01 How the product is built
Encrypted at rest
Optional full-database encryption (SQLCipher) plus an AES-256-GCM field layer for sensitive settings, with keys derived through a layered key-management chain.
Secrets stay out of prompts
A named-secrets vault substitutes values at the wire. A reference like {{secret:NAME}} resolves at send time and never enters a prompt, a log, or the model context.
Tamper-evident audit
A hash-chained audit log records tool calls and state changes, written in the same transaction as the action it records, so the trail can't silently diverge from what happened.
Least privilege for agents
A capability resolver and per-agent access rules gate what each agent may do. Permissions are config-based, session-based, or type-based, and can be granted or revoked at fine grain.
Human approvals & budgets
Approval workflows, spend budgets, and rate tracking sit in the work path, so high-impact or high-cost actions can require a human decision.
Cloud Mode lockdown
For shared or multi-tenant deployments, Cloud Mode restricts agents to a narrow capability set (network and memory) and blocks file system, shell, and browser access.
By design, the product does not accept repository-supplied shell hooks, because anyone who could merge to a watched repo would otherwise gain code execution on the host. Configuration that affects execution is operator-controlled.
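The "Tamper-evident audit" item above describes two properties that can be shown together: each entry is chained to the hash of its predecessor, and the entry is committed in the same transaction as the change it records. The sketch below is an added example, not Exolvra's code; the table names, the SHA-256 entry layout, the all-zero genesis value and the function names are assumptions made for illustration.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # assumed anchor value that the first entry chains to

def open_db():
    # In-memory database with a hypothetical schema (not the product's).
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE settings(key TEXT PRIMARY KEY, value TEXT);"
        "CREATE TABLE audit(seq INTEGER PRIMARY KEY, event TEXT, prev TEXT, hash TEXT);"
    )
    return db

def entry_hash(seq, event, prev):
    # Bind position, predecessor hash and payload into one digest.
    return hashlib.sha256(f"{seq}|{prev}|{event}".encode()).hexdigest()

def set_with_audit(db, actor, key, value):
    """Apply a state change and its audit entry in one transaction."""
    with db:  # commits both writes, or rolls both back on any exception
        db.execute("INSERT OR REPLACE INTO settings VALUES (?, ?)", (key, value))
        row = db.execute(
            "SELECT seq, hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
        seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
        event = json.dumps({"actor": actor, "op": "set", "key": key}, sort_keys=True)
        db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                   (seq, event, prev, entry_hash(seq, event, prev)))

def verify_chain(db):
    """Return the seq of the first entry that breaks the chain, or None."""
    prev, expected_seq = GENESIS, 1
    for seq, event, stored_prev, stored_hash in db.execute(
            "SELECT seq, event, prev, hash FROM audit ORDER BY seq"):
        if (seq != expected_seq or stored_prev != prev
                or entry_hash(seq, event, prev) != stored_hash):
            return seq
        prev, expected_seq = stored_hash, seq + 1
    return None

if __name__ == "__main__":
    db = open_db()
    for actor, key, value in [("agent-a", "model", "local"),   # constructed sample
                              ("agent-b", "budget", "10")]:    # constructed sample
        set_with_audit(db, actor, key, value)
    print("intact:", verify_chain(db) is None)
    db.execute("UPDATE audit SET event = replace(event, 'agent-b', 'agent-x')")
    print("first broken entry after edit:", verify_chain(db))
```

A chain like this detects edited entries and mid-chain deletions; detecting removal of the newest entries additionally requires keeping the latest hash somewhere the database writer cannot change.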
02 Deployment and data residency
- You choose where it runs — one container (Docker or Podman), a signed desktop build, or your own cloud account.
- Air-gap capable — point Exolvra at local models (such as Ollama or LM Studio) and it can run fully offline; nothing leaves your network.
- Your model keys, your model bill — you bring your own provider keys. The only external traffic is the model API calls you configure.
03 This website
The marketing site and waitlist are served over HTTPS through Cloudflare, with modern TLS and standard edge protections. The website collects only the limited information described in our Privacy Policy.
04 Compliance posture
We want to be precise rather than aspirational. As of the date above, Exolvra is not yet certified under SOC 2, ISO 27001, ISO 42001, or HIPAA. What we do have: a product engineered to support those programs inside your own environment (encryption at rest and in transit, a hash-chained audit log, RBAC and per-agent least privilege, approvals, and a secrets vault), a control set mapped to the Cloud Security Alliance Cloud Controls Matrix (available as a CAIQ self-assessment and as our answer bank for your security questionnaire), and a founder who built a certified SOC 2 and ISO 27001 program previously. The full posture, framework alignment, and shared-responsibility split are in our Trust Center. If your procurement needs specific documentation, email [email protected] and we'll tell you honestly where we are.
05 Reporting a vulnerability
We welcome reports from security researchers and treat them as a priority. If you believe you've found a vulnerability in the Exolvra product or this website, please tell us before disclosing it publicly.
Coordinated disclosure
Email a description of the issue, the affected component and version, and the steps to reproduce it. If you can, include the impact and any proof-of-concept. Please give us a reasonable window to investigate and remediate before public disclosure.
[email protected]
What we ask
- Act in good faith, avoid privacy violations, and don't degrade or disrupt our services or other users.
- Only test against your own deployment or accounts — do not access, modify, or exfiltrate data that isn't yours.
- Do not run automated scanning that generates significant load, and do not use social engineering, physical attacks, or denial of service.
- Give us reasonable time to fix the issue before any public disclosure, and coordinate timing with us.
What you can expect
- We will acknowledge your report, work to validate it, and keep you updated on remediation.
- If you follow this policy in good faith, we will not pursue legal action against you for your research (a "safe harbor").
- We do not currently operate a paid bug-bounty program, but we are glad to credit researchers who would like recognition.
06 Contact
Security reports: [email protected]. Everything else: [email protected].