
We manage:
Platform security (infra, app, encryption, monitoring)
Availability, backups, and incident response
Subprocessor vetting and contractual safeguards
Privacy mechanisms (DPA/SCCs, cookie consent, opt-out handling)
Questions, reports, and requests
Security: support@xcelerateagency.com
Privacy & DPA: privacy@xcelerateagency.com
Legal: legal@xcelerateagency.com
We respond to security reports within 2 business days and will keep you updated through remediation.
Last updated
20/09/2025