Security & Trust
No security product is ever “100% secure.” What we can give you is a clear, audit-backed picture of how your data is handled and who is accountable at every layer.
Certifications in our supply chain
Every piece of infrastructure Nexley AI depends on is independently audited:
- Supabase - SOC 2 Type 2 certified; HIPAA compliant; ISO 27001 in progress. Encrypts data at rest (AES-256) and in transit (TLS 1.3). Hosts your contacts, call logs, and integrations.
- Composio - SOC 2 Type 2 certified; end-to-end encrypted OAuth tokens; zero-day log retention. Holds the tokens that let your AI Employee send emails, book calendars, etc.
- Vercel - SOC 2 Type 2 + ISO 27001. Hosts the dashboard.
- Amazon Web Services (AWS) - ISO 27001, SOC 2, PCI DSS. Each client runs on a dedicated UK-region VPS (London, eu-west-2).
- Anthropic (Claude) - SOC 2 Type 2. The language model behind the AI Employee.
Data handling
- Integration OAuth tokens never sit in our database. Composio stores them encrypted; we only hold a connection ID.
- Every client’s data is isolated to their own VPS and their own Composio user scope - one client’s agent can never see another client’s tools.
- Database access is gated by Row-Level Security tied to a scoped JWT. No shared service-role keys in client environments.
- Dashboard sessions use Supabase magic links (no passwords) - there is no password for an attacker to phish.
- Zero data training. We never use client data to train AI models.
GDPR & DPA
Nexley AI is a data processor acting on your instructions. We sign a Data Processing Agreement before onboarding and are registered with the UK ICO. Ask legal@nexley.ai for our DPA template.
Uptime
We target 99.5% uptime on the AI Employee service; the industry norm for AI-LLM systems is 99.3% (source: the Anthropic status dashboard shows ~5h downtime/month). Our agents run with model failover (Opus → Sonnet 4.6), per-minute health monitoring, automatic restart on failure, and human escalation within 15 minutes when anything breaks.
Responsible disclosure
Found something? Email security@nexley.ai. We triage within one business day, resolve criticals within 72 hours, and credit reporters (with permission) in the acknowledgements section.
Acknowledgements
No researchers yet - be the first.
Last updated: 2026-04-14.