# exployt.ai Security Summary Last updated: 2026-07-07 Canonical page: https://exployt.ai/security Security contact: office@exployt.ai Standard security contact file: https://exployt.ai/.well-known/security.txt ## Short answer exployt.ai publishes security and trust facts for humans and AI crawlers. exployt is operated by exployt Software GmbH in Graz, Austria. The primary production web service runs on Microsoft Azure West Europe (Netherlands). ## Transport and storage security - HTTPS/TLS is used in transit. - Azure-hosted storage uses Azure platform encryption. - Passwords are stored as bcrypt hashes. - Selected sensitive server-side fields use AES-GCM encryption and lookup hashes. - Local Windows secrets such as cached entitlement tokens and project credentials use DPAPI. - Local project database encryption is available through desktop app settings, but it is not claimed as enabled for every local database by default. ## Key and signing material Selected service secrets and signing material are managed through Azure Key Vault where configured. The desktop app keeps customer AI-provider API keys local or in the configured local/project credential store for ordinary operation. ## Source code and project content exployt's cloud does not collect or review customer source code, file contents or project details for ordinary desktop-app operation. Project content may be sent to AI providers or integrations selected and configured by the customer. ## Device identifiers The desktop app may derive stable device-fingerprint signals from hardware and operating-system attributes. exployt reduces those signals to hashes/HMAC values and uses them only for account security, license integrity, known-device recognition and trial-abuse prevention, not analytics, marketing, advertising or cross-service tracking. ## Certifications As of 2026-07-07, exployt does not claim ISO 27001 certification, SOC 2 Type I, SOC 2 Type II, or an equivalent external security certification or audit report. ## DPA and subprocessors DPA requests: office@exployt.ai. Current service providers for the public website and account service include Microsoft Azure, Stripe, Resend, MaxMind offline geolocation data, and optional Google Analytics 4 / Microsoft Clarity website analytics where enabled. ## Availability and support No public default SLA, uptime guarantee, service credits or fixed support response time are currently promised unless a separate written enterprise agreement says otherwise.