Trust + compliance

Six guarantees. One audit-grade operating model.
Multi-jurisdictional coverage. Sovereign by default.

We tell the truth about where we are. Audit-grade evidence about ourselves precedes audit-grade evidence we promise customers.

The six guarantees

Baked into how Xlooop works.

Each guarantee maps to a concrete mechanism - published here so a buyer can verify it during due diligence, not just take our word.

01

Audit-grade evidence

Every AI output traces back to the request that started it. Every edit, sign-off, and re-version is captured in a write-only ledger. Reviewer-ready by default; no post-hoc evidence reconstruction.

HOW WE GUARANTEE ITBuilt on a write-only audit ledger the founder runs Xlooop itself on — and trusts with his own most sensitive records — through many iterations of real operating use. The ledger cannot be edited after-the-fact; only superseded with a new artefact + reason.

02

Customer-facing

Your customer can review the same record you do - without seeing your private workspace. We produce a portable, scoped, redacted record for each customer-facing engagement.

HOW WE GUARANTEE ITEvery output that crosses your authority gate is reviewed by the Commercial Claim Reviewer agent (see AI Team). Customer-facing exports cannot contain internal pointers, secrets, or out-of-scope content — a pre-transmission redaction scan enforces this before anything leaves your workspace.

03

Sterile boundary

Your customer data stays scoped + consented. Xlooop never touches what it shouldn't.

HOW WE GUARANTEE ITThe 6-role AI panel enforces boundaries; the L0-L5 authority framework maps every action to an explicit consent level; OAuth scopes are read-only by default; write actions require explicit per-action authority grants.

04

Compliance-aware

Designed for TPB · ATO · AUSTRAC · NSW Fair Trading · building defect liability · APES 110 · NDIA / ADHA provider audits and similar regulatory regimes. Multi-jurisdictional terms cover AU + EU + UK + US.

HOW WE GUARANTEE ITLegal pages 06 Privacy + 07 Terms + 08 Data Sovereignty at v2.1-FINAL. AU-qualified legal practitioner sign-off is the publication gate (non-negotiable; operator-committed). EU + UK + US practitioner sign-off pre-respective-region GTM.

05

Model-agnostic

Claude · GPT · Gemini · local models. Switch any time. Your evidence trail survives.

HOW WE GUARANTEE ITThe audit ledger captures the prompt + the output + the model + the version + the parameters for every AI action. Switching model providers does not break your historical audit trail - and the trail itself is not tied to any single provider's infrastructure.

06

Patented IP foundation

The multi-user, role-based collaboration model that makes this work is patented — US 11,604,641 (granted March 14, 2023 · 24 claims · 2 independent). The bi-directional code↔UI engine is our own architecture, built on top of that patented foundation. European decision due October 2026.

HOW WE GUARANTEE ITClaim 1 covers multi-user collaborative roles (project initiator + administrator + project manager) plus chat-bot integration. The patent is held by Adevi IP Holding Company Pty Ltd; ADEVI Pty Ltd (trading as Xlooop) is the operating company. Read the granted patent on Google Patents: https://patents.google.com/patent/US11604641B2

Want the trust evidence pack?

Sub-processor register · per-region residency map · breach-response runbook · cyber posture attestation. Delivered under NDA on request.

Request the pack
Honest fit-check

We'd rather lose your demo slot now than lose your trust later.

YOU'RE A FIT IF
  • You have 5+ staff who already use AI tools in their daily work.
  • Your customers are regulated, audited, or contractually entitled to evidence of how their work was done.
  • You operate in a regime where an enforcement action could end the business (accounting, building inspection, advisory, legal-adjacent, healthcare-adjacent, professional services).
  • You are past pilot-curiosity - you need a record that survives a regulator letter, an insurer review, or a customer dispute.
YOU'RE EARLY IF
  • Your team is <5 people OR does not yet use AI tools for customer-facing work.
  • Your customers are not asking for evidence yet - and will not for at least 12 months.
  • You want a developer-AI tool, an internal portal, or a SOC 2 / ISO checklist generator.
  • You are looking for "general AI strategy" advisory - we are an operating layer, not consulting.
Where your data lives

Per-region residency · encryption · cross-border mechanism.

Multi-region availability: Cloudflare R2 (object) + Cloudflare D1 (metadata) + Cloudflare Workers (compute) - region-pinned at engagement.

CUSTOMER LOCATIONDEFAULT RESIDENCYAT-REST ENCRYPTIONIN-TRANSIT ENCRYPTIONCROSS-BORDER MECHANISM
AustraliaAU (Sydney) — Cloudflare AU edgeAES-256TLS 1.3n/a
European UnionAU default; EU residency on Pilot+ tierAES-256TLS 1.3EU SCCs 2021 Module 2 (controller-to-processor); transfer-impact assessment per Schrems II
United KingdomAU default; UK residency on Pilot+ tierAES-256TLS 1.3UK IDTA + EU SCCs UK addendum
United StatesAU default; US residency on Pilot+ tierAES-256TLS 1.3APEC CBPRs + APP 8 reasonable steps
Other regionsAU defaultAES-256TLS 1.3APP 8 reasonable steps + region-specific assessment

full data-residency posture (storage · processing · backup · sub-processor list · region-pinning controls) - see Data Sovereignty.

Sub-processor list

Eight sub-processors disclosed. No data brokers. No tracking.

We engage sub-processors only where necessary. Every sub-processor is bound to our DPA + GDPR Article 28 obligations. 30 days' notice before any change that affects your data; terminate without penalty if you disagree.

SUB-PROCESSORPURPOSEDATA CATEGORYREGIONCOMPLIANCE POSTURE
CloudflareEdge compute · object storage · DNS · WAFAll customer dataAU (default) / EU / UK / USSOC 2 Type II · ISO 27001 · GDPR-aligned · APP-compliant
Anthropic (Claude)AI inference (default model)Prompt + immediate context only - not training dataUS (default)SOC 2 Type II · GDPR-aligned · no training on customer data (contractually)
OpenAI (GPT)AI inference (model option)Prompt + immediate context onlyUSSOC 2 Type II · GDPR-aligned · no training on customer data (Enterprise tier)
Google (Gemini)AI inference (model option)Prompt + immediate context onlyUSSOC 2 Type II · GDPR-aligned · no training on customer data (Workspace tier)
SanityCMS content + asset hostingMarketing-page content only · NO customer dataEU (Dublin)SOC 2 Type II · GDPR-aligned
StripePayment processing (paid tiers)Billing data only · NO customer-work dataUS / EU / AUSOC 1 + SOC 2 Type II · PCI DSS L1 · GDPR-aligned
ResendTransactional emailEmail address + send logUSSOC 2 Type II · GDPR-aligned
Cloudflare AccessAuthentication (Pilot+ tier)Auth tokens onlyAU edgeSOC 2 Type II · ISO 27001
AI inference provider data flow

What actually happens on every AI action.

  1. 01Your workspace captures the prompt (locally in your tenant).
  2. 02Prompt + immediate context goes to the AI inference provider (Anthropic / OpenAI / Google) over TLS 1.3.
  3. 03Inference provider returns the output back to your workspace.
  4. 04Output + prompt + model + version + parameters are written to your audit ledger (in your tenant).
  5. 05Inference provider RETAINS NO TRAINING-DATA RIGHT to your prompt / output.
  6. 06Inference provider may retain a temporary cache for ~30 days for abuse / safety monitoring (contractual; see DPA § "AI inference").

You can opt for local-model inference (Ollama / vLLM / llama.cpp on your-region infrastructure) on Production POC + Annual licence tiers to keep all inference in-region.

Cyber baseline + SLA

Continuously monitored. Honestly disclosed.

We do not claim certifications we haven't earned. SOC 2 and ISO 27001 are explicit roadmap items, not present-tense claims.

Cyber baseline (operator-locked)

  • DMARCstrict reject policy on xlooop.com + adevi.com.au domains
  • TLSTLS 1.3 minimum; HSTS preloaded
  • HIBPcredentials monitored; no exposed credentials on file
  • CSPstrict Content-Security-Policy on all marketing surfaces
  • DNSDNSSEC-aligned; Cloudflare-protected
  • SOC 2 Type IIaspirational - not currently audited; on roadmap
  • ISO 27001aspirational - not currently certified; on roadmap

SLA by tier

TIERUPTIMERESPONSEREVIEWDiscoverybest-effortbest-effortn/aPilot99.0%4 hoursend-of-pilotProduction POC99.5%2 hoursmonthlyAnnual licence99.9%1 hourweekly + dedicated CSM

see Terms of Service § "Service Levels".

Incident response

Multi-jurisdictional breach-notification posture.

  • 01

    Notifiable Data Breaches scheme (AU)

    Breaches involving personal information likely to result in serious harm are notified to affected individuals + the OAIC within statutory windows.

  • 02

    EU GDPR Article 33

    Supervisory authority notification within 72 hours; data subject notification without undue delay if high risk.

  • 03

    UK GDPR Article 33

    ICO notification within 72 hours.

  • 04

    US state laws

    CCPA + state-specific breach-notification laws.

  • 05

    Incident dashboard

    Operator-bound (Trust Center surface; v2).

Frequently asked questions

The questions buyers ask in due diligence.

🇦🇺 Australia · regulatory regimes

Designed with AU regulation in mind.

Switch region in the top nav to see the equivalents in your market. Full 5-country matrix →

REGULATORSCOPEWHAT XLOOOP PRODUCES
TPB - Tax Practitioners BoardCode of professional conduct + record-keepingAI-assisted client interaction evidence trail · per-client AI-use disclosure
ATO - Australian Taxation OfficeLodgement audit trail + benchmark conformityReviewer-signed AI-assisted return record · ATO Small Business Benchmark cross-reference
AUSTRAC - AML / CTF transactionsSuspicious-matter surveillance + reportingSuspicious-matter surfacing in audit ledger · SMR pre-population
OAIC - Privacy + NDBPrivacy Act + Notifiable Data Breaches scheme + AI Guidance Oct 2024APP-compliant data handling · NDB-compliant incident response · AI-decision transparency
ASD - Essential 8Cyber maturity baselineDMARC · TLS · patching · MFA enforcement · backup discipline
NSW Fair Trading - Building defect liabilityPre-purchase + pre-settlement evidence chainBuilding inspection evidence chain · reviewer signature chain · defect record
Other launch markets

5-country GTM split.

EU coverage beyond DE+FR: legal framework remains EU-wide; sign-customers-on-request for other EU Member States under EU GDPR + EU AI Act framework. Full regional matrix →

US

United States

IRS Circ. 230 · FTC §5 · NIST AI RMF · CCPA/CPRA · state patchwork · Colorado AI Act 2026 · CPPA ADMT · SOC 2 (aspirational)

UK

United Kingdom

ICO · FCA · UK GDPR · DPA 2018 · DUAA 2025 · AISI · HMRC

DE

Germany

BfDI + Lander DPAs · BaFin · BStBK · BDSG + DSGVO + EU AI Act

FR

France

CNIL · ACPR · OEC · Loi Informatique et Libertes + RGPD + EU AI Act

Trust posture summary

The one-page version.

DIMENSIONPOSTUREEVIDENCE
Data residencyAU default · EU/UK/US selectable on Pilot+Data Sovereignty
EncryptionAES-256 at rest · TLS 1.3 in transitThis page
Privacy complianceAU APPs voluntary + EU GDPR + UK GDPR + CCPA/CPRA + state lawsPrivacy Policy v2.1-FINAL
AI disclosureOAIC + EU AI Act + UK + Colorado AI Act + ADM transparency forward-lookingAI Team
Sub-processors8 disclosed · 30-day notice on changeThis page
No training on your dataContractualPrivacy Policy §4.2
OAuth scopesRead-only default · earn-the-right escalationHow it works
Sterile teardownAlways available · 14-day export · no feeThis page FAQ
Cyber baselineDMARC · TLS · HIBP · CSP · DNSSEC continuousThis page
SOC 2 / ISO 27001Aspirational (not certified) - honestly statedThis page
InsuranceCyber + PI (specifics operator-bound; pre-publication)Privacy Policy §12
DPAAU + EU + UK + US-aligned · Pilot+ tier · v1.1 authoringDPA (in Terms)
Incident responseNDB · GDPR Article 33 · UK ICO · US state lawsThis page
Article 22 (automated decisions)No exposure (no fully-automated significant decisions)FAQ
AU practitioner sign-offNON-NEGOTIABLE publication gate · operator-committedSee operator note

Entity: ADEVI PTY LTD (trading as Xlooop) · ABN 80 627 916 698 · ACN 627 916 698 · Australia (NSW jurisdiction). Multi-jurisdictional terms apply per Terms of Service; data-residency posture per Data Sovereignty; AI disclosure per Privacy Policy §4.

Behind each guarantee

What it actually does.

Each line above maps to a concrete mechanism — published here so a buyer can verify it during due diligence, not just take our word.

01

Audit-grade ledger

Append-only · hash-chained · per-tenant. Every prompt, output, review event carries a provenance triple (request_id, prompt_hash, output_hash). The chain breaks loudly if anything is tampered with — silent corruption is detectable.

mechanism · argon2id · KMS-managed pepper · per-tenant key

02

Sterile teardown

A one-click action assembles an export bundle, then schedules deletion within 30 days. Backups expire on a rolling 90-day cycle. A proof-of-deletion certificate is emailed to the workspace owner.

mechanism · pre-transmission redaction scan · scheduled purge · KMS key destruction

03

Region-bound residency

Locked at provisioning. AU → AU edge; UK → UK; DE / FR → EU Frankfurt; US → US-East. No cross-region migration without explicit operator approval + customer notice.

mechanism · per-tenant Cloudflare Access app · region-bound Sanity dataset

04

Read-only by default

Every OAuth scope is read-only at first request. Write scopes are granted per-workflow, per-customer, on the cockpit’s explicit request, and they appear in the audit ledger with full reasoning.

mechanism · Google Drive Picker · OneDrive Files.Read.Selected · Xero read-only

05

No model-training

Your content is never used to train external AI models. Not now, not later, not as a default. The vendor contracts with all model providers we use prohibit training on inference inputs.

mechanism · contract enforcement + no-train HTTP headers on every model call

06

Cyber baseline

DMARC enforced (reject); TLS 1.3 minimum; HIBP daily check on admin emails; HSTS + CSP + X-Content-Type-Options on every response. ASD Essential 8 (AU) / NCSC Cyber Essentials (UK) / NIST CSF (US) / BSI IT-Grundschutz (DE) / SecNumCloud baseline (FR).

mechanism · daily DMARC/TLS scan · weekly HIBP check · monthly cyber attestation

Want the trust evidence pack?

Sub-processor register · per-region residency map · breach-response runbook · cyber posture attestation. Delivered under NDA on request.

Request the pack →
Honest fit-check

We'd rather lose your demo slot now than lose your trust later.

✓ YOU'RE A FIT IF
  • You have 5+ staff who already use AI tools in their daily work
  • Your customers are regulated, audited, or contractually entitled to evidence of how their work was done
  • You operate in a regime where an enforcement action could end the business (accounting · building inspection · advisory · healthcare-adjacent · professional services)
  • You’re past pilot-curiosity — you need a record that survives a regulator letter, an insurer review, or a customer dispute
— YOU'RE EARLY IF
  • Your team is <5 people or doesn’t yet use AI tools for customer-facing work
  • Your customers aren’t asking for evidence yet — and won’t for at least 12 months
  • You want a developer-AI tool, an internal portal, or a SOC 2 / ISO checklist generator
  • You’re looking for "general AI strategy" advisory — we’re an operating layer, not consulting
Sub-processors

Eight sub-processors disclosed. No data brokers. No tracking.

Every sub-processor is bound to our DPA + GDPR Article 28 obligations. 30 days notice before any change that affects your data; terminate without penalty if you disagree.

SUB-PROCESSORPURPOSEDATA CATEGORYREGIONCOMPLIANCE POSTURE
CloudflareEdge compute · object storage · DNS · WAFAll customer dataAU / EU / UK / USSOC 2 Type II · ISO 27001 · GDPR · APP
Anthropic (Claude)AI inference (default model)Prompt + immediate context only — not training dataUSSOC 2 Type II · GDPR · no training on customer data (contractually)
OpenAI (GPT)AI inference (model option)Prompt + immediate context onlyUSSOC 2 Type II · GDPR · no training (Enterprise tier)
Google (Gemini)AI inference (model option)Prompt + immediate context onlyUSSOC 2 Type II · GDPR · no training (Workspace tier)
SanityCMS content + asset hostingMarketing-page content only · NO customer dataEU (Dublin)SOC 2 Type II · GDPR
StripePayment processing (paid tiers)Billing data only · NO customer-work dataUS / EU / AUSOC 1 + SOC 2 Type II · PCI DSS L1 · GDPR
ResendTransactional emailEmail address + send logUSSOC 2 Type II · GDPR
Cloudflare AccessAuthentication (Pilot+ tier)Auth tokens onlyAU edgeSOC 2 Type II · ISO 27001
Cyber baseline + SLA

Continuously monitored. Honestly disclosed.

We do not claim certifications we haven't earned. SOC 2 and ISO 27001 are explicit roadmap items, not present-tense claims.

Cyber baseline

  • DMARCstrict reject policy on xlooop.com + adevi.com.au domains
  • TLSTLS 1.3 minimum; HSTS preloaded
  • HIBPcredentials monitored; no exposed credentials on file
  • CSPstrict Content-Security-Policy on all marketing surfaces
  • DNSDNSSEC-aligned; Cloudflare-protected
  • SOC 2 Type IIaspirational — not currently audited; on roadmap
  • ISO 27001aspirational — not currently certified; on roadmap

SLA by tier

TIERUPTIMERESPONSEREVIEWDiscoverybest-effortbest-effortn/aPilot99.0%4 hoursend-of-pilotProduction POC99.5%2 hoursmonthlyAnnual licence99.9%1 hourweekly · dedicated CSM

full data residency posture · per-region encryption · cross-border transfer mechanisms — see Data Sovereignty.

FAQ

The questions buyers ask in due diligence.

🇦🇺 Australia · regulatory regimes

Designed with Australia regulation in mind.

Switch region in the top nav to see the equivalents in your market.

TPB
Tax Practitioners Board
Code of professional conduct + record-keeping.
ATO
Australian Taxation Office
Lodgement audit trail + benchmark conformity.
AUSTRAC
AML / CTF transactions
Suspicious-matter surfacing + audit ledger.
OAIC
Privacy + NDB
Notifiable-data-breach + consent management.
ASD
Essential 8
DMARC + TLS + patching posture.
NSW Fair Trading
Building defect liability
Pre-purchase + pre-settlement evidence chain.
?Need help?