XDC Gateway Trust Center
We take security seriously. This Trust Center provides transparent access to our security practices, compliance status, infrastructure design, and audit reports — everything you need to confidently build on XDC Gateway.
Security Overview
Our defense-in-depth strategy combines encryption, access controls, monitoring, and continuous testing to protect your data and infrastructure.
Data Encryption
Status: Active. All data in transit is encrypted with TLS 1.3. Data at rest uses AES-256 encryption across all storage tiers, including database backups.
Access Management
Status: Active. Role-based access control (RBAC) with MFA enforced for all admin accounts. API keys are hashed using SHA-256 before storage.
Audit Logging
Status: Active. Comprehensive audit trails for all administrative actions, API access, and configuration changes. Logs are retained for 365 days.
Intrusion Detection
Status: Active. Real-time anomaly detection via Fail2Ban and custom rate-limiting rules. Automated IP blocking on suspicious patterns.
Vulnerability Management
Status: Active. Weekly automated dependency scans via npm audit and Dependabot. Critical patches are applied within 24 hours of disclosure.
Network Segmentation
Status: Active. Private VPC with strict inbound/outbound firewall rules. Database and internal services are isolated from the public internet.
DDoS Mitigation
Status: Active. Cloudflare-backed DDoS protection with automatic traffic scrubbing. Rate limiting is enforced at both the edge and application layers.
Security Testing
Status: In Progress. Annual third-party penetration tests. Internal red-team exercises quarterly. Bug bounty program in planning.
Responsible Disclosure Policy
If you discover a security vulnerability, please report it to security@xdcrpc.com. We commit to acknowledging reports within 48 hours and providing regular updates. We do not pursue legal action against researchers acting in good faith.
Compliance Status
We continuously work toward industry-standard certifications and compliance frameworks. Download available reports and assessments below.
ISO/IEC 27001
Information Security Management System
Gap assessment completed March 2026. Formal certification audit scheduled Q3 2026. 78% of controls implemented.
SOC 2 Type II
Trust Services Criteria
SOC 2 readiness assessment underway. Targeting Type I audit Q2 2026 and Type II completion Q4 2026.
GDPR
General Data Protection Regulation
Data Processing Agreements available for enterprise customers. No PII stored outside EU-compliant infrastructure. Privacy policy updated Jan 2026.
Penetration Testing
Third-Party Security Assessment
Full-scope penetration test completed by an independent security firm. Scope covers the web app, API, network, and smart contracts.
Infrastructure
Built for reliability and scale. Our multi-region infrastructure ensures low latency, automatic failover, and zero single points of failure.
Regional Availability
Technology Stack
- Global anycast routing, DDoS protection, WAF, SSL termination across 200+ PoPs
- Health-aware load balancing across 4 eRPC instances. Automatic failover < 100ms
- Ubuntu 22.04 LTS on dedicated hardware. No hypervisor overhead. PM2 process management
- PostgreSQL 16 with daily encrypted backups. Redis for session/rate-limit caching with AOF persistence
- Dedicated full nodes for XDC Mainnet & Apothem. Peered with 15+ additional EVM networks
- Secrets stored in encrypted environment files. No hardcoded credentials. Rotation every 90 days
Service Level Agreements
| Metric | Target | Current | Status |
|---|---|---|---|
| API Availability | 99.99% | 99.97% | Met |
| P50 Response Time | < 50ms | 32ms | Met |
| P99 Response Time | < 500ms | 218ms | Met |
| Incident Response | < 15 min | 8 min avg | Met |
| Data Recovery (RTO) | < 4 hours | < 2 hours | Met |
Transparency
We believe in open communication about incidents, security updates, and our sub-processor relationships. Here's what we share publicly.
Incident Log
- Elevated RPC Latency — US East: Identified memory pressure on the eRPC-0 node. Increased heap limit and restarted the process. No data loss.
- Rate Limit Misconfiguration: A configuration push incorrectly lowered rate limits for the enterprise tier. Rolled back and re-deployed the correct config.
- Database Connection Pool Exhaustion: A surge in dashboard traffic exhausted the PostgreSQL connection pool. Scaled the pool size and added the PgBouncer connection pooler.
Security & Compliance Changelog
- Removed TLS 1.2 support across all endpoints. Improved cipher suite configuration.
- Third-party consultant completed a full gap assessment. Remediation roadmap published internally.
- New regional node reduces latency for European users by 40%. Automatic geo-routing enabled.
- TOTP-based MFA now mandatory for all users with admin or billing roles.
- Data retention schedules, processor agreements, and right-to-erasure flows updated.
Sub-processor Registry
| Provider | Purpose | Region | Certification |
|---|---|---|---|
| Cloudflare | CDN, DDoS, WAF | Global | SOC2 Type II |
| Hetzner Cloud | Compute Infrastructure | EU / US | ISO 27001 |
| Postmark | Transactional Email | US | SOC2 Type II |
| Telegram | Ops Notifications | Global | Privacy Shield |
Contact & Resources
Reach the right team directly. We're committed to transparent communication and rapid response on all security and compliance matters.
Security Issues
security@xdcrpc.com: Report vulnerabilities, suspected breaches, or security concerns. We follow responsible disclosure. Reports are acknowledged within 48h.
Compliance & Legal
legal@xdcrpc.com: Data Processing Agreements, GDPR requests, compliance documentation, sub-processor questions.
General Trust Inquiries
trust@xdcrpc.com: Questions about our security program, policy documents, or to request a security questionnaire review.
Enterprise Support
enterprise@xdcrpc.com: Dedicated account management, custom SLAs, white-label agreements, and enterprise security reviews.
Available Documents
Ready to build with confidence?
Start with our free tier — 100K requests/month. Upgrade to enterprise for dedicated SLAs, custom compliance documentation, and 24/7 support.