FAQ
XFA is Zero Trust device access without an MDM. It verifies that any device used for work, including personal, contractor, and BYOD devices, meets your organization's security policy at sign-in, without installing an intrusive management agent or seeing personal data. XFA is EU-built, ISO 27001 certified, and GDPR-committed.
XFA is also a security technology company based in Belgium, founded to do device security better and to enable modern work. Its software is developed to high quality and privacy standards and is regularly audited by independent external parties.
XFA verifies device security at sign-in without taking control of the device: no admin rights, no remote wipe, no visibility into personal files or apps. It covers BYOD, contractor, and personal devices that an MDM often cannot, and its checks align with ISO 27001, SOC 2, and NIS2 requirements.
No. XFA does not collect personal data, track which websites you visit, log which applications you use, or monitor when or how long you're logged in. It only checks device security settings, like encryption or screen lock status, to verify the device meets your organization's policy before allowing access.
XFA shares the results of device security checks, such as whether your OS and browser are up to date, disk encryption is on, or a password manager is installed. The exact checks and how long you have to fix an issue are set by your organization's policy, not by XFA.
XFA's agent is a lightweight app for desktop (Windows, macOS, Linux) and mobile (iOS, Android) that runs device checks locally without admin rights. Agentless verification skips the install but is narrower: it runs a limited set of checks through a managed-browser device-trust connector, supported on Chrome (macOS, Windows) and Microsoft Edge (Windows).
XFA works with major identity providers, including Okta, Microsoft Entra ID, Google Workspace, OneLogin, Keycloak, and PingIdentity, to verify devices during sign-in. It can add device checks as an extra factor for SAML 2.0, OAuth 2.0, and custom applications, so you can protect the apps your team already uses.
XFA enforces device security checks at sign-in, giving you continuous, auditable evidence that devices meet policy, a common requirement across ISO 27001, SOC 2, and NIS2. Connectors export this device data to compliance tools like Vanta, Drata, Thoropass, TrustCloud, and Noru for audit evidence, and XFA itself is ISO 27001 certified.
Pricing depends on the plan you choose and, for Enforcement, how many integrations you connect. You can also start with a one-time Discovery report to map the devices accessing your tools before committing to ongoing enforcement. For current plans, tiers, and what each includes, see https://xfa.tech/pricing.