Security is our top priority

Xoba adheres to the latest, industry-accepted best practices and standards defined by NIST 800-53, SANS and OWASP, ensuring your data is safe at all times.

Least privileged access

Xoba requests only the 'must-have' permissions, which in most cases is read-only. We cannot modify or delete your data.


We don't store your files

Xoba does not download your files, documents, tasks, or messaging to our servers.



All data is encrypted end-to-end using industry-standard methods like AES-256 and TLS 1.2. It is encrypted in transit and at rest.


No passwords

OAuth is used to connect all your applications. We will never ask for your credentials to these applications, and we securely store the authentication token.


Xoba's Security-First Principles

Security & Privacy are fundamental to Xoba. We always put ourselves in our customers' shoes to ensure we do what is in their best interest.
  • If we can't build a feature securely, we won't build it
  • We never sell user or customer data
  • We use the latest security industry best practices
  • We are transparent about our practices and will notify you if things change
Have questions about our security practices? Read more below or contact us.

Security Details

Cloud providers


Xoba is hosted on Google Cloud Platform. All datacenters are located in the United States.

Creation of Xoba accounts


Individuals are able to create a Xoba account using Google or via passwordless login. Xoba uses Google authentication services.

Third-Party application authentication


Xoba users connect their third-party applications (e.g. Google Drive, Asana, Slack, etc.) using OAuth 2.0, an industry standard for authorizing secure access to external applications. Xoba does not have access to or store any application passwords. Users are able to remove an application at any time, and Xoba immediately deletes all authentication and authorization data from our servers.

Data encryption


Xoba exclusively sends data over HTTPS, using Transport Layer Security (TLS) encrypted connections, for additional security as data transits to and from the application. All data on Xoba servers is encrypted at rest. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). Xoba has complete control over access to the KMS, and that access is restricted within Xoba.

Access and authentication tokens


All applications connected to Xoba use OAuth 2.0. Users’ access tokens (tokens used to grant access to information based on the user requesting it) and refresh tokens (tokens used to request a new access token) are stored in separate databases. The refresh tokens are encrypted using AES-256 encryption. Access to the refresh tokens is restricted to a single service (the token refresher). The key for this service is protected with Google Secrets Manager and has restricted access within Xoba.

The access tokens are accessible to Xoba’s backend refresher service and the user who owns them. The user’s private key (generated by Google’s Authentication Service) is verified before the user can touch any access tokens, so the user is only reading/writing their own token(s). These access tokens have a limited lifespan (typically an hour) and are periodically refreshed.

The browser (client) itself does not have direct access to any sensitive data such as access and refresh tokens. Therefore, the browser must go through Xoba’s backend services to gain access, decreasing the risk of vulnerabilities.

Least privileged access


Xoba requests only the ‘must-have’ permissions from your applications. In most cases, this is read-only access. This means we do not have the ability to modify or delete any of the data that is connected. These permission scopes are defined within the third-party application itself and Xoba cannot bypass these permissions. For example, if a user searches for Slack messages, Xoba only asks Slack for read access to messages, but not for items such as user profiles.

Data storage/download


Xoba does not download or store emails, files, documents, etc. on Xoba servers. Once a result is sent to the browser, Xoba automatically purges any related information from its servers. A user’s Google Drive docs stay on Google servers, Asana tasks stay on Asana servers, etc. We only access the information when a user takes a specific action within Xoba (e.g. performs a search). For more information about data we do collect, refer to our Privacy Policy.

Employee & contractor security


Xoba practices the ‘principle of least privilege’. This means that any individual, application, server, etc. only has the bare minimum privileges necessary to perform their function. In addition, below are a few items we implement for all Xoba employees and contractors.

  • 2FA for all accounts and applications
  • 1Password for strong password protection (minimum 30 characters or maximum allowed by service)
  • Distinct passwords across accounts (no account has the same password)
  • Security best practices, training, and education for all members of Xoba

Secure Application Development (Application Development Lifecycle)


Xoba practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull requests, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time to, and the effective eradication of, bugs and vulnerabilities. In addition, we have a policy in place to keep all third-party packages and libraries as up-to-date as possible, to ensure the latest security patches and code are integrated as soon as they’re available.



Xoba is hosted on Google Cloud Platform. Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 18-compliant SOC 2 certification and ISO 27001 certification.

Data collected


Xoba collects usage, analytics, and error logs in order to provide its service. For example, Xoba knows that a user clicked on a Google Drive search result, but we don’t know anything specific about that file (e.g. the name, contents, etc.). This information is not sold to any third parties. If a user wishes to have all their information deleted, they can send a request to



Xoba is an approved Box and Google Cloud partner.

Privacy Policy & Terms of Service




For more information or questions, please reach out to


What information does Xoba store?


Xoba does store information about your account, the applications that you connect to Xoba, searches, Cards created, and other actions you perform. For example, we store an event when you perform a search and click on a result. We don't know what document or file you've selected, but we do store that the result you clicked on was a Dropbox result. For more information about the information we store, please refer to our Privacy Policy.

Why am I requested to enter my password when connecting an application to Xoba?


Xoba uses industry-standard OAuth to connect your applications. Depending on the application you connect, that application may ask you to enter your password to verify your identity. This is purely for security purposes and Xoba does not receive your password from these applications.

What happens when I remove an application from Xoba?


When you remove an application from Xoba, we automatically remove the backend information from our systems. This is typically done within 1-3 minutes of you removing the application. If you want to re-connect the application, Xoba requires you to reauthenticate the application for security purposes.

Can I delete my account and data?


Yes. You are able to delete your Xoba account via the 'Account' page. Once you delete your account, Xoba will remove your account, associated applications, etc. from our systems. No further action is needed from you.

Do you sell my data to 3rd parties?


No. All data stays within Xoba systems and is not sold to 3rd parties. We do not intend to ever sell your data to 3rd parties.

If I have more questions, who can I talk to at Xoba?


If you have more questions or concerns about security and data, please reach out to We're more than happy to discuss!
