Security & Data Handling Principles
Last updated: February 9, 2026
1. Security Philosophy
At Exelor, we believe security should be simple, transparent, and practical — not a marketing buzzword. The EAAF platform is built for small and medium businesses that need reliable automation without enterprise complexity. Our security approach reflects this:
- No hidden risks: We clearly explain what we protect, how we protect it, and where responsibilities lie.
- Shared responsibility: Exelor secures the platform; you secure your account and integrations. We provide tools and guidance to make this easy.
- Practical over perfect: We implement proven, cost-effective controls rather than chasing certifications we cannot yet maintain.
- Transparency first: If a security incident occurs, we will notify affected customers within 24 hours — no hiding, no delays.
This document describes our actual security practices. It is not a sales pitch. For contractual obligations, please refer to our Terms of Service.
2. Data Protection
Encryption in Transit
All data moving between your device and the EAAF platform is protected with TLS 1.3 (or TLS 1.2 as fallback). This includes:
- Web browser sessions (HTTPS)
- Mobile app connections
- API calls from your systems to EAAF
- Email notifications and webhooks
We use certificates from trusted providers (Let’s Encrypt / DigiCert) with automatic renewal. Certificate pinning is implemented in our mobile apps.
Encryption at Rest
All customer data stored on our servers is encrypted using AES-256:
- Database records (user accounts, process definitions, integration configs)
- Uploaded files (BPMN diagrams, SOP documents, images)
- Backup snapshots
Encryption keys are managed by our cloud providers (AWS KMS / Google Cloud KMS). We do not store unencrypted customer data on any disk or backup medium.
What We Do Not Encrypt (and Why)
- Searchable text fields (e.g., process names, descriptions) are encrypted at rest but temporarily decrypted in memory during search operations. This is required for platform functionality. We never log or store these decrypted values outside of active memory.
- Metadata for analytics (e.g., process execution timestamps) is stored in minimally identifiable form to enable performance reporting. This data cannot be linked to specific individuals without additional context stored separately.
3. Authentication & Access Control
Multi-Factor Authentication (MFA)
MFA is available for all user accounts and required for administrators. Supported methods:
- Time-based one-time passwords (TOTP) via Google Authenticator, Authy, or Microsoft Authenticator
- Security keys supporting FIDO2/WebAuthn (YubiKey, SoloKey)
- SMS codes (available but not recommended for high-security environments)
You can enforce MFA for all users in your organization via the Admin Console.
Single Sign-On (SSO)
Enterprise customers can connect EAAF to their existing identity provider:
- SAML 2.0 (Okta, Azure AD, OneLogin, Ping Identity)
- OpenID Connect (Google Workspace, GitHub)
SSO setup includes Just-in-Time (JIT) provisioning — users are created automatically on first login.
Role-Based Access Control (RBAC)
We provide granular permissions to ensure users access only what they need:
| Role | What You Can Do |
|---|---|
| Administrator | Full access to all platform features; create and delete user accounts; assign roles to other users; manage billing and subscriptions; configure security settings (MFA, SSO) |
| Process Owner | Full control over assigned processes; edit BPMN diagrams and SOPs; view analytics for owned processes; invite collaborators to specific processes; approve/reject process changes |
| Manager | Edit process definitions and documentation; create new versions of workflows; run test executions of automations; cannot delete processes or change ownership |
| Viewer | Read-only access to processes; view analytics dashboards; export reports (PDF, CSV); cannot make any changes |
All access decisions follow the principle of least privilege. Admins can review active sessions and revoke access instantly from the Security Dashboard.
4. Hosting & Data Location
Where Your Data Lives
EAAF runs on infrastructure provided by Amazon Web Services (AWS) and Google Cloud Platform (GCP). By default, your data is stored in one of these regions based on your signup location:
| Region Selection | Physical Location | Cloud Provider |
|---|---|---|
| European Union (EU) | Plovdiv, Bulgaria | AWS eu-central-1 |
| European Union (EU) | Bulgaria | Google Cloud europe-west1 |
| United States (US) | Atlanta, USA | AWS us-east-1 |
Data Isolation
Your data is logically separated from other customers:
- Each organization has a unique database schema
- API keys and authentication tokens are scoped to your organization only
- Network traffic between organizations is isolated at the virtual network level
- We conduct regular tests to ensure no cross-tenant data leakage is possible
On-Premise Option
For organizations with strict data sovereignty requirements (government, healthcare, finance), we offer a self-hosted version of EAAF that runs entirely within your infrastructure. Contact [email protected] for details.
5. Backup & Recovery
We maintain multiple layers of data protection:
| Backup Type | Frequency | Retention | Purpose |
|---|---|---|---|
| Database snapshots | Every 4 hours | 7 days | Point-in-time recovery |
| File version history | On every save | 30 days | Restore previous document versions |
| Configuration backup | Daily | 90 days | Rebuild platform after infrastructure failure |
| Log archives | Continuous | 12 months | Security investigations and compliance audits |
Recovery Objectives
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | Less than 4 hours |
| Recovery Time Objective (RTO) | Less than 4 hours |
| Maximum Tolerable Downtime | 24 hours |
In the event of a regional cloud outage, we can restore service in an alternate region within 4 hours using our cross-region backup strategy.
6. Monitoring & Threat Detection
What We Monitor
Our systems continuously watch for suspicious activity:
- Failed login attempts (brute force detection)
- Unusual geographic access patterns (e.g., login from new country)
- API abuse (excessive request rates)
- Integration anomalies (e.g., workflow executing at 3 AM when normally idle)
- Data export attempts exceeding normal volume
How We Respond
When our systems detect potential threats:
- Suspicious sessions are automatically logged out
- Affected users receive an email alert within 5 minutes
- Our security team investigates within 30 minutes during business hours
- For critical threats (e.g., credential theft), we may temporarily suspend affected accounts until identity is verified
Audit Logs You Can Access
Every action in EAAF is logged. As an administrator, you can view:
- User login history (time, IP address, device)
- Process modifications (who changed what and when)
- Integration executions (which workflow ran, inputs/outputs)
- Data exports (who exported what and when)
- Role changes and permission updates
Logs are retained for 12 months and can be exported as CSV for your own audits.
7. Compliance Status
We are committed to responsible data handling, but we are transparent about our current certification status:
| Compliance Area | Status | Notes |
|---|---|---|
| GDPR | Fully compliant (EU General Data Protection Regulation) | We act as a data processor under Article 28; Data Processing Addendum available upon request |
| CCPA/CPRA | Compliant for California residents | We honor “Do Not Sell” and deletion requests |
| PCI DSS | Not applicable | We do not store or process raw payment card data — all billing is handled by Stripe and PayPal (both PCI DSS Level 1 compliant) |
| ISO 27001 | Not certified | We follow ISO 27001 controls as a best practice framework, but have not undergone formal certification |
| SOC 2 | Not certified | Planned for 2027 as we scale; currently using SOC 2 criteria for internal audits |
| EU-U.S. Data Privacy Framework | Not applicable | We offer EU data residency by default; no need for cross-border transfer mechanisms |
We provide a Data Processing Addendum (DPA) to all customers upon request, which formalizes our GDPR obligations as a data processor.
8. Incident Response
Our Process When an Incident Occurs
- Detection — via monitoring tools, user reports, or third-party alerts
- Containment — isolate affected systems within 15 minutes
- Assessment — determine scope and impact within 2 hours
- Notification — inform affected customers within 24 hours
- Remediation — fix root cause and restore service
- Review — document lessons learned and update controls within 7 days
What You Will Receive in a Notification
If your organization is affected by a security incident, we will send an email to your account administrators containing:
- Date and time of detection
- Type of incident (e.g., “unauthorized access attempt”, “data exposure”)
- Systems and data affected
- Actions we have taken to contain it
- Actions you should take (e.g., “reset passwords”, “review integration logs”)
- Contact person for follow-up questions
Reporting Vulnerabilities
Found a security issue in EAAF? We appreciate responsible disclosure:
📧 Email: [email protected]
⏱ Response time: We acknowledge all reports within 48 hours
🛡 Safe harbor: We will not take legal action against researchers who:
- Report vulnerabilities privately first
- Do not exploit vulnerabilities beyond proof-of-concept
- Do not disclose details publicly before we fix the issue
9. Third-Party Services
We rely on trusted providers to deliver core platform capabilities. All partners sign data processing agreements and undergo security reviews before integration.
| Category | Provider(s) | Purpose |
|---|---|---|
| Cloud Hosting | AWS, Google Cloud | Infrastructure, servers, storage and networking |
| Database | PostgreSQL (managed) | Structured data storage for processes and users |
| File Storage | AWS S3, Google Cloud Storage | Documents, BPMN diagrams, SOP files and media |
| Payment Processing | Stripe, PayPal | Secure subscription billing (we never store card numbers) |
| Email Delivery | SendGrid, Amazon SES | Transactional emails and notifications |
| Analytics | Mixpanel, Google Analytics | Platform usage insights and product improvement |
| Customer Support | Intercom, Zendesk | Help desk and live chat |
| Integration Engine | n8n (self-hosted) | Workflow automation and system integrations |
We do not sell, rent, or share your business process data with any third party for advertising or marketing purposes. Third parties only access data necessary to deliver the specific service they provide (e.g., SendGrid only sees email addresses and message content needed for delivery).
A complete list of subprocessors is available upon request to enterprise customers.
10. Our Data Handling Principles
Data Minimization
| Category | We Collect | We Do NOT Collect |
|---|---|---|
| Identity Data | Name, email, job title; company name; phone number (optional) | Biometric data; government ID numbers; social security numbers |
| Process Data | BPMN diagrams; SOP documents; workflow configurations; integration settings | — |
| Integration Data | API keys (encrypted); webhook URLs; connection metadata | Full database exports; passwords to your systems; raw authentication tokens |
| Usage Data | Login timestamps; pages visited; actions performed; error reports | Keystroke logging; screenshots; content of private messages |
| Personal Data | Contact details of users you provide | Health information; religious beliefs; political opinions; sexual orientation; criminal records |
| Financial Data | Billing address; invoice history | Credit card numbers (processed by Stripe/PayPal); bank account passwords |
Data Retention
| Data Type | Retention Period | What Happens After |
|---|---|---|
| Active accounts | While subscription is active | Data remains fully accessible |
| Closed accounts | 3 years | Data archived, available on request for legal/compliance |
| Deletion requests | 30 days | Permanent deletion from all systems and backups |
| Security logs | 12 months | Kept for audit and incident investigation |
| Backup snapshots | 7 days | Point-in-time recovery available |
| File version history | 30 days | Previous versions of documents and process diagrams |
When you request account deletion:
- We anonymize personal data (user names replaced with “Deleted User”, emails removed)
- We delete process configurations, integration secrets, and API keys
- We retain only aggregated, non-identifiable usage statistics required by law
Data Portability
You own your data. At any time, you can export:
- BPMN diagrams as XML files (standard BPMN 2.0 format)
- SOP documents as PDF or Markdown
- Process metrics as CSV or JSON
- Full account data via our API (requires admin privileges)
Export tools are available in the Settings → Data Export section of the platform.
11. Security Recommendations for Your Organization
To get the most secure experience from EAAF, we recommend:
| Priority | Area | Action Item |
|---|---|---|
| CRITICAL | Account Security | Enable Multi-Factor Authentication (MFA) for all users, especially admins |
| HIGH | Account Security | Use strong passwords (12+ characters, mix of letters, numbers, symbols) |
| HIGH | Account Security | Remove access for former employees immediately after departure |
| HIGH | Integration Security | Use API keys with minimal permissions (never use admin-level keys for bots) |
| HIGH | Process Security | Apply Role-Based Access Control (RBAC) to sensitive processes (finance, HR) |
| MEDIUM | Account Security | Review user access list quarterly and remove inactive accounts |
| MEDIUM | Integration Security | Rotate API keys and secrets every 90 days |
| MEDIUM | Process Security | Classify processes by sensitivity: Public / Internal / Confidential |
| MEDIUM | Process Security | Enable version history for all critical processes to track changes |
| LOW | Training | Train employees to recognize phishing emails that impersonate EAAF |
This document describes our current security practices as of February 9, 2026. We update it quarterly as our platform evolves. It is provided for informational purposes and does not constitute a legally binding commitment beyond the terms in your Service Agreement with Exelor.