Security

How X2AI Protects You and your Data

Security, compliance, and privacy are the number one priority at X2AI. Naturally, we are HIPAA-compliant, and we have engineered our architecture from the ground up to handle sensitive information, meaning that we vastly exceed regulatory specifications in most areas. We ensure that you are kept completely safe, secure, and invisible to others.

Security is an evolution, not just something that is installed. We constantly update our threat profiles, patch our software, and regularly penetration-test our servers. Our philosophy is to assume a breach; thus we implement an aggressive defense-in-depth security strategy that includes everything from effective password hashing to complex countermeasures. It is important to remember that compliance does not imply security, whereas good security is always compliant.

We secure all data in transit via TLS, and use the latest technology to ensure data security. The independent SSL audit authority Qualys has rated our servers A+, and our HTTP security headers have been rated A. We also allow patients to access our AI via Tor, which effectively cloaks IP address and DNS information. We encrypt all data with at least 256-bit asymmetric or 4096-bit symmetric keys, and back up around the planet. Scroll down for more details.

  • Highly restricted server access
    User Access Policy
    We combine multiple firewalls and techniques with a strict "need to know" access policy
  • Latest security and standards
    Constant updating
    We use the latest configurations and regularly penetration-test our servers
  • Aggressive Password Policy
    Enforcing local security
    All employees are required to regularly change credentials, including SSH keys
  • Verbose logging and monitoring
    Transparent audit trail
    Our systems keep a record of all events that occur for use in defense and audit trails
  • Secure data I/O and deletion
    Latest encryption tools
    We encrypt all transport and force secure wiping of files where necessary
  • Regular redundant encrypted backups
    Secure and safe backups
    We perform sub-hourly, geographically-redundant, symmetric-key encrypted backups
  • Heightened physical security protocols
    Team and device security
    We work in a secured environment and all employees are security cleared
  • Emergency Protocols with continuation
    AI self-continuance
    On command, our AI have the ability to emergency lock-down and clean-regenerate

Security protocol

Below you will find details of our security protocol and adopted standards that have been cleared for public release for the sake of transparency.

We secure all Internet traffic using TLS and X.509 certificates, and enforce this through HTTP Strict Transport Security (HSTS) in combination with a variety of other techniques. We make sure that we are always using the most recent standards, so that we are immune to attacks such as BEAST, Heartbleed, and CVE-2016-2107. Currently, we use the following cipher suite:
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES
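To see what that cipher string actually admits, the following added example (not X2AI's code or configuration tooling) expands it the way the OpenSSL ciphers(1) keyword grammar does and flags the entries a reviewer would question: static key exchange without forward secrecy, non-AEAD modes, and 64-bit block ciphers. The keyword tables are taken from the OpenSSL manual; the only input is the list quoted above, and the parser also accepts the colon-separated spelling OpenSSL normally uses.

```python
"""Expand an OpenSSL cipher-string and flag entries worth a second look.
Added example; not X2AI's configuration or tooling."""
import re

# The cipher list quoted above. OpenSSL accepts ':' as well as spaces or
# commas between cipher strings, so both spellings expand identically.
CIPHER_LIST = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM "
               "EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES")

# Keyword meanings from the OpenSSL ciphers(1) manual.
EPHEMERAL_KX = {"EECDH", "ECDHE", "EDH", "DHE"}   # ephemeral DH: forward secrecy
STATIC_KX = {"RSA", "kRSA", "ECDH", "DH"}         # static key exchange: none
ALL_KX = EPHEMERAL_KX | STATIC_KX
AUTH = {"ECDSA": "ECDSA", "aECDSA": "ECDSA", "aRSA": "RSA", "RSA": "RSA"}
# cipher keyword -> (mode, AEAD?, block size in bits; None for stream ciphers)
CIPHERS = {"AESGCM": ("AES-GCM", True, 128), "AES": ("AES-CBC", False, 128),
           "CHACHA20": ("ChaCha20-Poly1305", True, None),
           "3DES": ("3DES-CBC", False, 64)}


def parse_cipher_string(cipher_list):
    """Return one dict per cipher string with its properties and findings."""
    entries = []
    for element in re.split(r"[\s:,]+", cipher_list.strip()):
        if not element:
            continue
        parts = element.split("+")
        # "RSA" on its own means both RSA key exchange and RSA authentication
        kx = next((p for p in parts if p in ALL_KX), None)
        auth = next((AUTH[p] for p in parts if p in AUTH), None)
        cipher = next((p for p in parts if p in CIPHERS), None)
        if kx is None or cipher is None:
            raise ValueError(f"unrecognised cipher string: {element}")
        mode, aead, block_bits = CIPHERS[cipher]
        findings = []
        if kx not in EPHEMERAL_KX:
            findings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
        if not aead:
            findings.append(f"{mode} is not an AEAD mode")
        if block_bits == 64:
            findings.append("64-bit block cipher (SWEET32): collisions likely after ~32 GB on one connection")
        entries.append({"spec": element, "kx": kx, "auth": auth, "cipher": mode,
                        "forward_secrecy": kx in EPHEMERAL_KX, "aead": aead,
                        "block_bits": block_bits, "findings": findings})
    return entries


def entries_needing_review(cipher_list):
    """Just the cipher strings that carry at least one finding."""
    return [e["spec"] for e in parse_cipher_string(cipher_list) if e["findings"]]


if __name__ == "__main__":
    for e in parse_cipher_string(CIPHER_LIST):
        print(e["spec"], "OK" if not e["findings"] else "; ".join(e["findings"]))
```

Run against the list above, the three GCM entries come back clean, the three CBC entries are flagged as non-AEAD, and RSA+3DES collects all three findings; the review question for the operator is whether the last entry is still needed for any client.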
Our X.509 certificates are transparent and issued by DigiCert, Inc. They are Extended Validation certificates, meaning that X2AI has been thoroughly verified by DigiCert prior to issuance. As a result, all X2AI Inc. official websites have a green address bar, similar to the following:
We use SHA-256 for hashing and 4096-bit RSA keys, and we have implemented HTTP Public Key Pinning (HPKP) to combat certificate fraud and some MITM attacks. For more information, you can refer to a Qualys SSL audit and a summary of our current HTTP headers, and check for the absence of malware.
Direct access to our servers is strictly prohibited unless you are an employee of X2AI Inc. who has been granted authorization, or you are a client who wants to send us data directly (see "Can I connect to one of your servers"). Authorization is granted on a need-to-know, time-limited basis, and access is restricted to air-gapped machines physically located in X2AI's offices. These machines are heavily logged and have no access to the Internet or to USB storage.
As part of our defense-in-depth strategy, we use multiple firewalls, including a WAF. Whilst, for obvious reasons, further details are not available, you could try to detect which WAF we use:
nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro" x2.ai
However, you are unlikely to discover much. You could try evasion techniques, or using p0f, or even the following, given that you can locate, install and update vulscan to use the latest CVE data:
nmap -PN -sS -sV --script=vulscan -p443 x2.ai
Again, you are unlikely to discover much, and you are very likely to be blacklisted by our servers.

We regularly pentest our servers using a variety of attack vectors and payloads. For basic attacks, we use Detectify, who currently give our servers a CVSS score of 0.0.
All passwords must satisfy the following conditions:

  • At least 20 characters in length
  • Contain at least one non-alphanumeric character
  • Contain at least one capitalized alpha character
  • Contain at least one numeric character
  • Must not contain the agent's name, username, or date of birth in any form
  • Must not have been used previously
  • Must withstand a simple brute-force dictionary attack
Passwords are never written down, stored, or disclosed to anyone. All passwords (including SSH keys) must be changed each month, after a potential security breach, or after significant handling of ePHI at the request of the Security Officer, whichever comes sooner. We are beginning to trial functional passwords, coupled with two-factor authentication, for all handling of ePHI.
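A validator implementing the conditions listed above, added here as an illustration and not X2AI's own tooling. The wordlist, the substitution table used to undo common letter-for-digit swaps, and the sample agent identity are constructed for the demonstration; the reuse check is left as a callable because a real deployment would compare against the salted slow hashes it already stores rather than against plaintext.

```python
"""Check a candidate password against the policy above. Added example;
the wordlist, substitution table and sample identity are constructed."""
import re
from datetime import date

MIN_LENGTH = 20

# Constructed mini wordlist standing in for a real dictionary-attack list.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Substitutions a simple dictionary attacker undoes before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample agent; the history set stands in for stored hashes.
HISTORY = {"Old-Password-Still-Good-42!"}
SAMPLE_AGENT = dict(full_name="Alice Smith", username="asmith",
                    dob=date(1980, 5, 17),
                    already_used=lambda pw: pw in HISTORY)


def dob_forms(dob):
    """Every digit spelling of a date of birth we refuse inside a password."""
    fmts = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%m%d%y", "%Y")
    return {dob.strftime(f) for f in fmts}


def validate_password(password, *, full_name, username, dob, already_used):
    """Return the list of violated conditions; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"\d", password):
        problems.append("no digit")

    lowered = password.lower()
    # Name and username are matched case-insensitively as substrings; the
    # date of birth is matched against the password's digits with any
    # separators removed, so 17/05/1980 and 17051980 are both caught.
    personal = {username.lower()} | {
        part for part in full_name.lower().split() if len(part) >= 3}
    if any(p in lowered for p in personal):
        problems.append("contains name or username")
    digits_only = re.sub(r"\D", "", password)
    if any(form in digits_only for form in dob_forms(dob)):
        problems.append("contains date of birth")

    if already_used(password):
        problems.append("used previously")

    # Simple dictionary attack: drop separators and digits, optionally undo
    # common substitutions, and compare the alphabetic core to the wordlist.
    for candidate in (lowered, lowered.translate(LEET)):
        core = re.sub(r"[^a-z]", "", candidate)
        if core in WORDLIST:
            problems.append("defeated by a simple dictionary attack")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Purple-Teapot-Orbits-9-Moons!", "asmith17051980Password!"):
        print(pw, "->", validate_password(pw, **SAMPLE_AGENT) or "accepted")
```

The reuse and dictionary checks are the two that need real data behind them: a production system would pass a callable that consults the stored password history and would load a full breach wordlist in place of the six-word sample.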

Patient-generated passwords are hashed using bcrypt with a high cost factor, not MD5 or SHA-1, and not SHA-2 or PBKDF2 either.
Our offices are air-gapped; removable media is forbidden, and all notes, documents, and all derived content, in whatever form, must remain within the office. Authorized electronic devices must be vetted prior to arrival. Employee access to X2AI offices requires personal identification by security staff (24/7) and the presence of an authorized employee holding a non-duplicable electronic access key.
All PHI that is no longer required for the intended and agreed-upon scope is deleted immediately and securely (i.e. not by conventional means). For secure deletion of printed data, we enforce the use of a Security Level P-5 shredder, although highly sensitive documents are incinerated. For secure data deletion (i.e. at least US DoD 5220.22-M), we use a combination of shred, scrub, and encrypt-and-forget methods, depending on the use case. In any case, rm is disabled.
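An overwrite-then-unlink routine in the spirit of shred, added as an illustration rather than X2AI's tooling; the file it wipes is a constructed temporary file. It also carries the caveat that decides between the methods named above: overwriting in place only reaches the original blocks on media and filesystems that rewrite in place (not SSDs with wear levelling, not copy-on-write or snapshotting filesystems), which is why encrypt-and-forget (destroying the key) is the reliable option there.

```python
"""Overwrite a file several times, then rename and unlink it.
Added example, not X2AI's deletion tooling."""
import os
import secrets
import tempfile


def wipe_file(path, passes=3, chunk=1 << 16):
    """Overwrite `path` with random data `passes` times and then with zeros,
    fsync after each pass, rename it to a random name so the original
    filename leaves directory metadata, and unlink it. Returns bytes written.

    Caveat: only meaningful where an in-place overwrite hits the original
    blocks (spinning disks, plain in-place filesystems). On SSDs, copy-on-
    write or snapshotting filesystems the old data may survive; destroy the
    encryption key instead (encrypt-and-forget).
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for p in range(passes + 1):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                data = bytes(n) if p == passes else secrets.token_bytes(n)
                f.write(data)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return written


def demo_wipe(passes=2):
    """Create a constructed sample file in a temp directory, wipe it, and
    return (bytes written, whether the file still exists)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "phi-export.txt")
    with open(path, "wb") as f:
        f.write(b"constructed sample ePHI " * 40)  # 24 bytes x 40 = 960 bytes
    written = wipe_file(path, passes=passes)
    return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo_wipe())
```

The final zero pass leaves the file indistinguishable from an empty allocation rather than a block of high-entropy data, and the rename before unlink is what shred's -u option does for the same reason.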
Email is one of the most abused protocols on the Internet. We use a variety of methods to provide greater identity assurance for email from X2AI and to mitigate any fraudulent email. For transparency, you can confirm that our IP is not blacklisted using Robtex and Spamhaus, and you can verify our SPF records and DMARC records.
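The checks a reader would apply to those SPF and DMARC records, as an added example that is not X2AI's code. The two records are constructed with RFC 5737 documentation addresses and example.com names, not X2AI's real DNS data; the lookup limit and tag names come from RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Sanity-check published SPF and DMARC TXT records.
Added example; the records are constructed, not X2AI's DNS data."""

SPF_RECORD = "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return findings for an SPF record; empty means nothing to flag."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    final = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            final = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10")
    if final is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral")
    elif final == "+":
        findings.append("'+all' authorises any sender to spoof the domain")
    elif final == "~":
        findings.append("'~all' is softfail; '-all' gives receivers a hard fail")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record; empty means nothing to flag."""
    findings = []
    tags = parse_dmarc(record)
    if not record.strip().startswith("v=") or tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid p= policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy in {"quarantine", "reject"} and pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_RECORD) or "OK")
    print("DMARC:", check_dmarc(DMARC_RECORD) or "OK")
```

The records are given inline so the checks run offline; in practice the input is the TXT record fetched for the domain and for _dmarc.<domain> respectively, and the findings are what a receiver's policy engine will act on.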

FAQ

Below are the answers to common concerns we've heard from patients, psychologists, and lawyers.

Yes, so long as you are on X2AI's network. This includes x2.ai, tess.ai, and karim.ai, but does not cover any communication through third-party channels, such as SMS, Facebook Messenger, and WhatsApp (Signal by Open Whisper Systems is the only exception to this rule). Our servers that handle patient health information are dedicated. For more information, please refer to part 160, part 162, and part 164 of the United States Code of Federal Regulations.
Yes. In the EU, we comply with Directive 95/46/EC (official link not secure) and Regulation (EU) 2016/679 (official link not secure), and in the UK we comply with the UK Data Protection Act 1998 (official link not secure).
Yes. Our deliberately-simple API ensures that integrating Tess into any existing platform is a very easy and quick process.
Yes. We do not store real names, or exact birth dates in our databases (even in an encrypted form). If you are accessing our services via self-sign-up, then you are able to enter an anonymous identifier. For extra anonymity, you are able to access our services via the Tor network, which effectively cloaks your IP address and (if configured correctly) your DNS information.
Yes. We have private networks in both the US and in the EU, and we restrict data transfer between our servers if they are in different regions.
Yes, if you are able to comply with our security protocol. Assuming that you are authorized to do so, for example, for transfer of ePHI, this means at least being able to execute the correct procedure to initiate a connection to our servers, authenticating using public-key cryptography (providing your own public key, which must be at least 4096-bit), being able to verify received data, being able to decrypt data, and being able to execute all transactions within a predetermined time window. We are able to provide extensive help to make this process extremely easy for you.
Use our Brief Exposure Check, safe in the knowledge that your data will not be collected. Be careful with websites offering similar checks, many harvest your information. Remember, this data is a best guess, and can vary from browser to browser.
The current Security Officer of X2AI Inc. is Eugene Bann (e@x2.ai).