Built for regulated industries from the first line of code.
Xelurel AI handles sensitive AI outputs across healthcare, legal, and financial services. Security and auditability aren't features we added later — they're the architecture.
What we store — and what we don't.
Xelurel AI never stores your raw AI outputs or user prompts. Content is hashed (HMAC-SHA256, tenant-scoped key) for integrity verification only. The governance decision, risk score, and triggered rules are stored — not the content itself.
Content hashing, not content storage
Every prompt and output is hashed using a tenant-scoped HMAC-SHA256 key before the assessment is persisted. The hash lets you verify integrity later — but the original content cannot be reconstructed from it.
What is stored per decision
Decision ID, tenant ID, decision outcome (allow / review / block), risk score (0–100), triggered rule IDs, policy ID and version, API key environment, and timestamps. No raw text.
Data retention
Default retention is 12 months. Enterprise customers can configure custom retention windows under a data processing agreement. Deletion requests are honoured within 30 days.
Data residency
All data is stored in Google Cloud Firestore (us-central1 by default). Enterprise customers on custom contracts can request regional isolation.
Encrypted everywhere, always.
At rest
- AES-256 encryption via Google Cloud Firestore
- Tenant-scoped HMAC-SHA256 keys for content hashing
- API keys stored as SHA-256 hashes — never in plaintext
- Webhook signing secrets stored encrypted
In transit
- TLS 1.2+ enforced on all endpoints
- HTTPS-only — HTTP requests redirected
- HMAC-SHA256 signatures on all outbound webhooks
- Stripe-signed webhooks for billing events
Least privilege, enforced server-side.
Role-based access control (RBAC)
Every team member is assigned a role — admin, reviewer, or read_only. Roles are enforced server-side on every API route, not just the UI. A reviewer cannot publish policies. A read_only member cannot invite teammates or call mutating endpoints.
API key security
API keys are shown once at creation, then stored as SHA-256 hashes. Keys are scoped to a single tenant and environment (test / live). You can revoke any key instantly from the dashboard. Rate limits are enforced at three independent layers: per-tenant, per-key, and per-IP.
Session management
Dashboard sessions use Firebase-issued HttpOnly, Secure, SameSite=Lax cookies with a 7-day TTL. Sessions are verified server-side on every authenticated request using Firebase Admin SDK — no client-side trust.
Tenant isolation
Every Firestore read and write is scoped to the authenticated tenant's ID. There are no cross-tenant queries. Multi-tenant admin access is available to super-admins only, identified by allow-listed email at session creation.
Every decision. Immutable. Exportable.
Xelurel AI's core function is producing an auditable record of every AI governance decision. That record is designed to satisfy compliance reviewers, not just developers.
Decision ID: UUID v4 — unique per assessment
Timestamp: ISO 8601, server-side (not client clock)
Decision: allow / review / block — immutable once written
Risk score: 0–100 integer + normalized float
Triggered rules: Rule IDs + human-readable reasons
Policy version: Exact version applied at assessment time
API key env: test or live — prevents test/prod confusion
Content hashes: HMAC-SHA256 of prompt + output
Reviewer actions: Override decision + note, timestamped
Decision logs can be exported as CSV or JSON directly from the dashboard, with optional date range filtering. Enterprise customers get audit exports formatted for regulatory submission.
Where we are and where we're going.
Audit in progress. Controls are designed to Type II standards. Report available to enterprise customers under NDA upon request.
Available to Enterprise customers handling PHI. Contact us to execute a Business Associate Agreement. Healthcare policy templates are available on all plans.
Xelurel AI does not store raw personal data. Hashed content cannot be reversed. Data deletion requests honoured within 30 days. DPA available on request.
Default 12-month retention on all paid plans. Custom retention windows (longer or shorter) available under Enterprise data processing agreements.
Annual third-party penetration testing. Results available to enterprise customers under NDA.
How we run it.
Hosting
Vercel Edge Network
Global CDN · automatic TLS · zero cold-start for API routes
Database
Google Cloud Firestore
Multi-region replication · automatic backups · point-in-time recovery
Auth
Firebase Authentication
Industry-standard token flow · short-lived ID tokens · HttpOnly session cookies
Rate limiting
Upstash Redis
Sliding window · cross-instance · 3 independent layers per API request
Resend
Transactional only · no marketing lists · SPF + DKIM + DMARC configured
Payments
Stripe
PCI-DSS compliant · card data never touches Xelurel AI servers
Found something? Tell us first.
We take security reports seriously and respond to all valid reports within 5 business days. We ask that you give us reasonable time to investigate and remediate before public disclosure.
Responsible disclosure
Report security vulnerabilities to security@xelurel.com. Include steps to reproduce, impact assessment, and your contact details. We do not currently offer a bug bounty program but acknowledge all valid reports.
Questions about our security posture?
Enterprise security reviews, custom DPAs, and BAA negotiations handled directly. We share our controls documentation, architecture diagrams, and pen test summaries under NDA.