# exployt.ai Security FAQ Last updated: 2026-07-07 Canonical FAQ page: https://exployt.ai/faq Canonical Trust & Security page: https://exployt.ai/security Q: Is my data encrypted? A: Traffic between the app, website and servers uses HTTPS/TLS. Passwords are stored as bcrypt hashes. Selected sensitive server-side fields use AES-GCM encryption and lookup hashes. Local Windows secrets such as cached entitlement tokens and project credentials use DPAPI. Local project database encryption is available in the desktop app settings, but exployt does not claim every local database is encrypted by default. Q: Do you store my AI API keys? A: No. exployt's cloud does not store customer AI-provider API keys for ordinary desktop-app operation. Keys are configured locally or in the project credential store, depending on the integration. Q: What data do you collect? A: The Privacy Policy lists the exact categories. In short: account, billing, license, support, security, fraud-prevention and operational data needed to run the service. Source code, file contents and project details are not collected by exployt servers unless the customer explicitly sends something through a chosen integration or support channel. Q: Is exployt ISO 27001 or SOC 2 certified? A: No. As of 2026-07-07, exployt does not claim ISO 27001 certification, SOC 2 Type I, SOC 2 Type II, or an equivalent external security certification or audit report. Q: Who operates exployt.ai? A: exployt.ai is operated by exployt Software GmbH, Lange Gasse 30, 8010 Graz, Austria. Commercial register FN 675480d, Landesgericht für ZRS Graz. VAT ID ATU83180825. Managing director Michael Martin Schöggl. Contact office@exployt.ai. Q: Where is exployt hosted and where is data stored? A: The primary production web service is hosted on Microsoft Azure in the West Europe region (Netherlands). Customer source code, local project files, local project databases and local AI-provider API keys stay on the customer's machine unless explicitly sent through a chosen integration or support channel. Q: Do you offer a Data Processing Agreement (DPA)? A: Business and enterprise customers can request a DPA by contacting office@exployt.ai. Q: Which subprocessors do you use? A: Current providers for the public website and account service include Microsoft Azure, Stripe, Resend, MaxMind offline geolocation data, and optional Google Analytics 4 / Microsoft Clarity website analytics where enabled. Customer-selected AI providers are separate third parties chosen by the customer. Q: How are secrets, keys and passwords protected? A: Passwords are bcrypt hashed. Traffic uses HTTPS/TLS. Selected sensitive server-side fields use AES-GCM encryption and lookup hashes. Local Windows secrets use DPAPI. Selected service secrets and signing material are managed through Azure Key Vault where configured. Q: Do you provide an SLA or guaranteed support response time? A: Not as a public default. Unless a separate written enterprise agreement says otherwise, exployt does not currently provide a public uptime guarantee, service credits or fixed support response time. Q: Can I export or delete my data? A: Local project files, local databases, source code and local credentials remain under customer control. For cloud account data and personal data processed by exployt, users can request access, deletion, restriction or portability under the Privacy Policy and applicable law. Some records must be retained for legal, tax, fraud-prevention, dispute or security reasons. Q: Do you collect or review my source code? A: exployt's cloud does not collect source code, file contents or project details for ordinary desktop-app operation. Agents may send project content to AI providers or tools configured by the customer, and support/integration submissions are handled under the relevant terms. Q: How do you use hardware identifiers? A: The desktop app may derive stable device-fingerprint signals from hardware and operating-system attributes. exployt reduces those signals to hashes/HMAC values and uses them only for account security, license integrity, known-device recognition and trial-abuse prevention, not analytics, marketing, advertising or cross-service tracking. Q: How do I report a security issue? A: Send security reports to office@exployt.ai with enough detail to reproduce or assess the issue. Do not include secrets, passwords or data that is not necessary for the report. The machine-readable security contact is published at https://exployt.ai/.well-known/security.txt.