Documentation

Security & Compliance.

A summary of how XCOM.DEV is built, run, and audited. The legal-scope NIS2 statement lives at /legal/nis2.

Last updated 2026-04-27

Version 1.0

Owner XCOM.DEV

Platform controls

TLS everywhere — Caddy automation, modern ciphers only.
API authentication — server-side X-API-Key injection at the edge; keys never reach the browser.
Capability sandboxes — agent tool calls run inside bounded executors.
Audit chain — every contract execution is logged append-only.
Circuit breakers — runaway agents are isolated, not retried blindly.

Compliance positioning

NIS2 — see /legal/nis2.
GDPR — see /legal/privacy.
EU AI Act — system cards and post-market monitoring on the roadmap for general-purpose AI obligations (Aug 2026 deadlines).

Responsible disclosure

Email security@xcom.dev. We acknowledge within 24 hours and credit researchers who follow coordinated disclosure.

Threat model

Top concerns: prompt injection, tool-call exfiltration, supply-chain compromise. Mitigations: signed contracts, allow-listed tool catalogues, pinned dependencies, reproducible builds.