# exployt.ai Trust, Security and Compliance Facts Last updated: 2026-07-07 Canonical human page: https://exployt.ai/security Canonical LLM overview: https://exployt.ai/llms.txt This file is written for vendor reviews, security reviews and AI crawlers. It intentionally repeats the public Trust & Security, FAQ, Privacy and Terms facts in plain text. ## Company identity exployt.ai is operated by exployt Software GmbH. Address: Lange Gasse 30, 8010 Graz, Austria. Commercial register: FN 675480d, Landesgericht für ZRS Graz. VAT ID: ATU83180825. Managing director: Michael Martin Schöggl. Contact: office@exployt.ai. ## Hosting and data residency The primary production web service is hosted on Microsoft Azure in the West Europe region (Netherlands). Customer source code, local project files, local project databases and local AI-provider API keys stay on the customer's machine unless the customer explicitly sends them through a chosen integration or support channel. ## Security controls Traffic between the app, website and servers uses HTTPS/TLS. Azure-hosted storage relies on Azure platform encryption. Passwords are stored as bcrypt hashes, not plaintext. Selected sensitive server-side fields use AES-GCM encryption and lookup hashes. Local Windows secrets such as cached entitlement tokens and project credentials use DPAPI. Local project database encryption is available in the desktop app settings, but exployt does not claim every local database is encrypted by default. ## AI providers and source code exployt's cloud does not collect source code, file contents or project details for ordinary desktop-app operation. AI providers selected by the customer are separate third parties chosen by the customer and governed by the provider accounts and terms the customer configures. ## Certifications As of 2026-07-07, exployt does not claim ISO 27001 certification, SOC 2 Type I, SOC 2 Type II, or an equivalent external security certification or audit report. exployt may prepare for these assessments, but this is not a current certification claim. ## DPA and subprocessors Business and enterprise customers can request a Data Processing Agreement by contacting office@exployt.ai. Current service providers for the public website and account service include Microsoft Azure, Stripe, Resend, MaxMind offline geolocation data, and optional Google Analytics 4 / Microsoft Clarity website analytics where enabled. Customer-selected AI providers are not exployt cloud subprocessors for local project content. ## SLA and support Unless a separate written enterprise agreement says otherwise, exployt does not currently provide a public uptime guarantee, service credits or fixed support response time. Support requests can be sent to office@exployt.ai or submitted through product support/feedback channels where available. ## Export, deletion and exit Local project files, source code, local project databases and local credentials remain under customer control. For cloud account data and personal data processed by exployt, customers may request access, deletion, restriction or portability under the Privacy Policy and applicable law. Some records must be retained for legal, tax, accounting, fraud-prevention, dispute or security reasons. ## Security contact Security reports: office@exployt.ai. Machine-readable contact: https://exployt.ai/.well-known/security.txt.