SECURITY & COMPLIANCE
Security by design.
Ex.Brain is built for organizations that take security seriously. Our platform is architected from the ground up with security as a first-order requirement — not an afterthought. This page covers our security principles, encryption standards, compliance posture, and infrastructure.
Architecture validated against source code, May 2026. Security owned by Adam Sepehri, CTO and CISO, PhD in Computer Vision, MS in AI. Read the full technical security architecture →
PRINCIPLES
Security principles
Zero data training
Your data is never used to train AI models — not ours, not any third party's. Your knowledge stays exclusively yours.
AES-256 encryption at rest
All stored data is encrypted using AES-256. This applies to knowledge bases, documents, and all user-generated content.
TLS 1.3 in transit
All data in transit is encrypted with TLS 1.3. No unencrypted connections are accepted on any endpoint.
Role-based access control
Granular, permission-bounded access. Users see only what their role permits. Enforced at the architecture level, not the UI.
Immutable audit logs
Every sensitive action is logged in append-only, immutable logs. INSERT and SELECT only — UPDATE and DELETE are blocked at the database level.
Defense in depth
Multiple independent protections across every level: identity, authorization, infrastructure, encryption, audit, and operations.
COMPLIANCE
Compliance & certifications
We are committed to meeting the compliance requirements of our customers across regulated industries.
SOC 2 Type II
In progressAudit in progress. Contact us for our current SOC 2 report.
ISO 27001
RoadmapPlanned for 2026. Built to ISO 27001 controls.
GDPR
CompliantData Processing Agreement available. Contact privacy@exbrain.ai.
CCPA
CompliantCalifornia privacy rights honored. See our Privacy Policy.
HIPAA
ReadyBusiness Associate Agreements available for healthcare customers.
INFRASTRUCTURE
Infrastructure
Ex.Brain runs on enterprise-grade cloud infrastructure with redundancy, automated failover, and geographic distribution.
- Primary infrastructure: Google Cloud Platform (GCP) with multi-region deployment
- AI services: Microsoft Azure AI services with enterprise data residency commitments
- Data isolation: Full tenant isolation — no shared data stores between organizations
- Backups: Automated daily backups with point-in-time recovery and encrypted off-site storage
- Uptime: 99.9% uptime SLA with real-time status monitoring
CONTACT
Security contact
For security questions, to request compliance documentation, or to report a vulnerability, contact our security team:
TECHNICAL DOCUMENTATION
Want the full security architecture?
Our security page covers defense in depth, permission-bounded AI retrieval, STRIDE threat modeling, and our complete control stack.