XTENFER AI
Security & Compliance

Built for the businesses that can't afford to get security wrong.

Xtenfer AI deploys under the same security discipline required by our federal clients — including active U.S. Air Force engagements. This page covers our posture, deployment options, and data-handling commitments. Engagement-specific controls are documented in the applicable MSA, SOW, BAA, and security appendix.

Last Updated: April 17, 2026

Your data stays where you choose

Public cloud, private cloud, on-premise, or air-gapped. We bring the AI to your data instead of the other way around.

Encrypted in transit and at rest

TLS 1.2+ for data in transit. AES-256 at rest via the cloud provider's KMS. Encryption keys are held in the configured tenant's KMS and never leave it.

Never used for training

Your data never trains our models or any third-party model beyond what is strictly necessary to deliver your service.

Our Security Posture

Xtenfer AI’s security practices are inherited from Xtenfer Consulting Inc., which has delivered IT, training, and facilitation services to commercial and federal clients since 2018. Our federal work, including active engagements with the United States Air Force, means we’ve deployed under contract-specific federal security controls (see Federal Work below). We bring that same discipline to every engagement, regardless of client size.

Deployment and Hosting Options

We support four deployment models. The right one depends on your compliance posture, data sensitivity, and cost profile; we recommend a model during the Strategy Sprint.

  • Public cloud — default for most engagements. Uses major cloud AI providers (Anthropic, OpenAI, Google, AWS Bedrock, Azure OpenAI) configured with zero-retention and enterprise confidentiality terms.
  • Private cloud — AI deployed inside your own AWS VPC, Azure Private, or Google Cloud VPC-SC tenancy. Data never leaves your cloud account.
  • On-premise / self-hosted — open-source models (Llama, Mistral, or custom fine-tunes) running on your own hardware. Suitable for regulated environments and strict data-residency requirements.
  • Air-gapped — fully isolated deployments for the most restricted environments. No outbound connectivity.

Data Handling Commitments

  • Client data is never used to train our models or any third-party model beyond what is strictly necessary to deliver the service
  • We configure third-party AI providers with zero-retention terms wherever available and document the configuration in the engagement’s security appendix
  • Client data is segregated per engagement — no cross-client mixing, no shared model weights
  • All inputs and outputs can be logged and reviewed by the client under the engagement’s audit terms

Encryption

  • In transit: TLS 1.2 or higher for all network communication
  • At rest: AES-256 via the cloud provider’s key management service (KMS); customer-managed keys supported where the provider offers them
  • Secrets: stored in a secrets manager (AWS Secrets Manager, Azure Key Vault, or equivalent) — never in code or configuration files

Access Control

  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) required for all personnel with access to client systems
  • Access provisioned per engagement and revoked within 24 hours of offboarding or engagement closure
  • Access logs retained and available for client audit

HIPAA

We deploy HIPAA-aware architectures for healthcare clients. We do not process Protected Health Information (PHI) without an executed Business Associate Agreement (BAA) in place.

Our standard HIPAA deployment pattern uses private-cloud or on-premise hosting with audit logging, access controls, and encryption that meet or exceed the HIPAA Security Rule technical safeguards. Specific safeguards are documented in the engagement’s BAA addendum.

Federal Work

Xtenfer Consulting Inc. maintains active engagements with federal clients, including the United States Air Force. Federal engagements are conducted under the contract-specific security controls required by the client (e.g., CUI handling, FIPS-validated encryption, US-citizen staffing requirements). We don’t claim FedRAMP, CMMC, or other certifications we haven’t achieved — the specific compliance posture for an engagement is documented in the engagement’s security appendix.

Data Residency

US-based data residency by default. Alternative residency (EU, UK, other) available for engagements with specific requirements, using region-appropriate cloud tenancy or on-premise infrastructure.

Retention and Deletion

  • Client data is retained per the engagement’s Statement of Work
  • Deletion of client data on request, or at engagement closure per the SOW, whichever is earlier
  • Deletion extends to backups according to the backup-rotation schedule documented in the engagement
  • Audit logs retained per client requirements

Subprocessors

We use vetted third parties to operate our business and deliver services (hosting, scheduling, AI model providers, etc.). A current list of subprocessors used in client engagements is maintained and shared on request. Clients are notified of material changes to the subprocessor list.

Incident Response

We maintain a written incident response plan covering detection, containment, eradication, recovery, and post-incident review.

In the event of a confirmed security incident affecting client data, we notify the affected client within the timeframes required by law and the engagement’s security appendix — typically within 24 hours of confirmation.

Reporting Vulnerabilities

If you believe you’ve identified a security vulnerability in this website or in our services, please email Luka@Xtenfer.ai with the details. We acknowledge reports within one business day and work in good faith with security researchers who report responsibly.

Contact

Security or compliance questions — including BAA requests, DPA requests, subprocessor lists, or client-audit coordination — Luka@Xtenfer.ai. Mail: Xtenfer Consulting Inc., Tysons, Northern Virginia, USA.