Security, compliance, and privacy are our number one priority at X2AI. We are HIPAA-compliant and have engineered our architecture to handle sensitive information from the ground up. We work to keep you and your data safe, secure, and private from others.

Security is a process, not a product that is installed once. We continually update our threat profiles, patch our software, and have our servers penetration-tested regularly. Our philosophy is to assume breach; we therefore implement an aggressive defense-in-depth strategy that ranges from effective password hashing to layered countermeasures. It is important to remember that compliance does not imply security, whereas good security is always compliant.

We secure all data in transit via TLS and keep our TLS configuration current. Qualys SSL Labs, an independent TLS server test, has rated our servers A+, and our HTTP security headers have been rated A.
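A header rating is only meaningful if you know what it looks at. As an added illustration, not X2AI's code and not the grading logic of any particular rating service, the following Python check runs the kind of tests such a rating performs against two constructed responses, one weak and one hardened. The header set, the HSTS age threshold and the sample responses are assumptions.

```python
"""Check an HTTP response's security headers against a baseline.

Added example, not X2AI's code. The header set and thresholds are
assumptions modelled on common grader expectations, not the rules of
any specific rating service.
"""
from __future__ import annotations

# Assumed minimum HSTS max-age (seconds): roughly six months.
HSTS_MIN_MAX_AGE = 15_552_000


def _normalise(headers: dict[str, str]) -> dict[str, str]:
    """Header names are case-insensitive; compare on lower-cased keys."""
    return {k.lower(): v for k, v in headers.items()}


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _normalise(headers)
    findings: list[str] = []

    # HSTS: must be present, with a max-age long enough to matter.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = {d.strip().lower() for d in hsts.split(";") if d.strip()}
        max_age = next((d for d in directives if d.startswith("max-age=")), None)
        if max_age is None:
            findings.append("Strict-Transport-Security lacks max-age")
        else:
            try:
                seconds = int(max_age.split("=", 1)[1])
            except ValueError:
                seconds = -1
            if seconds < HSTS_MIN_MAX_AGE:
                findings.append(f"Strict-Transport-Security max-age too short ({seconds})")

    # CSP: present and not trivially permissive.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows unsafe-inline or unsafe-eval")

    # MIME sniffing protection.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking: accept either CSP frame-ancestors or X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in (csp or "") and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    # Referrer leakage to third parties.
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # Information disclosure: version strings in Server / X-Powered-By.
    for name in ("server", "x-powered-by"):
        value = h.get(name, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses a version string: {value!r}")

    return findings


# Constructed sample responses; not captured from any real server.
WEAK_RESPONSE = {
    "Server": "nginx/1.14.0",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

HARDENED_RESPONSE = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {check_security_headers(response) or 'no findings'}")
```

Run it and the weak response produces six findings (short HSTS age, unsafe CSP, no nosniff, no clickjacking protection, no Referrer-Policy, a version string in Server) while the hardened one produces none. Point it at the headers of a real response, captured with your HTTP client of choice, to get the same view a grader would.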

SECURITY PROTOCOL

Below you will find details of our security protocol and adopted standards that have been cleared for public release for the sake of transparency.

X.509 / TLS (SSL IS THE DEPRECATED PREDECESSOR OF TLS)

We secure all data in transit via TLS with X.509 server certificates, and keep our TLS configuration current.

SERVER ACCESS

Qualys SSL Labs, an independent TLS server test, has rated our servers A+.

ADMINISTRATION / CUSTOMIZATION PLATFORM ACCESS

All systems log the date and time of every attempt to access the system, both successful and failed.
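Recording both outcomes is what makes account abuse visible: a burst of failures, or a success right after one, is the pattern of a guessed password. The following is an added example, not X2AI's code, of a review pass over such a log. The record format (one line per attempt: ISO-8601 timestamp, SUCCESS or FAIL, username, source address), the failure threshold, the sliding window and the sample lines are all assumptions.

```python
"""Review an authentication log for brute-force and credential-guessing patterns.

Added example, not X2AI's code. The record format, the failure
threshold and the time window are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed policy: alert at this many failures...
WINDOW = timedelta(minutes=10)  # ...within this sliding window


def parse_line(line: str):
    """Parse 'TIMESTAMP RESULT USER SRC'; return None for a malformed record."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("SUCCESS", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def audit(lines):
    """Return (per-user counts of each outcome, list of alert strings)."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAIL": 0})
    recent_failures = defaultdict(list)  # user -> failure timestamps inside WINDOW
    alerts = []
    window_minutes = int(WINDOW.total_seconds() // 60)

    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            # A record the reviewer cannot parse deserves a look of its own:
            # it may be a broken logger or an attempt to tamper with the log.
            alerts.append(f"unparseable record: {line!r}")
            continue
        ts, result, user, src = record
        counts[user][result] += 1

        # Slide the window forward: drop failures older than WINDOW.
        recent = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if result == "FAIL":
            recent.append(ts)
            recent_failures[user] = recent
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(
                    f"{user}: {len(recent)} failures within {window_minutes} min "
                    f"(latest from {src})"
                )
        else:
            # A success immediately after a burst of failures is the signature
            # of a guessed password; flag it, then reset the window.
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(
                    f"{user}: SUCCESS from {src} after {len(recent)} recent failures"
                )
            recent_failures[user] = []

    return dict(counts), alerts


# Constructed sample log; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 SUCCESS alice 10.0.0.5
2024-03-01T09:01:10 FAIL bob 203.0.113.7
2024-03-01T09:01:12 FAIL bob 203.0.113.7
2024-03-01T09:01:15 FAIL bob 203.0.113.7
2024-03-01T09:01:19 FAIL bob 203.0.113.7
2024-03-01T09:01:23 FAIL bob 203.0.113.7
2024-03-01T09:01:30 SUCCESS bob 203.0.113.7
2024-03-01T10:30:00 FAIL carol 10.0.0.9
2024-03-01T12:30:00 FAIL carol 10.0.0.9
this line is garbage
""".splitlines()

if __name__ == "__main__":
    counts, alerts = audit(SAMPLE_LOG)
    for user, c in counts.items():
        print(f"{user}: {c['SUCCESS']} successful, {c['FAIL']} failed")
    for alert in alerts:
        print("ALERT:", alert)
```

On the sample, bob's five failures inside ten minutes raise one alert and his subsequent success raises a second; carol's two failures are two hours apart and stay below the threshold, and the malformed line is reported rather than silently skipped. Timestamps must carry the same timezone (or none) throughout, or the subtraction in the window check will raise.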

PHYSICAL SECURITY ELEMENTS

Our offices have a security guard at the entrance and require badge access or visitor registration upon entry. Our computers are password protected and can be wiped remotely if needed, for example when lost or stolen.

DATA DELETION

All PHI that is no longer required for the intended and agreed-upon scope is deleted immediately and securely. Printed material is destroyed with a DIN 66399 Security Level P-5 shredder; documents of high sensitivity are incinerated.

FAQ

Below are the answers to common concerns we've heard from patients, psychologists, and lawyers.

ARE YOU HIPAA-COMPLIANT?

Yes, so long as you communicate with us through X2AI's own services: x2.ai, tess.ai, and karim.ai. This does not cover communication through third-party channels such as SMS, Facebook Messenger, and WhatsApp; Signal (by Open Whisper Systems) is the only exception to this rule. Our servers that handle patient health information are dedicated. For more information, please refer to 45 CFR Parts 160, 162, and 164 of the United States Code of Federal Regulations (the HIPAA rules).

DO YOU COMPLY WITH DATA PROTECTION REGULATIONS?

Yes. We are HIPAA-compliant and have engineered our architecture to handle sensitive information from the ground up, meaning that we vastly exceed regulatory specifications in most areas. We encrypt all data with at least 256-bit symmetric or 4096-bit asymmetric keys.

DOES THIS SERVICE COMPLY WITH ESTABLISHED STANDARDS?

Yes. We are HIPAA-compliant and have engineered our architecture to handle sensitive information from the ground up, meaning that we vastly exceed regulatory specifications in most areas.

CAN YOU INTEGRATE WITH OUR EHR OR HR CRM?

Yes.

ARE MY CONVERSATIONS ANONYMOUS?

This is possible if you refrain from saying your name and you use Tess on the web. Other communication channels require identifying information such as a phone number or a Facebook profile.

HOW CAN I TELL IF I AM LEAKING INFORMATION?

Use our Brief Exposure Check, safe in the knowledge that your data will not be collected. Be careful with websites offering similar checks; many harvest your information. Remember that the result is a best-effort estimate and can vary from browser to browser.

RESPONSIBLE DISCLOSURE POLICY

Data security is a top priority for X2AI, and X2AI believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you've found a security vulnerability in X2AI's service, please notify us; we will work with you to resolve the issue promptly.

DISCLOSURE POLICY

- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@x2ai.com. We will acknowledge your email promptly.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or to a third party.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the X2AI service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

EXCLUSIONS

While researching, we’d like you to refrain from:

- Distributed Denial of Service (DDoS) attacks
- Spamming
- Social engineering or phishing of X2AI employees or contractors
- Any attacks against X2AI's physical property or data centers

Thank you for helping to keep X2AI and our users safe!

CHANGES

We may revise these guidelines from time to time. The most current version of the guidelines will be available at www.x2ai.com/security.

DISCIPLINARY ACTION

Employees who violate this policy may face disciplinary consequences in proportion to their violation. X2AI management will determine how serious an employee's offense is and take the appropriate action.

RESPONSIBILITY

It is the responsibility of the X2AI InfoSec team to ensure that this policy is enforced.

X2AI is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@x2ai.com.