Security
Policy

This security policy applies to all digital assets owned and operated by Tiritix, including but not limited to:

• tiritix.com — corporate website and product portfolio
• api.tiritix.com — backend API infrastructure
• map.tiritix.com — mapping and geolocation services
• myspector.com — SaaS web monitoring platform
• All mobile applications published under the Tiritix name (Xopoz, Xolorz)
• All open-source repositories maintained by Tiritix (XoSkryb, XoClock, XoPing)

Tiritix systems process, transmit, and store real-time and historical geolocation data of natural persons, classified as high-sensitivity personal data under applicable data protection law. Pursuant to GDPR Recital 75, location data is expressly recognized as information whose unauthorized disclosure may cause significant economic or social disadvantage to data subjects.

Geolocation data processed by Tiritix services is capable of revealing:

• Home address, workplace, and habitual places of residence of identified individuals
• Patterns of daily life, travel habits, and recurring behavioural routines
• Attendance at religious, political, medical, or other sensitive establishments
• Real-time physical whereabouts of individuals, creating direct personal safety risks
• Social and professional associations through co-location and team membership analysis

Without prior written authorization from Tiritix, the following activities are strictly prohibited and will give rise to civil and criminal liability:

• Conducting security assessments, vulnerability scans, penetration tests, or fuzz testing of any kind against any Tiritix system, website, API, or application
• Accessing, querying, or invoking any non-public endpoint, whether authenticated or unauthenticated, without a valid license agreement
• Enumerating, cataloguing, reverse-engineering, or reconstructing any API schema, route, data model, or internal architecture
• Intercepting, recording, replaying, or tampering with traffic via proxy, man-in-the-middle, or packet inspection tools
• Automated scraping, crawling, harvesting, or systematic extraction of data from any Tiritix-operated service or website
• Credential stuffing, brute-force authentication, token forgery, session hijacking, or any form of unauthorized credential exploitation
• Any interaction that degrades, disrupts, or impairs the availability, integrity, or performance of any Tiritix service
• Decompiling, disassembling, or reverse-engineering any Tiritix software product, mobile application, or backend service

Unauthorized access to any Tiritix system is prosecutable under the following statutes and regulatory instruments, without limitation:

This policy and any dispute arising from unauthorized access shall be governed exclusively by the laws specified below. Tiritix reserves the right to pursue legal proceedings in any competent jurisdiction where the unauthorized activity originated, transited, or produced effects.

All interactions with Tiritix systems are logged, monitored, and retained in accordance with our data retention policy and applicable legal requirements. Metadata collected includes, but is not limited to: source IP addresses, request timestamps (UTC), HTTP methods, URI paths, request headers, TLS fingerprints, and response codes.

Log data is preserved in tamper-evident storage and will be disclosed to law enforcement authorities, regulatory bodies, or legal counsel in connection with any investigation or proceeding arising from unauthorized access.

Right to File Criminal Complaints: Tiritix reserves the unconditional right to file criminal complaints with German and international law enforcement agencies upon detection of any attempt to probe, test, or gain unauthorized access to its systems. Under German and EU law, the mere attempt to circumvent access controls or test system defenses constitutes a criminal offence — no successful breach is required for prosecution.

Automated Detection Threshold: Any single source generating more than 100 requests within a 24-hour period to a given HTTP endpoint with varying parameters, credentials, or payloads constitutes prima facie evidence of automated unauthorized access and will trigger immediate preservation of forensic evidence and referral to law enforcement. This threshold is a factual indicator, not a safe harbour — Tiritix may file complaints for any volume of suspicious activity at its sole discretion.