XOPS

Governable by design.

Deterministic operations are materially easier to govern, audit, and certify than architectures built on probabilistic autonomous execution. The certifications follow from how XOPS works.

Certifications maintained

Four standards.
One architectural foundation.

Information security, privacy in the cloud, AI management, and operational controls — certified to the standards enterprise risk teams already use to evaluate vendors.

ISO/IEC 27001:2022

Information security management

The international standard for information security management systems. Covers policy, risk management, access control, cryptography, secure development, supplier relationships, and incident response. The 2022 revision aligns the controls catalog with modern cloud-native operations.

ISO/IEC 27018

Privacy in the cloud

The standard for protection of personally identifiable information processed in public cloud environments. Addresses data subject rights, consent handling, transparency of processing, retention, deletion, and breach notification — the controls regulated enterprises require from cloud-native processors.

ISO/IEC 42001

AI management systems

The first international standard for AI management systems — a risk-based framework for responsible AI development, deployment, monitoring, and governance. Published in 2023; still rare among AI vendors. Maps to AI risk requirements regulators are increasingly demanding.

SOC 2

Operational controls

Trust services criteria covering security, availability, processing integrity, confidentiality, and privacy. Independently audited. The control posture most enterprise procurement, security, and risk teams require as table stakes before vendor onboarding.

Audit letters, scope statements, and certification details are available through the Trust Center.

AI governance

Built deterministic.
Certified for AI.

ISO 42001 is a risk-based framework. The vendors that find it hardest to certify are the ones whose AI execution is fundamentally non-deterministic — outputs that vary, actions that can’t be reliably reproduced, intent that drifts. XOPS doesn’t have that problem.

Bounded

Actions never exceed declared policy.

Every action XOPS can take is bounded by Configuration as Code. The platform cannot act outside the surface of declared policy — not because we hope it won’t, but because the execution engine compiles against that surface.

Replayable

Same inputs, same outputs, every time.

Outcome execution is reproducible. The same operational state plus the same policy produces the same plan. Audit teams can replay any production run and verify the result without re-running it against live systems.

Reversible

Every action ships with a compensation.

State-mutating actions are paired with their inverse. The Backstep Saga unwinds partial executions cleanly. No half-states, no orphaned mutations, no forensic cleanup tickets after a failure.

Audit-ready by architecture

Every action, traceable to source.
Audit becomes a query.

Most enterprise estates treat audit as a forensic exercise: reconstruct what happened from per-system logs that don’t join. XOPS produces audit-grade evidence as a side effect of how it runs — not as a quarterly cleanup project.

  • Declared intent vs. observed reality. Configuration as Code holds the policy. The Living Knowledge Graph holds the state. Drift is detected continuously, not at the next audit window.
  • Identity-attributed actions. Every state mutation carries the identity that triggered it, the Outcome it served, and the policy it executed against. No anonymous writes, no shared service-account ambiguity.
  • Cross-system event correlation. One operational history across every system in scope. Reconstructing what happened to an entity is a query against the graph, not a week of joining per-system logs.
  • Evidence on demand. Compliance teams can produce SOC 2 evidence, ISO control mappings, and regulator-ready timelines without raising an internal report request. The data is already structured.

For risk, security, and compliance teams

Risk-evaluation ready. Audit-evidence native.

Certifications, scope statements, control mappings, and audit letters — in one place. Built for the people who have to defend it inside your enterprise.