Security & Trust

Your data, under lock and key. Yours, always.

Nexera is built for regulated enterprises. GDPR and EU AI Act aligned, with zero-retention AI mode and bring-your-own-key encryption. Everything you expect from a vendor your Legal team will actually sign.

Request the Trust Package · Read DPA

GDPR

EU AI Act

Zero-retention

BYOK

Compliance & trust

The posture Legal actually cares about.

Two regulatory alignments live today and two product capabilities that do the hard work. No checkbox theatre.

GDPR compliant

DPA, SCCs, and documented deletion flows as standard

EU AI Act aligned

Article 4 literacy and transparency obligations built in

Zero-retention AI mode

Ephemeral inference, nothing stored or trained on

Bring-your-own-key encryption

Encrypt with a KMS key that stays in your AWS account

On our security roadmap

SOC 2 Type II

ISO 27001

How we protect you

Six pillars of the Nexera security posture.

Encryption everywhere

Every byte is encrypted in transit and at rest, with AES-256 and per-tenant isolation. Bring your own KMS key and it stays in your account.

TLS 1.3 for all network traffic

AES-256 at rest with per-tenant isolation

Bring-your-own-key via AWS KMS

Zero-retention mode

Run The Brain with no model-side persistence. We read everything, remember nothing. Context is flushed the moment the response leaves.

Ephemeral context, flushed after every request

Your data is never used to train any model

Per-workspace policy controls

Identity you already own

Nexera plugs into your IdP and directory. Provisioning, deprovisioning, and role sync happen without a ticket.

SAML 2.0 and OIDC with Okta, Azure AD, Google, Ping

SCIM 2.0 auto-provisioning and deprovisioning

Role-based access controls

EU data residency

Store your data where your regulator tells you to. US and EU regions today, with regional isolation for retrieval and inference.

US (us-east) and EU (eu-central) regions

Data stays in its region, including for inference

Dedicated region available on enterprise contracts

Transparency & disclosure

Every access is logged. Every incident gets an owner and a runbook. If something affects you, you hear from us inside 24 hours.

Immutable audit logs streamed to your SIEM

Documented incident response runbook

24-hour breach disclosure commitment

Tenant isolation

Every workspace is logically isolated, with its own retrieval scope and key material. Nothing is shared by default.

Per-tenant encryption and key rotation

Isolated vector stores and retrieval contexts

Dedicated single-tenant tier available

Zero-retention AI

Read everything. Remember nothing.

For the most sensitive workloads, run Nexera in zero-retention mode. The Brain processes your content in memory, answers the question, and forgets. No training, no caching, no prompt logging. Your data leaves the request with the response.

Ephemeral inference, flushed after every request

Customer data never used to train any model

Per-workspace policy · audit-grade evidence

Request lifecycle

STEP 1 · Request in

Encrypted over TLS 1.3

STEP 2 · Context loaded

Retrieved into ephemeral memory

STEP 3 · Inference

Model reads, reasons, responds

STEP 4 · Flush

Memory wiped · nothing retained

Controls

What's covered, in plain English.

Four layers, dozens of controls. Here are the controls we're asked about the most. The full list lives in the Trust Package.

Access

Mandatory SSO and MFA for all production access

Role-based access with least-privilege enforcement

All production access logged and reviewed

People

Security awareness training on hire and annually

Confidentiality agreements for every team member

Structured offboarding with immediate access revocation

Infrastructure

Built on AWS with multi-region redundancy

Segregated production, staging, and development

Automated vulnerability scanning on every deploy

Data

Documented retention and deletion commitments

Customer-initiated export and deletion endpoints

Workspace-scoped access by default

Bring-your-own-key

Keep the key. Keep control.

For customers who demand it, Nexera encrypts your workspace with a KMS key that lives in your own AWS account. Rotate it, restrict it, or disable it, and our access to your data goes with it. No root keys at Nexera, no leverage over your content.

AWS KMS key stays in your account, never exported

Rotate or disable anytime, effective immediately

Per-workspace scoping with audit-grade evidence

Key custody · your KMS

Your AWS account

KMS key stays in your VPC, never exported

Nexera

Requests signed with your key reference

Revoke anytime

Rotate or disable the key, access stops

By the numbers

What our security posture looks like in production.

0

Retained in zero-retention mode

AES-256

At-rest encryption

BYOK

AWS KMS supported

< 24h

Breach disclosure commitment

Go deeper

The trust stack

Trust Package

DPA, SCCs, architecture overview, and sub-processors, one link.

Request access

Ready for Legal

Talk to our security team.

Give us 30 minutes. We'll walk your security, privacy, and procurement teams through the stack and hand over everything you need to close procurement in days, not months.

Book a security review · Request the Trust Package
Nexera

The AI-native platform that captures, maps, teaches, and proves what your workforce knows.

GDPR

EU AI Act

SOC 2 in progress


© 2026 Nexera. All rights reserved.
