Trust, Safety &
Security
xcelit connects founders, builders, and investors around real execution. That only works if the Platform is a safe, trustworthy environment. Safety is product infrastructure — not policy decoration.
Safety Principles
Every design decision on xcelit is evaluated against four non-negotiable safety principles:
- Respect-first conduct. Every person on the Platform — founder, builder, or investor — deserves to be treated with basic respect. Harassment, discrimination, and intimidation have no place here.
- Least-privilege access. Permissions are scoped as narrowly as the task requires. No role receives access beyond what is needed to do their work within a project.
- Secure defaults. Security controls are active by default — not opt-in. Users should not have to configure their way to safety.
- Actionable reporting. Every report of policy-violating behavior is reviewed by a human. We do not rely solely on automated systems to make moderation decisions.
Conduct Standards
All users must comply with the conduct standards set out in our Terms of Service. The following are expressly prohibited on xcelit:
Interpersonal conduct
- Harassment, threats, or intimidation directed at any user
- Discrimination based on race, ethnicity, religion, gender, sexual orientation, disability, or nationality
- Impersonating another user, founder, investor, or xcelit staff member
- Unwanted or unsolicited commercial messaging ("cold spam") within the Platform
Platform integrity
- Posting false, misleading, or fabricated project information to deceive investors or collaborators
- Creating fake accounts to inflate project metrics or circumvent suspensions
- Attempting to acquire user data from the Platform for external purposes without consent
- Scraping, crawling, or systematic data extraction without explicit written authorization from xcelit
Legal compliance
- Posting content that infringes on third-party intellectual property rights
- Using the Platform to facilitate unauthorized investment solicitation or financial fraud
- Sharing confidential information obtained from project workspaces without authorization
Identity & Verification
xcelit uses layered identity verification to build trust on the Platform without creating unnecessary friction for legitimate users.
- OAuth authentication — all accounts are created through GitHub or Google OAuth. No passwords are stored on xcelit servers, reducing credential theft risk.
- GitHub verification — when a founder connects the GitHub App, their repository activity is verified directly by the GitHub API. This makes execution records harder to fabricate.
- Billing verification — when a founder connects Stripe or Paddle, revenue metrics are pulled directly from the billing provider and marked as "verified." Founder-reported metrics are labeled separately.
- Profile completeness signals — incomplete profiles and newly created accounts may have reduced platform access until basic verification steps are completed.
- Rate limiting — sensitive actions (applications, messages, account changes) are rate-limited via Arcjet to detect and slow credential stuffing and abuse patterns.
Data & Platform Security
- Encryption in transit — all data between users and xcelit is encrypted using TLS.
- Encryption at rest — all third-party API keys (GitHub, Stripe, Paddle, PostHog) are encrypted using AES-256 before being stored in the database. Plaintext credentials are never persisted.
- Role-based access control — within project workspaces, permissions are enforced at the server action level, not just in the UI. OWNER, ADMIN, and MEMBER roles carry distinct permission boundaries.
- Infrastructure security — xcelit is hosted on Vercel (edge-secured), backed by Neon PostgreSQL (encrypted storage, automated backups, point-in-time recovery).
- Payment security — card and financial transaction data is never stored by xcelit. All payment processing is handled by PCI-compliant providers (PayPal, Razorpay, Stripe, Paddle).
- Operational monitoring — errors, anomalies, and security events are logged and alerted in real time. We maintain audit trails for sensitive operations.
Abuse Prevention
We use a combination of automated detection and manual review to identify and act on abuse patterns before they harm users.
- Automated rate limiting on high-risk endpoints (authentication, applications, messaging)
- Bot detection and traffic anomaly monitoring via Arcjet
- Duplicate account detection to prevent ban evasion
- Review queues for flagged profiles, projects, and reported content
- Pattern analysis for spam and mass-outreach behavior
- Audit logs for admin-level actions to maintain accountability
Users who repeatedly violate Platform policies will be permanently removed. We do not provide warnings for severe violations (fraud, harassment, impersonation).
Reporting & Moderation
If you experience or observe behavior that violates these standards, please report it to us.
How to report
Email support@xcelit.co.in with the subject line Safety Report. Include a description of the behavior, relevant screenshots or links, and your account email.
Every report is reviewed by a team member, usually within 72 hours. Actions available to our moderation team include:
- Warning — for first-time minor violations with remediation guidance
- Temporary restriction — limited access to specific features
- Suspension — temporary removal from the Platform pending investigation
- Permanent removal — for severe or repeated violations, with no right of return
We will not disclose the identity of reporters unless legally required to do so. Retaliation against users who report policy violations is itself a policy violation.
Transparency
Trust is built through clarity, not claims. The following transparency standards apply Platform-wide:
- Data source labeling — every metric on xcelit is labeled with its source (GitHub-verified, Stripe-verified, PostHog-verified, or Founder-reported). Users can always distinguish verified data from self-reported data.
- Unverified data warnings — founder-reported financial data older than 30 days receives an amber staleness warning. Users should factor this into how they interpret the data.
- No hidden scores — xcelit does not display hidden ranking scores or composite rating numbers to users. Project sorting and filtering is based on verifiable activity signals.
- Policy change notice — material changes to this Trust & Safety policy will be communicated via in-product notification or email at least 14 days before taking effect.
Investor Safeguards
Investors on xcelit are seeing real execution data — not marketing copy. To protect the integrity of the evidence investors review:
- Verified source only — execution records are generated only from connected systems of record (GitHub, Stripe, PostHog). Founders cannot manually add or edit data in these records.
- No AI-generated observations — AI contributes interpretation (what the data might mean), not observations (what happened). Every fact in an execution record names its source.
- Solicitation limits — xcelit is a discovery and evidence platform, not a regulated financial exchange. We do not facilitate binding investment commitments. Any investment discussions between founders and investors occur outside the Platform and are subject to applicable securities laws.
- No guaranteed returns — xcelit makes no representations about the investment quality, future performance, or valuation of any startup listed on the Platform.
Responsible Disclosure
If you discover a security vulnerability in xcelit, we ask that you disclose it responsibly by contacting us before making it public. We commit to:
- Acknowledge your report within 5 business days
- Investigate and confirm the vulnerability without undue delay
- Keep you informed of our remediation progress
- Not take legal action against good-faith security researchers
To report a vulnerability, email support@xcelit.co.in with the subject line Security Disclosure. Please include a description of the issue, reproduction steps, and your assessment of potential impact. Do not test vulnerabilities against production user data.
Contact & Escalation
For safety reports, security disclosures, or policy questions, contact us at:
xcelit — Trust & Safety
Punjab, India
Safety reports: reviewed within 72 hours. Security disclosures: acknowledged within 5 business days.
If you are not satisfied with our response, you may escalate to the relevant regulatory authority in your jurisdiction. In India, this includes the Ministry of Electronics and Information Technology (MeitY) under the IT Act, 2000.