Security & Architecture
A plain-language description of how DataXcel handles your data, what runs where, and who we share it with. If you need more detail for a vendor review, email Info@Xcel.Software.
How DataXcel connects to Sage 100 Contractor
DataXcel reads Sage 100 Contractor through XcelConnect, our reverse-tunnel proxy. A small Windows agent runs on your Sage server and opens a single outbound WebSocket Secure (WSS) connection to our broker at broker.xcel.report on port 443. Nothing inbound. No firewall changes on your side.
The agent never listens on a port. When our data pipeline needs to query Sage, the request flows out from our broker, through the tunnel the agent already opened, to 127.0.0.1 on your SQL Server. The agent forwards the response back the same way.
Access is read-only: the SQL account used by the agent is granted SELECT on the Sage database. The agent itself ships as a signed Windows binary that auto-updates from our broker, with a heartbeat watchdog that restarts it if it ever goes unresponsive.
Where your data lives
- US-based hosting. Our broker, data warehouse, and Metabase instances run in US regions on AWS. Data does not leave the United States.
- AES-256 at rest. Disk volumes for the data warehouse and Metabase database are encrypted with AES-256.
- TLS in transit. All connections between you, our broker, our warehouse, and Metabase use TLS 1.2 or higher.
- Tenant isolation. Each customer gets their own Metabase instance and their own warehouse schema. There is no shared multi-tenant database where your rows sit next to another customer's.
Access controls
- MFA for our staff. Every Xcel Software employee account with access to customer infrastructure requires multi-factor authentication.
- No shared credentials. Each engineer has their own account on each system. We do not pass around a single admin password.
- Audit logs. Broker connections, Metabase logins, and warehouse queries are logged. We can produce an access report for your environment on request.
- Least-privilege SQL. The agent's SQL account has read-only permissions on the Sage database. It cannot write, alter schema, or read other databases on the same server.
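The least-privilege claim above can be checked from the customer side of a vendor review. The T-SQL below is an added example, not DataXcel's own code; it lists anything the agent's SQL account holds beyond read access to the Sage database. The login name `xcelconnect_ro` is a hypothetical placeholder, and the script assumes a login mapped directly to a user in the Sage database.

```sql
-- Added example: customer-side check of the read-only claim. Run as sysadmin
-- with the Sage database as the current database (USE it first).
-- 'xcelconnect_ro' is a hypothetical login name; substitute your agent's account.
DECLARE @agent_login sysname = N'xcelconnect_ro';

-- 1. Explicit grants to the agent's database user other than SELECT/CONNECT.
--    Expected if the description above holds: no rows.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS u ON u.principal_id = pe.grantee_principal_id
WHERE u.sid = SUSER_SID(@agent_login)
  AND pe.state IN ('G', 'W')          -- GRANT and GRANT WITH GRANT OPTION
  AND pe.permission_name NOT IN ('SELECT', 'CONNECT');

-- 2. Database roles the user belongs to. Expected: at most db_datareader.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@agent_login);

-- 3. Server roles held by the login. Expected: no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @agent_login;

-- 4. Impersonate the login and list other user databases it can open.
--    Expected: no rows.
EXECUTE AS LOGIN = @agent_login;
SELECT d.name AS reachable_database
FROM sys.databases AS d
WHERE d.database_id > 4               -- skip master, tempdb, model, msdb
  AND d.name <> DB_NAME()
  AND HAS_DBACCESS(d.name) = 1;
REVERT;
```

Any row from checks 1, 3 or 4, or a role other than db_datareader in check 2, is worth raising with the vendor before sign-off.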
Sub-processors
DataXcel relies on a small number of vendors to deliver the service. We do not share customer data with any party not on this list:
- Amazon Web Services (AWS). Hosts our broker, data warehouse, and Metabase instances in US regions.
- Firebase Hosting (Google). Serves this marketing website.
- GitHub Actions. Runs our build and deploy pipeline. Does not receive customer data.
- Anthropic and OpenAI. Power the AI features (monthly board-report narratives, query assistance). Only the aggregated figures needed to generate a given report are sent — not raw transaction-level data — and the providers' enterprise terms forbid training on our inputs.
Compliance roadmap
We're transparent about where we are today and where we're going. No fabricated certifications.
- SOC 2 Type I: targeted for Q3 2027. We can share the in-progress control inventory and our auditor of record on request.
- Annual penetration test: we contract an external pen-test annually; latest summary available under NDA.
- Vulnerability disclosure: security@xcel.software accepts reports directly. We acknowledge within 2 business days.
- DPA on request: data-processing addendums are available for customers with GDPR or state-privacy obligations. We do not sell customer data; we do not use it to train AI models.
- Breach notification: in the unlikely event of a security incident affecting your data, we will notify your primary contact within 72 hours of confirmation, with a written incident report following.
- Data-export on exit: if you terminate, we provide a full export of your warehouse schema (CSV + Postgres dump) within 30 days. Your Sage data was never ours — it stayed in your database the whole time.
Questions or vendor reviews
We're a small team and we answer security questionnaires directly. Email Info@Xcel.Software and we'll get back to you with specifics for your environment.