x12port is built with security-first architecture. Every transaction, partner connection, and document is encrypted, audited, and access-controlled so your supply chain data stays yours.
All data moving between your systems and x12port is encrypted in transit with TLS 1.3. Older protocol versions (TLS 1.0 and 1.1) are disabled at the edge. Every endpoint is served over HTTPS only; plain HTTP requests are permanently redirected to their HTTPS equivalent.
EDI documents, mapping configurations, trading partner data, and all database records are encrypted at rest using AES-256. Encryption keys are managed separately from data and rotated on a defined schedule.
Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext. API keys are likewise hashed before storage; only the hash is kept. The plaintext key is shown once, at creation time, and cannot be recovered afterwards.
Application secrets (SMTP passwords, webhook signing keys, Stripe keys) are stored in environment-level secret stores, not in source code or config files. Secrets are injected at runtime and never logged.
Every user is assigned a role: Owner, Admin, Developer, Logistics, or Client. Each role is granted minimum necessary privileges. Sensitive admin functions require elevated roles and cannot be performed by standard accounts.
TOTP-based 2FA (compatible with Google Authenticator, Authy, 1Password) is available to all users and strongly recommended. Admins and owners can enforce 2FA organisation-wide. Backup codes are provided at setup.
Sessions are signed with a server-side secret key, expire after a period of inactivity, and are invalidated server-side on logout, so a token cannot be replayed once the user has signed out. Concurrent-session limits make it impractical for several people to share one account's credentials.
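As an added example (not x12port's implementation), here is one way the session properties just described fit together: the token the browser holds is a random session id plus an HMAC-SHA256 signature over it, so a tampered or fabricated token is rejected before any lookup; the server keeps its own record of last activity, which is what makes both inactivity expiry and logout enforceable server-side; and issuing a new session beyond the per-user limit evicts the least recently used one. The signing key, the 10-minute idle timeout, the limit of two sessions and the class and method names are assumptions for the example, and the clock is passed in as a parameter so the expiry path can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionRecord:
    user_id: str
    last_seen: float  # unix timestamp of the last successfully validated request


class SessionManager:
    """Server-side session table plus HMAC-signed tokens (example code, assumed design)."""

    def __init__(self, signing_key: bytes, idle_timeout: float, max_sessions: int):
        self._key = signing_key
        self.idle_timeout = idle_timeout    # seconds of inactivity before a session dies
        self.max_sessions = max_sessions    # concurrent sessions allowed per user
        self._sessions: Dict[str, SessionRecord] = {}

    def _sign(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: str, now: float) -> str:
        """Start a session and return the signed token the client will present."""
        # Enforce the concurrent-session limit by evicting this user's least
        # recently used sessions until there is room for the new one.
        mine = sorted((r.last_seen, sid) for sid, r in self._sessions.items()
                      if r.user_id == user_id)
        while len(mine) >= self.max_sessions:
            _, oldest = mine.pop(0)
            del self._sessions[oldest]
        session_id = secrets.token_hex(16)   # 128 bits from the OS CSPRNG
        self._sessions[session_id] = SessionRecord(user_id, now)
        return f"{session_id}.{self._sign(session_id)}"

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a live, genuine session, otherwise None."""
        session_id, sep, sig = token.partition(".")
        # Signature check first: forged or altered tokens never reach the table.
        if not sep or not hmac.compare_digest(sig.encode(), self._sign(session_id).encode()):
            return None
        record = self._sessions.get(session_id)
        if record is None:
            return None              # logged out, evicted, or never issued
        if now - record.last_seen > self.idle_timeout:
            del self._sessions[session_id]
            return None              # idle too long: expired server-side
        record.last_seen = now       # activity extends the session
        return record.user_id

    def logout(self, token: str) -> None:
        """Drop the server-side record; the still-valid signature is now useless."""
        self._sessions.pop(token.partition(".")[0], None)


if __name__ == "__main__":
    mgr = SessionManager(b"example-signing-key", idle_timeout=600, max_sessions=2)
    token = mgr.create("alice", now=1000.0)
    print("valid:", mgr.validate(token, now=1100.0))
    mgr.logout(token)
    print("after logout:", mgr.validate(token, now=1101.0))
```

The signature only proves the token was issued by this server; liveness comes from the server-side record, which is why logout is a delete rather than a blacklist and why an expired session disappears on the request that discovers it. Verifying the signature before the table lookup also means an attacker cannot use the session store as an oracle for guessing ids.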
API keys can be scoped to specific operations (read-only, write, admin). Keys carry no user privileges beyond their granted scope. Compromised keys can be revoked instantly from the developer dashboard without affecting other keys.
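The following is an added illustration, not x12port's own code, of the API-key handling described in the two passages above: a key is generated from 256 bits of randomness, returned to the caller exactly once, and only its SHA-256 digest is kept alongside its scope, so a database leak exposes nothing usable while the key can still be verified, scope-checked and revoked without touching other keys. The in-memory store, the `x12_` prefix, the `read < write < admin` ordering and the function names are assumptions for the example. SHA-256 rather than bcrypt is used here because the key is a high-entropy random value that no dictionary attack can reach; bcrypt's cost factor earns its keep against low-entropy passwords (the page's choice for those), and since the `bcrypt` package is not in the standard library, password hashing is not shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Assumed scope ordering for the example: an "admin" key may also perform
# "write" and "read" operations, and a "write" key may also "read".
SCOPE_RANK = {"read": 0, "write": 1, "admin": 2}
KEY_PREFIX = "x12"  # assumed and cosmetic: lets leaked keys be recognised by secret scanners


@dataclass
class StoredKey:
    key_hash: str          # hex SHA-256 of the secret part; the plaintext is never stored
    scope: str
    revoked: bool = False


@dataclass
class ApiKeyStore:
    """In-memory stand-in for the database table that holds hashed API keys."""
    keys: Dict[str, StoredKey] = field(default_factory=dict)

    def issue(self, scope: str) -> str:
        """Create a key and return the only copy of its plaintext."""
        if scope not in SCOPE_RANK:
            raise ValueError(f"unknown scope {scope!r}")
        key_id = secrets.token_hex(6)        # public lookup handle, not secret
        secret_part = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(secret_part.encode()).hexdigest()
        self.keys[key_id] = StoredKey(key_hash=digest, scope=scope)
        return f"{KEY_PREFIX}_{key_id}_{secret_part}"

    def revoke(self, key_id: str) -> None:
        """Disable one key; every other key in the store is unaffected."""
        self.keys[key_id].revoked = True

    def authorize(self, presented: str, required_scope: str) -> bool:
        """True only if the key is genuine, not revoked, and scoped for the operation."""
        if required_scope not in SCOPE_RANK:
            return False
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return False
        _, key_id, secret_part = parts
        record = self.keys.get(key_id)  # key_id is public, so an early miss leaks nothing
        if record is None or record.revoked:
            return False
        digest = hashlib.sha256(secret_part.encode()).hexdigest()
        if not hmac.compare_digest(digest, record.key_hash):  # constant-time comparison
            return False
        return SCOPE_RANK[record.scope] >= SCOPE_RANK[required_scope]


if __name__ == "__main__":
    store = ApiKeyStore()
    plaintext = store.issue("write")
    print("show this once:", plaintext)
    print("read allowed:", store.authorize(plaintext, "read"))
    print("admin allowed:", store.authorize(plaintext, "admin"))
```

Looking the record up by the public key id before comparing the digest means the secret part is never used as a database key, and `hmac.compare_digest` keeps the final comparison constant-time. Revocation flips a flag on one record only, which is the "without affecting other keys" behaviour the page describes; a lost plaintext cannot be recovered from the stored digest, so the remedy is to revoke and issue a fresh key.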
All production infrastructure runs in US-based data centres. Each customer's data is logically isolated at the database level. No cross-tenant data access is possible by design.
The production database is backed up daily. Point-in-time recovery is available. Backup files are encrypted at rest and stored in a geographically separate location. Restoration is tested on a quarterly basis.
x12port targets 99.9% monthly uptime for the API and web application. Scheduled maintenance windows are announced at least 48 hours in advance via the status page and registered email.
Third-party dependencies are pinned to specific versions and reviewed for CVEs on a weekly basis. Security patches are applied within 72 hours of a critical advisory. Dependency updates go through the same deployment pipeline as code changes.
| Standard | Status | Notes |
|---|---|---|
| GDPR | Compliant | Data processing agreements available on request. Right-to-deletion honoured within 30 days. |
| CCPA | Compliant | California consumer data rights respected. No sale of personal data to third parties. |
| SOC 2 Type I | In progress | Controls audit underway. Report expected Q3 2026. |
| SOC 2 Type II | Planned | Scheduled to begin observation period following Type I completion. |
| HIPAA | Not applicable | x12port does not process Protected Health Information (PHI) in standard plans. Contact sales for healthcare EDI requirements. |
| PCI DSS | Scoped out | Payment processing is handled entirely by Stripe (PCI DSS Level 1). x12port never touches raw card data. |
| AS2 / AS4 | Supported | Secure AS2 message signing and encryption for partner connectivity on Professional and Enterprise plans. |
x12port operates a responsible disclosure programme. If you discover a security vulnerability in our platform, please report it privately so we can investigate and fix it before public disclosure. We do not pursue legal action against good-faith researchers who follow this process.
What to include: a description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code.
📧 Email: security@x12port.com — we aim to acknowledge reports within 1 business day and resolve critical issues within 7 days.
Our team is happy to provide a security questionnaire, architecture overview, or data processing agreement for enterprise procurement.