How xengo protects your data and your visitors’ privacy — stated plainly, claim by claim. xengo is a product of Synvu Limited (UK company no. 15761962), hosted entirely in AWS London.
1. Where Your Data Lives
xengo runs entirely in AWS eu-west-2 (London) — the application, the redirect plane, analytics storage and backups. Customer data is not replicated outside the UK region.
xengo is built and operated by Synvu Limited, a UK-registered company (no. 15761962). Your agreement is with a UK entity under English law.
2. Visitor Privacy by Architecture
When someone clicks a link or scans a QR code, we enrich the event (location, device, bot detection) using an offline geolocation database running on our own servers. The visitor’s IP address is never sent to a third-party service to be looked up.
Raw click and scan records expire automatically after 90 days. Long-term reporting uses aggregated counters, not raw visitor rows.
3. Encryption and Access Control
All traffic is TLS-encrypted in transit and encrypted at rest. Every request to the platform is scoped to your tenant server-side — tenant identity comes only from a verified token, never from client input.
API keys are stored as SHA-256 hashes and shown exactly once at creation. Outbound webhook deliveries are HMAC-SHA256 signed (Svix-compatible headers) with automatic retries and a per-attempt delivery log, so your systems can verify every event really came from us.
Team access is role-based (admin / user) with per-plan seat enforcement. Single Sign-On is available on the Enterprise tier.
4. Link Safety Screening
Every destination URL is screened before a short link goes live: scheme and internal-address checks, shortener-chain blocking and malware/phishing reputation screening, with automatic daily re-scans of live destinations.
Suspicious links are quarantined for human review, and abusive accounts are suspended. This is why links on xengo domains stay trusted by corporate mail filters.
5. Payments
Card details never touch our servers. Billing is handled end-to-end by Stripe (PCI DSS Level 1); billing events we receive from Stripe are signature-verified and idempotent.
6. UK GDPR and Data Processing
We operate to UK GDPR. A Data Processing Agreement is available on request, and our Privacy Policy sets out what we collect and why. We do not sell personal data.
Certifications: we are not yet SOC 2 or ISO 27001 certified, and we won’t pretend otherwise — this page states our actual posture. If a certification matters for your procurement, contact us and we’ll walk you through our controls directly.
7. Subprocessors
Amazon Web Services (hosting & storage, London region) · Stripe (payments) · Google Workspace (business email) · Brevo (transactional/marketing email delivery) · MaxMind (geolocation database, licensed and run offline on our infrastructure — no visitor data is sent to MaxMind).
Our marketing website (not the console) also uses Google Analytics and Microsoft Clarity.
8. Reporting a Vulnerability
Found something? Email security@xengo.io and we’ll respond promptly. We ask for reasonable disclosure time and will credit good-faith researchers.
Security questions or procurement checklists? Contact security@xengo.io.
Synvu Limited, UK registered company no. 15761962, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ.