Security Overview

Data Encryption

All data transmitted between your devices and Xobuya is encrypted using TLS 1.2 or higher (256-bit encryption). Data stored in our databases is encrypted at rest using AES-256, managed by Google Cloud's encryption infrastructure. Encryption keys are managed through Google Cloud KMS and are rotated automatically.

Infrastructure Security

Xobuya runs on Google Cloud Platform (GCP) and Firebase, which maintain the following certifications and compliance standards:

• SOC 1, SOC 2, and SOC 3 reports
• ISO 27001, ISO 27017, and ISO 27018
• PCI DSS Level 1 (for payment-related services)

Our services are deployed across multiple regions (Australia and United States) with automatic failover and load balancing. Google Cloud's infrastructure includes physical security, hardware lifecycle management, and network security that exceed most on-premises deployments.

Authentication & Access Control

• User authentication is handled through Firebase Authentication with secure token management
• Passwords are hashed and salted — we never store plain-text passwords
• Role-based access control: account owners assign team members to predefined roles (Admin, Manager, Sales, Install, Office), each with access scoped to their function
• Session tokens expire automatically and are refreshed securely
• All API endpoints require authenticated requests with validated tokens

Payment Security

Xobuya integrates with Stripe and BPoint for payment processing. Both are PCI DSS Level 1 certified — the highest level of payment security certification. Credit card details are transmitted directly to the payment provider and are never stored on Xobuya's servers. Sensitive payment tokens are managed entirely by the payment provider.

Data Backups & Recovery

• Automated daily backups of all Firestore databases
• Point-in-time recovery capability
• Backup data retained for 60 days
• File storage (Cloud Storage) is replicated across multiple availability zones
• Regular recovery testing to ensure backup integrity

Application Security

• Security headers enforced on all responses (HSTS, X-Content-Type-Options, X-Frame-Options, etc.)
• Input validation and sanitisation across all user-facing endpoints
• Firestore Security Rules enforce data access at the database level
• Cloud Functions run in isolated, stateless containers
• Dependencies are regularly audited for known vulnerabilities

Offline Security

Xobuya's mobile apps support full offline functionality. Data stored locally on devices is encrypted using the platform's native encryption (iOS Data Protection, Android EncryptedSharedPreferences). Offline data syncs securely when connectivity is restored, with conflict resolution handled automatically.

Data Isolation

Xobuya is a multi-tenant platform. Each customer's data is logically isolated at the database level using unique company identifiers. Security Rules enforce strict access boundaries — users can only query and modify data belonging to their own organisation. No customer can access another customer's data.

Incident Response

In the event of a security incident, we follow a structured response process:

• Immediate containment and investigation
• Assessment of scope and impact
• Notification of affected customers within 72 hours (or sooner as required by law)
• Remediation and implementation of preventive measures
• Post-incident review and documentation

Responsible Disclosure

If you discover a security vulnerability in Xobuya, we encourage you to report it responsibly. Please email security@xobuya.io with details of the vulnerability. We will acknowledge your report within 48 hours and work with you to understand and address the issue. We will not take legal action against researchers who report vulnerabilities in good faith.

Questions

For security-related enquiries, contact us at security@xobuya.io.

See also: Privacy Policy · Sub-Processors · Service Level Agreement