Six guarantees. One audit-grade operating model.
Multi-jurisdictional coverage. Sovereign by default.
We tell the truth about where we are. Audit-grade evidence about ourselves precedes audit-grade evidence we promise customers.
Baked into how Xlooop works.
Each guarantee maps to a concrete mechanism - published here so a buyer can verify it during due diligence, not just take our word.
Audit-grade evidence
Every AI output traces back to the request that started it. Every edit, sign-off, and re-version is captured in a write-only ledger. Reviewer-ready by default; no post-hoc evidence reconstruction.
HOW WE GUARANTEE ITBuilt on a write-only audit ledger the founder runs Xlooop itself on — and trusts with his own most sensitive records — through many iterations of real operating use. The ledger cannot be edited after-the-fact; only superseded with a new artefact + reason.
Customer-facing
Your customer can review the same record you do - without seeing your private workspace. We produce a portable, scoped, redacted record for each customer-facing engagement.
HOW WE GUARANTEE ITEvery output that crosses your authority gate is reviewed by the Commercial Claim Reviewer agent (see AI Team). Customer-facing exports cannot contain internal pointers, secrets, or out-of-scope content — a pre-transmission redaction scan enforces this before anything leaves your workspace.
Sterile boundary
Your customer data stays scoped + consented. Xlooop never touches what it shouldn't.
HOW WE GUARANTEE ITThe 6-role AI panel enforces boundaries; the L0-L5 authority framework maps every action to an explicit consent level; OAuth scopes are read-only by default; write actions require explicit per-action authority grants.
Compliance-aware
Designed for TPB · ATO · AUSTRAC · NSW Fair Trading · building defect liability · APES 110 · NDIA / ADHA provider audits and similar regulatory regimes. Multi-jurisdictional terms cover AU + EU + UK + US.
HOW WE GUARANTEE ITLegal pages 06 Privacy + 07 Terms + 08 Data Sovereignty at v2.1-FINAL. AU-qualified legal practitioner sign-off is the publication gate (non-negotiable; operator-committed). EU + UK + US practitioner sign-off pre-respective-region GTM.
Model-agnostic
Claude · GPT · Gemini · local models. Switch any time. Your evidence trail survives.
HOW WE GUARANTEE ITThe audit ledger captures the prompt + the output + the model + the version + the parameters for every AI action. Switching model providers does not break your historical audit trail - and the trail itself is not tied to any single provider's infrastructure.
Patented IP foundation
The multi-user, role-based collaboration model that makes this work is patented — US 11,604,641 (granted March 14, 2023 · 24 claims · 2 independent). The bi-directional code↔UI engine is our own architecture, built on top of that patented foundation. European decision due October 2026.
HOW WE GUARANTEE ITClaim 1 covers multi-user collaborative roles (project initiator + administrator + project manager) plus chat-bot integration. The patent is held by Adevi IP Holding Company Pty Ltd; ADEVI Pty Ltd (trading as Xlooop) is the operating company. Read the granted patent on Google Patents: https://patents.google.com/patent/US11604641B2
Want the trust evidence pack?
Sub-processor register · per-region residency map · breach-response runbook · cyber posture attestation. Delivered under NDA on request.
We'd rather lose your demo slot now than lose your trust later.
- ✓You have 5+ staff who already use AI tools in their daily work.
- ✓Your customers are regulated, audited, or contractually entitled to evidence of how their work was done.
- ✓You operate in a regime where an enforcement action could end the business (accounting, building inspection, advisory, legal-adjacent, healthcare-adjacent, professional services).
- ✓You are past pilot-curiosity - you need a record that survives a regulator letter, an insurer review, or a customer dispute.
- —Your team is <5 people OR does not yet use AI tools for customer-facing work.
- —Your customers are not asking for evidence yet - and will not for at least 12 months.
- —You want a developer-AI tool, an internal portal, or a SOC 2 / ISO checklist generator.
- —You are looking for "general AI strategy" advisory - we are an operating layer, not consulting.
Per-region residency · encryption · cross-border mechanism.
Multi-region availability: Cloudflare R2 (object) + Cloudflare D1 (metadata) + Cloudflare Workers (compute) - region-pinned at engagement.
full data-residency posture (storage · processing · backup · sub-processor list · region-pinning controls) - see Data Sovereignty.
Eight sub-processors disclosed. No data brokers. No tracking.
We engage sub-processors only where necessary. Every sub-processor is bound to our DPA + GDPR Article 28 obligations. 30 days' notice before any change that affects your data; terminate without penalty if you disagree.
What actually happens on every AI action.
- 01Your workspace captures the prompt (locally in your tenant).
- 02Prompt + immediate context goes to the AI inference provider (Anthropic / OpenAI / Google) over TLS 1.3.
- 03Inference provider returns the output back to your workspace.
- 04Output + prompt + model + version + parameters are written to your audit ledger (in your tenant).
- 05Inference provider RETAINS NO TRAINING-DATA RIGHT to your prompt / output.
- 06Inference provider may retain a temporary cache for ~30 days for abuse / safety monitoring (contractual; see DPA § "AI inference").
You can opt for local-model inference (Ollama / vLLM / llama.cpp on your-region infrastructure) on Production POC + Annual licence tiers to keep all inference in-region.
Continuously monitored. Honestly disclosed.
We do not claim certifications we haven't earned. SOC 2 and ISO 27001 are explicit roadmap items, not present-tense claims.
Cyber baseline (operator-locked)
- ✓DMARCstrict reject policy on xlooop.com + adevi.com.au domains
- ✓TLSTLS 1.3 minimum; HSTS preloaded
- ✓HIBPcredentials monitored; no exposed credentials on file
- ✓CSPstrict Content-Security-Policy on all marketing surfaces
- ✓DNSDNSSEC-aligned; Cloudflare-protected
- ⚠SOC 2 Type IIaspirational - not currently audited; on roadmap
- ⚠ISO 27001aspirational - not currently certified; on roadmap
SLA by tier
Multi-jurisdictional breach-notification posture.
- 01
Notifiable Data Breaches scheme (AU)
Breaches involving personal information likely to result in serious harm are notified to affected individuals + the OAIC within statutory windows.
- 02
EU GDPR Article 33
Supervisory authority notification within 72 hours; data subject notification without undue delay if high risk.
- 03
UK GDPR Article 33
ICO notification within 72 hours.
- 04
US state laws
CCPA + state-specific breach-notification laws.
- 05
Incident dashboard
Operator-bound (Trust Center surface; v2).
The questions buyers ask in due diligence.
Designed with AU regulation in mind.
Switch region in the top nav to see the equivalents in your market. Full 5-country matrix →
5-country GTM split.
EU coverage beyond DE+FR: legal framework remains EU-wide; sign-customers-on-request for other EU Member States under EU GDPR + EU AI Act framework. Full regional matrix →
United States
IRS Circ. 230 · FTC §5 · NIST AI RMF · CCPA/CPRA · state patchwork · Colorado AI Act 2026 · CPPA ADMT · SOC 2 (aspirational)
United Kingdom
ICO · FCA · UK GDPR · DPA 2018 · DUAA 2025 · AISI · HMRC
Germany
BfDI + Lander DPAs · BaFin · BStBK · BDSG + DSGVO + EU AI Act
France
CNIL · ACPR · OEC · Loi Informatique et Libertes + RGPD + EU AI Act
The one-page version.
Entity: ADEVI PTY LTD (trading as Xlooop) · ABN 80 627 916 698 · ACN 627 916 698 · Australia (NSW jurisdiction). Multi-jurisdictional terms apply per Terms of Service; data-residency posture per Data Sovereignty; AI disclosure per Privacy Policy §4.
What it actually does.
Each line above maps to a concrete mechanism — published here so a buyer can verify it during due diligence, not just take our word.
Audit-grade ledger
Append-only · hash-chained · per-tenant. Every prompt, output, review event carries a provenance triple (request_id, prompt_hash, output_hash). The chain breaks loudly if anything is tampered with — silent corruption is detectable.
mechanism · argon2id · KMS-managed pepper · per-tenant key
Sterile teardown
A one-click action assembles an export bundle, then schedules deletion within 30 days. Backups expire on a rolling 90-day cycle. A proof-of-deletion certificate is emailed to the workspace owner.
mechanism · pre-transmission redaction scan · scheduled purge · KMS key destruction
Region-bound residency
Locked at provisioning. AU → AU edge; UK → UK; DE / FR → EU Frankfurt; US → US-East. No cross-region migration without explicit operator approval + customer notice.
mechanism · per-tenant Cloudflare Access app · region-bound Sanity dataset
Read-only by default
Every OAuth scope is read-only at first request. Write scopes are granted per-workflow, per-customer, on the cockpit’s explicit request, and they appear in the audit ledger with full reasoning.
mechanism · Google Drive Picker · OneDrive Files.Read.Selected · Xero read-only
No model-training
Your content is never used to train external AI models. Not now, not later, not as a default. The vendor contracts with all model providers we use prohibit training on inference inputs.
mechanism · contract enforcement + no-train HTTP headers on every model call
Cyber baseline
DMARC enforced (reject); TLS 1.3 minimum; HIBP daily check on admin emails; HSTS + CSP + X-Content-Type-Options on every response. ASD Essential 8 (AU) / NCSC Cyber Essentials (UK) / NIST CSF (US) / BSI IT-Grundschutz (DE) / SecNumCloud baseline (FR).
mechanism · daily DMARC/TLS scan · weekly HIBP check · monthly cyber attestation
Want the trust evidence pack?
Sub-processor register · per-region residency map · breach-response runbook · cyber posture attestation. Delivered under NDA on request.
We'd rather lose your demo slot now than lose your trust later.
- ✓You have 5+ staff who already use AI tools in their daily work
- ✓Your customers are regulated, audited, or contractually entitled to evidence of how their work was done
- ✓You operate in a regime where an enforcement action could end the business (accounting · building inspection · advisory · healthcare-adjacent · professional services)
- ✓You’re past pilot-curiosity — you need a record that survives a regulator letter, an insurer review, or a customer dispute
- —Your team is <5 people or doesn’t yet use AI tools for customer-facing work
- —Your customers aren’t asking for evidence yet — and won’t for at least 12 months
- —You want a developer-AI tool, an internal portal, or a SOC 2 / ISO checklist generator
- —You’re looking for "general AI strategy" advisory — we’re an operating layer, not consulting
Eight sub-processors disclosed. No data brokers. No tracking.
Every sub-processor is bound to our DPA + GDPR Article 28 obligations. 30 days notice before any change that affects your data; terminate without penalty if you disagree.
Continuously monitored. Honestly disclosed.
We do not claim certifications we haven't earned. SOC 2 and ISO 27001 are explicit roadmap items, not present-tense claims.
Cyber baseline
- ✓DMARCstrict reject policy on xlooop.com + adevi.com.au domains
- ✓TLSTLS 1.3 minimum; HSTS preloaded
- ✓HIBPcredentials monitored; no exposed credentials on file
- ✓CSPstrict Content-Security-Policy on all marketing surfaces
- ✓DNSDNSSEC-aligned; Cloudflare-protected
- ⚠SOC 2 Type IIaspirational — not currently audited; on roadmap
- ⚠ISO 27001aspirational — not currently certified; on roadmap
SLA by tier
full data residency posture · per-region encryption · cross-border transfer mechanisms — see Data Sovereignty.
The questions buyers ask in due diligence.
Designed with Australia regulation in mind.
Switch region in the top nav to see the equivalents in your market.
Three doors. Same destination: a firm whose AI work is provable.
Pick the one that fits where you are today — none commit you to anything.
Or simply email hello@xlooop.com — one human reads every message.