Security, compliance, and privacy are the number one priority at X2AI. Naturally, we are HIPAA-compliant, and have engineered our architecture to handle sensitive information from the ground up, meaning that we vastly exceed regulatory specifications in most areas. We ensure that you are kept completely safe, secure, and invisible to others.
Security is an evolution, and not just something that is installed. We constantly update our threat profiles, patch our software, and regularly penetration-test our servers. Our philosophy is to assume a breach; thus we implement an aggressive defense-in-depth security strategy that includes everything from effective password hashing to complex countermeasures. It is important to remember that compliance does not imply security; good security is always compliant.
We secure all data in transit via TLS, and use the latest technology to ensure data security. The independent SSL audit authority Qualys has rated our servers A+, and our HTTP (security) headers have been rated A. We also allow patients to access our AI via Tor, allowing effective cloaking of IP address and DNS information. We encrypt all data with at least 256-bit asymmetric or 4096-bit symmetric keys, and back up data around the planet. Scroll down for more details.
Below you will find details of our security protocol and adopted standards that have been cleared for public release for the sake of transparency.
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES
Our X.509 certificates are transparent and issued by DigiCert, Inc. They are Extended Validation, meaning that X2AI has been thoroughly verified by DigiCert prior to issuance. As a result, all X2AI Inc. official websites have a green address bar, similar to the following:
SHA-256 for hashing, 4096-bit RSA keys, and have implemented HTTP Public Key Pinning (HPKP) to combat certificate fraud and some MITM attacks. For more information, you can refer to a Qualys SSL audit, a summary of our current HTTP headers, and a check for the absence of malware.
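The cipher preference string published above can be checked locally before it is deployed. The Python script below is an added example and is not X2AI's own tooling: it expands the string with the standard ssl module against the local OpenSSL build, lists the resulting suites in server preference order, and flags any suite that lacks an ephemeral (forward-secret) key exchange or that uses 3DES, RC4, NULL, export or MD5 constructions. The "hardened" variant that drops the trailing RSA+3DES fallback is an assumption made for comparison only and is not a statement of X2AI's configuration.

```python
import ssl

# The cipher preference string published on this page, in OpenSSL cipher-list syntax.
PAGE_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:"
    "EECDH+ECDSA+AES:EECDH+aRSA+AES:EDH+aRSA+AES:RSA+3DES"
)

# Assumed hardened variant for comparison: the same list without the RSA+3DES fallback.
HARDENED_CIPHER_STRING = PAGE_CIPHER_STRING.replace(":RSA+3DES", "")

# Substrings that identify suites a modern TLS policy should not offer.
WEAK_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2 (and older) suite names it
    enables on this machine's OpenSSL build, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately by OpenSSL and always appear in
    # get_ciphers(); they are not governed by this string, so skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Return the enabled suites plus two findings lists: suites matching a weak
    marker, and suites without an ephemeral (forward-secret) key exchange."""
    suites = expand_cipher_string(cipher_string)
    weak = [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]
    no_pfs = [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))]
    return {"suites": suites, "weak": weak, "no_pfs": no_pfs}


if __name__ == "__main__":
    for label, cs in (("page", PAGE_CIPHER_STRING), ("hardened", HARDENED_CIPHER_STRING)):
        report = audit_cipher_string(cs)
        print(f"[{label}] {len(report['suites'])} suites; first: {report['suites'][0]}")
        print(f"  weak:   {report['weak'] or 'none'}")
        print(f"  no PFS: {report['no_pfs'] or 'none'}")
```

Whether the RSA+3DES entry actually yields any suite depends on the OpenSSL build and security level on the host running the script; the audit reports whatever the local library would negotiate, which is exactly what a pre-deployment check should look at.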
nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro" x2.ai
However, you are unlikely to discover much. You could try evasion techniques, or using p0f, or even the following, given that you can locate, install and update vulscan to use the latest CVE data:
nmap -PN -sS -sV --script=vulscan -p443 x2.ai
Again, you are unlikely to discover much, and you are very likely to be blacklisted by our servers.
bcrypt (using a high cost value), and not SHA-1, and also not
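The contrast drawn above, a slow salted hash with a tunable cost versus a fast unsalted digest such as SHA-1, is shown in the added Python example below. It is not X2AI's code. bcrypt is not in Python's standard library, so the example uses hashlib.scrypt as a stand-in; the properties demonstrated (a fresh random salt per record, a cost parameter stored alongside the hash so it can be raised later, and constant-time comparison on verify) are the same ones a bcrypt deployment relies on. The record format and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

# Work-factor parameters for scrypt, a memory-hard password hash. bcrypt (which this
# page uses) is not in Python's standard library, so scrypt stands in here; the
# properties being shown are the same: per-user salt, tunable cost, slow by design.
SCRYPT_N = 2 ** 14   # CPU/memory cost; raise as hardware gets faster
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16


def legacy_sha1(password):
    """What NOT to do: unsalted, fast, deterministic. Identical passwords produce
    identical digests, and commodity hardware tests billions of guesses per second."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex' (constructed
    format). Storing the parameters with the hash lets the cost be raised later
    without invalidating older records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the parameters stored in the record and compare in
    constant time, so a mismatch does not leak how many leading bytes matched."""
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record, n=SCRYPT_N):
    """True when a stored record was made with a lower cost than current policy;
    rehash it on the user's next successful login."""
    return int(record.split("$")[1]) < n


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("sha1 identical across runs:", legacy_sha1(pw) == legacy_sha1(pw))
    rec = hash_password(pw)
    print("scrypt record:", rec)
    print("verify ok:", verify_password(pw, rec), "| wrong password:", verify_password("guess", rec))
```

The needs_rehash check is what makes "using a high cost value" sustainable: cost is a policy that moves over time, and records carrying their own parameters can be upgraded transparently as users log in.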
US DoD 5220.22-M) we use a combination of scrub, and encrypt-and-forget methods, depending on the use case. In any case,
Below are the answers to common concerns we've heard from patients, psychologists, and lawyers.