How it works

From your first email to a reviewer-signed customer record —
in three stages · about seven minutes · one trust ask.

The rest is earned through demonstrated value, never asked up front as a menu.

The 30-second version

Give us your work email. We do the rest.

Your team uses Claude, Copilot, Cursor — and meanwhile your client wants confidence in what shipped. Xlooop sits alongside the work and keeps an honest record: what each AI was asked, what changed in review, what the team approved, what the customer received. When the inevitable "show me how this got built and signed off" question comes up — from a client, an auditor, or a regulator — the answer is ready. You don’t have to reconstruct anything.

No new tools for your team. No data leaves Australia by default. No model lock-in. Use Claude · GPT · Gemini · local models — Xlooop watches them all.

The 3-stage onboarding flow

Identity sweep · One OAuth · Four short questions.

STAGE 1~30 SECONDS BACKEND · <5 SECONDS WAITL0 — Publicly discoverable only

Identity sweep

You enter your work email or domain. We pull legal-entity + sector + headcount + cyber baseline + AI-readiness pre-read from public sources only.

ABN Lookup / Companies House / EDGAR / Handelsregister / INSEE — whichever applies to your home regime. You confirm a one-screen identity card in a single click. We don’t ask for ANY private data. We don’t touch your customer data. We don’t send marketing email beyond your initial confirmation.

STAGE 1~30 SECONDS BACKEND · <5 SECONDS WAITL0 — Publicly discoverable only

Identity sweep

You enter your work email or domain. We pull legal-entity + sector + headcount + cyber baseline + AI-readiness pre-read from public sources only.

ABN Lookup / Companies House / EDGAR / Handelsregister / INSEE — whichever applies to your home regime. You confirm a one-screen identity card in a single click. We don’t ask for ANY private data. We don’t touch your customer data. We don’t send marketing email beyond your initial confirmation.

STAGE 2~60 SECONDS · READ-ONLY · REVOCABLEL2 — Authority-safe

One accounting OAuth — the one trust ask

You connect one of Xero / MYOB / QuickBooks Online — read-only. We unlock financial health, ATO Small Business Benchmark, aged-receivables + creditor-risk signals.

Why one OAuth, not five? Because accounting data answers the five fundamental questions about a regulated SMB — revenue, customer concentration, working capital, creditor risk, benchmark posture — in a single trust ask. Every other integration is earned by a specific finding in your first-pass report. Fallback paths: BAS upload (last 4 quarters as PDF) or accountant-mediated invite (your accountant gets a one-time read-only link; you never share credentials).

STAGE 3~5 MINUTES · IN-PRODUCT CHATL2 — Authority-safe

Four short questions

Four answers. No drill-downs. No multi-choice mazes.

Strategic intent · customer concentration · cyber disclosure · growth posture. Your answers anchor the first-pass report’s "top 3 next actions" to YOUR pain — and shape the L0–L5 progression path.

Then — the first-pass report

One page · ~2 minutes after Stage 3.

  1. 01Your words firstthe strategic-intent answer paraphrased, no editorial
  2. 02ATO Small Business Benchmarkyour firm vs. ANZSIC peers
  3. 03Cyber gateDMARC / TLS / HIBP / public posture; pass / warn / fail
  4. 04AI-Readiness pre-readyour L0–L5 level across 6 dimensions (policy · governance · review · source · workflow · controls)
  5. 05Top 3 next actionsspecific to your firm; tied to evidence in the report
  6. 062–3 earn-the-right promptseach justified by a specific finding above

no menu of "100 things we could connect to" · no upsell · just three concrete next actions tied to YOUR evidence.

The earn-the-right escalation pattern

Every next ask justified by a finding you’ve already seen.

Most SaaS asks for everything in the first 5 minutes. We don’t. We ask for one OAuth (accounting). Every subsequent integration is earned by a specific finding in your first-pass report.

FINDING IN FIRST-PASS REPORTEARN-THE-RIGHT NEXT ASK
Your top customer is 40% of revenue→ Connect HubSpot or your CRM read-only so we can produce a customer-concentration heatmap
Your DMARC posture is failing→ Grant DNS read-only or paste your DMARC record so we can produce a cyber-gate remediation plan
You haven’t documented your AI acceptable-use policy→ Connect your Google Drive or Notion read-only so we can draft a policy from your existing docs
Your accounts-receivable aged-debt risk is high→ Connect Stripe / Square read-only so we can cross-reference invoice ageing
The L0–L5 path

Where you start. Where you can go.

We meet you at your level. We walk forward at your pace. You pull back at any time.

※ The 6-role multi-user collaboration model underneath L3+ is patented · US 11,604,641 (24 claims; granted 2023) · European decision Oct 2026.

L0Publicly discoverable

You’re on the internet. You haven’t started with AI yet.

Rare for regulated SMBs in 2026

L1Sterile backbone

You have AI policies + acceptable-use documented.

Starting point for ~35% of pilots

L2Authority-safe

Humans review AI outputs before customer delivery.

Most common starting point — ~45%

L3Source-connected

AI has scoped, consented access to your customer data.

Where ~70% of pilots land after 8 weeks of watch-mode

L4Workflow intelligence

AI workflows are documented, discoverable, audited.

Production POC tier

L5Controlled operations

AI runs governed end-to-end with circuit breakers.

Annual licence tier

The 6-role AI panel

Your team alongside our team.

From Stage-3-completion onwards, six AI agents work on your workspace by name. Each role is bounded. Each action is audit-logged. Humans hold the authority gate.

Chief of Staff

Single point of contact; routes your questions; orchestrates the rest of the panel.

Ecosystem Risk Officer

Monitors cross-boundary data flows; flags privacy / IP / regulatory exposure.

DevSecOps

Owns access · secrets · tenant isolation; the gatekeeper of your private data.

Knowledge Architect

Structures your audit-grade evidence; makes records discoverable.

Domain Operator

Sequences workflows; clean agent-to-agent handoffs.

Commercial Claim Reviewer

Blocks unsupported claims before they reach your customer.

What we never do during onboarding

Seven things we won’t do — by design.

  • Send you to a marketing automation system — no "drip" emails.
  • Sell your data, your contact details, or your customer data.
  • Train AI models on your data (contractually; see privacy policy §4.2).
  • Auto-enrol you in a paid plan.
  • Hide cancellation paths.
  • Charge you anything until you sign a paid engagement.
  • Touch your customer-facing tools — your CRM · email · Slack stays yours.
At the end of 7 minutes

What you have in your hand.

  • A first-pass report for your firm — your strategic intent · ATO benchmark · cyber gate · L0–L5 pre-read · top 3 actions
  • A sterile workspace at <yourcompany>.xlooop.com — yours to provision or sterile-teardown
  • A 6-role AI panel ready to run in watch-mode
  • Three concrete earn-the-right next steps tied to specific findings
  • Australian-resident data by default (or your home region on Pilot+ tier)
  • Zero financial commitment
Three ways to start

Pick the one that matches your readiness.

COLD INBOUND

Check your AI readiness — 5 min

5 minFree
WARM INBOUND

Book a 30-min walkthrough

30 minFree
PRE-SOLD

Book Discovery (A$8–15k)

90 minA$8–15k
?Need help?