Compliance & Data Protection
How responsibilities are split between Xelon and you, which platform features support your compliance obligations, and how to obtain audit reports for your own auditors.
Shared Responsibility Model
Cloud security is a shared responsibility. The split below makes clear which controls Xelon operates on your behalf and which controls remain with you. Most compliance findings come from misunderstandings of this split, so it is worth reviewing before you map a regulatory requirement to a platform feature.
| Layer | Xelon's responsibility | Your responsibility |
|---|---|---|
| Physical infrastructure | Data centers, hardware, network fabric, physical access control, power, cooling | — |
| Hypervisor & storage layer | vSphere, Ceph, network virtualization, OS hardening on Xelon-managed hosts, hypervisor patching | — |
| Platform services | Xelon HQ application security, authentication system, RBAC framework, platform-wide audit logging | — |
| Virtual machine OS | — | OS patching, hardening, in-VM firewall configuration, antivirus, kernel-level security |
| Application data | Block-level resilience of provisioned storage | Data classification, encryption choices (client-side or future SSE), backup scheduling, retention policy |
| Identity & access | Authentication system, multi-factor authentication mechanisms (TOTP, SMS), session management | User provisioning, permission assignment, MFA enforcement on your accounts, key and secret rotation |
| Network policies | Underlying network isolation between tenants, platform-level DDoS protection | Firewall rule configuration, IP restrictions, segregation rules, VPN setup, public exposure decisions |
| Compliance evidence | Maintains audit reports and attestations; provides them under NDA | Maps your regulatory obligations to platform features; presents the resulting evidence to your auditors |
Platform Features That Support Your Compliance Obligations
Xelon HQ provides specific features that map to common regulatory and audit requirements. Configure them according to the controls your framework demands.
| Compliance need | Xelon feature | Where to configure |
|---|---|---|
| Immutable backups (ransomware resilience, regulatory retention) | Object Lock on S3 buckets in COMPLIANCE mode | Object Storage |
| Restrict bucket access to known IP ranges | IP Restrictions per bucket | Object Storage > IP Restrictions |
| Encrypt data at rest with keys you control | Client-side encryption (OpenSSL / GPG / rclone / Veeam) | Object Storage > Encryption at Rest |
| Audit trail for every API call and configuration change | Activity logs at user, organization, device, and cluster level, plus a unified logs view | Activity Logs |
| Least-privilege access control | Role-based permissions, granular per-feature permissions, service tokens with limited scope | Roles & Permissions |
| Multi-factor authentication | TOTP and SMS one-time passcodes | Profile & Security > 2FA |
| Restricting access by allowed email domains | Allowed email domains per organization | Organizations |
| Backup and disaster recovery | Scheduled backups with cross-site replication, file-level restore, DRaaS | Backup Jobs · Disaster Recovery |
| Workload isolation between tenants or sensitivity levels | Segregation rules (placement constraints), sub-organization hierarchy | Segregation Rules · Organizations |
| Active session monitoring and revocation | Active sessions list with manual termination | Profile & Security > Active Sessions |
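The "encrypt data at rest with keys you control" row above relies on encrypting objects before they leave your environment. The script below is an added example of that workflow using OpenSSL; it is not Xelon's code and not part of Xelon HQ. It assumes `openssl` and `mktemp` are available, and the bucket, endpoint and upload command at the end are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example (not Xelon's own tooling): client-side encryption of a backup
# artefact with a key you control, before it is uploaded to object storage.
# Assumes openssl is installed. OBJECT-STORAGE-ENDPOINT and BUCKET below are
# placeholders, not Xelon values.

set -eu

# Generate a key that never leaves your side. Keep it in your secret manager;
# if it is lost, every object encrypted with it is unrecoverable.
make_key() {
  openssl rand -hex 32 > "$1"
  chmod 600 "$1"
}

# AES-256-CBC with a PBKDF2-stretched passphrase and a random salt.
# The iteration count is NOT stored in the output file, so the decrypt
# side must use exactly the same -iter value.
encrypt_file() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
}

decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Round trip on a constructed sample payload: encrypt, decrypt, compare.
# Prints "ok" when the plaintext is restored byte-for-byte and the
# ciphertext actually differs from the plaintext; "FAIL" otherwise.
roundtrip_check() {
  work=$(mktemp -d)
  printf 'constructed sample backup payload\n' > "$work/backup.tar"
  make_key "$work/backup.key"
  encrypt_file "$work/backup.tar" "$work/backup.tar.enc" "$work/backup.key"
  decrypt_file "$work/backup.tar.enc" "$work/restored.tar" "$work/backup.key"
  if cmp -s "$work/backup.tar" "$work/restored.tar" \
     && ! cmp -s "$work/backup.tar" "$work/backup.tar.enc"; then
    echo ok
  else
    echo FAIL
  fi
  rm -rf "$work"
}

roundtrip_check

# Upload only the .enc file; the key file must never be copied to the bucket.
# Placeholder command and endpoint (assumption, replace with your own):
# aws --endpoint-url https://OBJECT-STORAGE-ENDPOINT s3 cp backup.tar.enc s3://BUCKET/
```

Run the round trip before adopting the procedure, and repeat it from the restore side periodically: a key that decrypts today but is rotated without re-encrypting the objects leaves older backups unreadable, which is a retention failure rather than a security win. Pair this with Object Lock on the bucket so the ciphertext itself cannot be altered or deleted during its retention period.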
Compliance Attestations
Xelon maintains audit reports and compliance attestations relevant to Swiss financial-services workloads, international information-security frameworks, and service-organization controls. Reports are released under non-disclosure agreement.
For active customers, contact your account manager. For prospective customers without an active engagement, contact sales@xelon.ch with a brief description of your use case and the specific framework you need to evidence (ISO 27001, ISAE 3402, etc.). The current scope, validity dates, and deliverable format will be shared along with the NDA.
Data Protection (GDPR / revDSG)
For workloads subject to the EU General Data Protection Regulation (GDPR) or the revised Swiss Federal Act on Data Protection (revDSG), the relevant contractual instrument is a Data Processing Agreement (DPA) between you, as data controller, and Xelon, as data processor. The applicable terms, the current sub-processor list, and the procedure for handling data-subject requests are provided as part of the contractual documentation when you engage with Xelon. Contact your account manager (or sales@xelon.ch if you do not have one assigned) to request the current versions for review.
Reporting a Security Incident
If you observe a security incident affecting your Xelon resources or suspect a breach of platform security, contact support@xelon.ch immediately and mark the message as security-relevant so it is routed to the appropriate response team. Notification timelines and procedures applicable to confirmed incidents are documented in your contractual agreements with Xelon.