Nexaera trust, security, and compliance

How Nexaera protects agency and client data across the white-label AI Agency OS.

Data isolation

Postgres row-level security (RLS) on every customer-facing table. The database itself refuses queries that try to cross tenant boundaries. Per-sub-account data partitioning sits on top. Agency access to sub-accounts is off by default and requires explicit approval workflows with full audit logging.

Secret storage

Every API key, OAuth token, and credential is encrypted at rest with AES-GCM using rotating envelope keys, stored as base64(iv):base64(ciphertext+authTag). 4-tier API key resolution prefers organization-level keys, then agency-level, then platform fallback, then legacy.
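
The stored format described above, as an added Node.js example that is not Nexaera's code: it seals a secret into base64(iv):base64(ciphertext+authTag) and parses it back strictly, rejecting malformed or tampered records. AES-256, the 12-byte IV, the 16-byte tag, and the names sealSecret, openSecret and rejects are assumptions; envelope-key wrapping and rotation are not shown.

```javascript
// Added illustration, not Nexaera's code. Assumed: AES-256-GCM, 12-byte IV, 16-byte tag.
const crypto = require('node:crypto');

const IV_LEN = 12;  // assumed: 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // assumed: full 128-bit authentication tag
const B64 = /^[A-Za-z0-9+/]+={0,2}$/; // Buffer.from silently skips bad chars, so check first

// Encrypt and serialize as base64(iv):base64(ciphertext+authTag).
function sealSecret(plaintext, key) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce per record; never reuse under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const body = Buffer.concat([ct, cipher.getAuthTag()]);
  return iv.toString('base64') + ':' + body.toString('base64');
}

// Parse strictly, then decrypt. Throws on malformed input or failed authentication.
function openSecret(stored, key) {
  const parts = stored.split(':');
  if (parts.length !== 2 || !parts.every((p) => B64.test(p))) {
    throw new Error('malformed record');
  }
  const iv = Buffer.from(parts[0], 'base64');
  const body = Buffer.from(parts[1], 'base64');
  if (iv.length !== IV_LEN || body.length < TAG_LEN) {
    throw new Error('bad IV length or truncated tag');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(body.subarray(body.length - TAG_LEN));
  const pt = Buffer.concat([
    decipher.update(body.subarray(0, body.length - TAG_LEN)),
    decipher.final(), // throws if the ciphertext, IV, or tag was altered
  ]);
  return pt.toString('utf8');
}

// True when a record fails to open (tampered, wrong key, or malformed).
function rejects(stored, key) {
  try { openSecret(stored, key); return false; } catch { return true; }
}

// Constructed sample values, not real credentials.
const demoKey = crypto.randomBytes(32);
const record = sealSecret('constructed-example-token', demoKey);
```
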

HIPAA-ready Healthcare Mode

Optional ZDR (Zero Data Retention) runtime: conversations are processed in memory and never written to the database. 20-message local transcript sync, no DB persistence. BAA available. Auto-purge retention. Premium privacy add-on.

SOC 2

Type I work is underway. Type II target is set during contracting. Current readiness status available under MSA.

Audit logging

Append-only audit trail of every admin action. Viewable in-app and exportable to CSV. SIEM-grade audit log streaming on roadmap.

Prompt injection defense

3-layer security: knowledge anonymization at ingest, PII redaction layer applied pre-LLM, character limits and instruction quarantine on agent inputs.

Infrastructure hardening

  • SSRF guard on workflow-api and outbound webhooks (shared _shared/ssrf-guard.ts)
  • HSTS, COOP, Referrer-Policy, and full CSP via vercel.json
  • HMAC-SHA256 signed outbound webhooks with full payload audit
  • DOMPurify on rich-text rendering
  • Token-scoped RLS on agent-principal HMAC short-lived tokens
  • Realtime channels scoped to 24h for anon team-chat
  • security.txt published at /.well-known/security.txt

Service-level commitments

  • Starter and Operator — best-effort uptime, email support
  • Scale — 99.5% uptime target, priority support, team access
  • Enterprise — 99.9% uptime target, dedicated Account Manager, Quarterly Business Reviews, direct Slack or Teams channel, 4-week implementation

Plain-language definitions

MCP server (Model Context Protocol)
An open Anthropic protocol that lets AI clients like Claude Desktop, Cursor, and ChatGPT call external tools. Nexaera ships a native MCP server per agency under the agency's own domain and OAuth consent screen.
Row-level security (RLS)
A Postgres database feature that enforces tenant isolation at the query layer — the database itself refuses to return rows that belong to another agency or sub-account, even if application code has a bug.
Zero Data Retention (ZDR)
A premium Healthcare Mode runtime where conversations are processed in memory and never persisted to the database. There is nothing to leak, subpoena, or export. Required for many HIPAA, legal, and financial deployments.

Legal package

Standard MSA, DPA, and BAA available on request. Custom MSA / DPA / BAA negotiation included for Enterprise.