xAI Trust Statement

At xAI, we prioritize the responsible management of data and the trust our users place in our technology.

For more information, please visit https://trust.x.ai

Data privacy and security are fundamental to our mission of empowering businesses with responsible AI solutions.

We understand the importance of transparency and accountability in the field of AI, and we actively embrace open communication and ethical practices. Our commitment to trust is reflected in our:

  • Robust security measures: We implement industry-leading safeguards to protect your data from unauthorized access, use, or disclosure.
  • Adherence to industry standards: We comply with relevant data privacy regulations and adhere to industry best practices.
  • Transparency and accountability: We provide clear and accessible information about our data handling practices and policies.

We believe that trust is built through open communication and continuous improvement. Our Trust Portal provides detailed information about our security measures, certifications, and data handling practices.

Explore the xAI Trust Portal to:

  • Review our security and privacy policies
  • Access our data handling procedures
  • Learn about our compliance certifications
  • Request copies of our security assessments
  • Get answers to frequently asked questions about data privacy at xAI

We are committed to building trust through responsible AI. Let us know how we can help you achieve your business goals with transparency and accountability.

Product Security

Audit Logging

xAI offers an in-app 90 day Audit Trail for Business Tier accounts. Audit logs can be exported on demand via the admin console.

Integrity Monitoring

We provide a status page outlining the health of our services and current uptime, available here.

Data Security

xAI includes a suite of Privacy tools to help your organization comply with regulations like HIPAA, the GDPR, and the CCPA.

Please refer to our privacy policy to learn more.

Team Management

Information about Team Management capabilities within the xAI Enterprise Platform can be found here.

Role-Based Access Control

Access Management roles are available in the xAI Enterprise Platform.

Additionally, predefined security groups are used to assign role-based access privileges and segregate access to systems and data in the production environment.

Single Sign-On Support

xAI supports Single Sign On for Business Tier accounts. You can use any SAML-based Identity Provider (IdP), for example Okta, X, OneLogin, or use GSuite to serve as your identity provider, delegating access to the application based on rules you create in your central identity management solution.

Data Security

Access Monitoring

xAI retains security logs, which include application, tooling, and access logs, for 180 days. Data access logs are maintained for 365 days.

Data Backups

Backups of in-scope systems are performed on a regularly scheduled basis.

Snapshot backups of critical databases are performed on a daily basis. Database snapshot backups are restored on at least a semi-annual basis to help ensure that processes and tools function as expected.

Data Erasure

xAI customers are able to export or delete their data/content using the self-service features of the enterprise platform.

Encryption-at-rest

Customer archive data stored in S3 is encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3).

Encryption-in-transit

The xAI web application and enterprise API are configured to use the TLS encryption protocol to encrypt communication sessions.

Physical Security

xAI data centers are equipped with full time security personnel, defense-in-depth access controls, and 24/7 monitoring solutions. All data center staff undergo comprehensive background checks and security training. Physical access to the data centers is restricted to only those requiring access to complete their job functions.

Data Privacy

Cookies

Our cookie policy is available within the broader Privacy Notice and can be found here.

Employee Privacy Training

At least once per year, our employees must complete security and privacy training which covers our security policies, security best practices, and privacy principles.

Security Incident Notification

Our Security Incident Notification process is outlined in the Data Protection Addendum.

Access Control

Data Access

We follow the principles of least privilege and need-to-know basis.

Firewalls, network access controls, identity and access management (IAM) controls, and other techniques are used that are designed to prevent unauthorized access to systems processing customer data.

Logging

We retain security logs, which include application, tooling, and access logs, for 180 days.

Password Security

We adhere strictly to the guidelines set forth in NIST Special Publication 800-63B, ensuring that our password security policies align with the latest standards and best practices for digital identity and authentication.

Application Security

Responsible Disclosure

xAI has a public bug bounty program that is utilized to encourage responsible disclosure of system security issues identified by external parties and to enable continuous assessment of product security.

Bot Detection

xAI utilizes Cloudflare WAF and Wiz to bolster our application's resilience and security. Cloudflare ensures fast and secure content delivery, and also provides robust protection against DDoS attacks. Complementing these, Wiz offers continuous threat detection, helping us proactively identify and address potential security issues.

Secure Development Training

Secure coding and configuration guidelines have been established for the development and deployment of systems and services, and include requirements around logical access control, cryptography, and system configurations.

Software Development Lifecycle

xAI has a documented and management-approved SDLC and change management standards which are communicated and available to all personnel. The standards are reviewed on an annual basis as per the documented Policy and Standards review process.

Vulnerability & Patch Management

System vulnerability scans are performed on at least a weekly basis.

All in-scope systems and applications are patched or replaced per documented processes and standards.

Web Application Firewall

xAI uses Cloudflare WAF to shield our application from potential web threats. It helps us identify and block harmful traffic, enhancing our application's security.

Infrastructure Security

BCP / DR

An appropriate business continuity and disaster recovery plan is maintained, as well as processes to help ensure failover redundancy in systems, networks, and data storage.

Capacity Monitoring

A capacity management standard is in place to guide personnel in the capacity management process, including planning and forecasting, monitoring, and infrastructure auto-scaling. xAI’s production infrastructure is designed to use auto-scaling functionality to manage infrastructure capacity in real-time, helping to ensure the availability of services.

Amazon Web Services

The computing systems, network technologies, and associated infrastructure supporting xAI’s enterprise services have been built using cloud-first architectures supported primarily by Amazon Web Services (AWS).

The system uses various infrastructure components provided natively by the cloud service providers that include, but are not limited to, the following:

  • Amazon Elastic Compute Cloud (EC2), including AWS Elastic Container Service (ECS) – scalable compute capacity and container orchestration.
  • Amazon Simple Storage Service (S3) – object storage service with high degrees of scalability, data availability, security, and performance.
  • Amazon Elastic Load Balancing (ELB) – service that automatically distributes incoming application traffic across multiple targets, such as compute instances, containers, and availability zones.
  • Amazon CloudFront – fast content delivery network (CDN) service that securely delivers data globally with low latency and high transfer speeds.
  • Amazon Key Management Service (KMS) – managed service to create and control encryption keys and the Amazon Hardware Security Modules to protect the security of keys.
  • Amazon Identity and Access Management (IAM) – enables secure control of access to AWS services and resources for users.
  • Amazon Elastic Kubernetes Service (EKS) – fully-managed service for running Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications, on AWS.
  • Amazon Relational Database Service (RDS) – service for running scalable relational databases in the AWS cloud.
  • Amazon DynamoDB – fully-managed NoSQL database service that supports key-value and document data structures.
  • Amazon Elastic MapReduce (EMR) – cloud-native big data platform for processing vast amounts of data using open-source tools.
  • Amazon Lambda – serverless compute service enabling code execution without provisioning or managing servers.
  • Amazon CloudWatch – monitoring and observability service that provides data and actionable insights to monitor applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health across the AWS environment.
  • Amazon CloudTrail – continuous monitoring and logging of account activity related to actions across AWS infrastructure, including actions taken through the AWS Management Console, Amazon software development kits (SDKs), command line tools, and other AWS services.
  • Amazon GuardDuty – comprehensive threat detection service that continuously monitors for malicious activity and unauthorized behavior within AWS, including data stored in Amazon S3.
  • Amazon Inspector – automated security assessment service that automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

Datacenter Services

xAI utilizes a dedicated datacenter with dedicated capacity and support for our systems and networking.

The computing systems, network technologies, and associated infrastructure supporting xAI’s enterprise services have been built on trusted hardware and Cloud Native Computing Foundation best practices to produce a private cloud environment.

Dell and HPE servers - We utilize cutting-edge, American-made server hardware from Dell and Hewlett-Packard Enterprise to minimize the risk of supply chain attacks. All servers include an intelligent platform management interface to allow for monitoring and maintenance.

Kubernetes - An open-source system for automating deployment, scaling, and management of containerized applications.

Infrastructure Availability

Core production infrastructure is deployed across multiple active availability zones at the cloud service provider, and the core systems are duplicated in an idle state in a separate availability region for quick deployment during an availability event.

Further, customer archive data stored in Amazon S3 is automatically replicated by AWS, and xAI has configured bucket versioning to help prevent unintended modification or deletion.

Separate Production Environment

Our production environment is logically segregated from non-production environments.

Endpoint Security

Disk Encryption

Full disk encryption is enabled on company laptops via our MDM solution.

VPN Access Required

Access to production systems requires the use of a company issued VPN. VPN access is provided after workstation integrity has been verified.

Endpoint Detection & Response

A cloud-based anti-malware solution is deployed on xAI-owned laptops and is configured to analyze endpoint activities and behavior on a real-time basis to determine if malicious software is present.

The security team is alerted of any identified endpoint security events.

Mobile Device Management

A device management tool is in place to manage company-owned employee laptops, and is configured to enforce certain configurations including, but not limited to, the following:

  • Full disk encryption
  • Automatic installation of security software
  • Automatic installation of operating system updates
  • Automatic screen saver / workstation lock engagement
  • Ability to wipe remotely

Network Security

Firewall

At xAI, while we operate in a cloud-first environment, we ensure robust perimeter security measures akin to traditional firewalls. Our security architecture integrates advanced cloud-native protections, delivering equivalent or enhanced security functionalities expected from conventional firewall systems.

Security Information and Event Management

Logging and monitoring software are configured to collect data from system components to monitor system events (including security events / IDS events), performance, and resource utilization.

The security team is alerted of unusual or suspicious security events that are detected.

Virtual Private Cloud

Inbound external network traffic terminates in the public virtual private cloud (VPC), and security groups are in place to filter unauthorized network traffic from the internet and public VPC into the private VPC (e.g., firewall).

Wireless Security

Within xAI office spaces, we use encrypted wireless connections to ensure secure internal communications. However, these wireless networks are not involved in the actual delivery of our application services.

Corporate Security

HR Security

At least once per year, our employees must complete security and privacy training which covers our security policies, security best practices, and privacy principles.

Incident Response

A formal incident management framework has been established that defines roles, responsibilities, escalation paths, and internal and external communication requirements in the event of incidents that impact the security or availability of the system.

Internal SSO

xAI uses Single Sign-On (SSO) to manage access to our internal applications. Our access management strategy includes the use of WebAuthn for secure authentication. Alongside SSO, we deploy hardware-based Multi-Factor Authentication (MFA), in the form of USB security keys, to enhance the security of our system access. This approach ensures robust protection against unauthorized access.

Penetration Testing

xAI management engages with a third-party specialist to conduct external penetration testing of the production application at least annually.

Bug Bounty

xAI’s temporary bug bounty program can be found at https://hackerone.com/x/policy_scopes; reports can also be sent to security@x.ai

Products
