
Security & trust

How we run the platform.

We are a CMMC-readiness firm. The bar we hold customers to is the bar we hold ourselves to. Every claim on this page links to the underlying evidence — published, dated, and refreshable.

Subprocessors

Live

Every third party that touches customer data, what they do, and where they operate.

Software Bill of Materials

Live

CycloneDX SBOM for the Consigliere firmware, signed with cosign and verifiable against our published key.

CMMC self-attestation

Live

Quarterly-refreshed self-attestation against CMMC L2 + NIST SP 800-171 rev 3.

Privacy Policy

Live

How we handle data we receive about you and your end users.

Terms of Service

Live

The agreement that governs access to and use of the platform.

Reporting a vulnerability

Email security@xpoose.com with a description of the issue. We acknowledge within one business day and aim to resolve high-severity issues within 30 days. We don’t currently run a paid bounty; we publish a named acknowledgement for valid findings on this page once the fix has shipped.