Privacy Policy

This Privacy Policy describes how V01D Technologies ("Execlave," "we," "us," or "our") collects, uses, stores, and protects information when you use the Execlave AI agent governance platform ("Service"). This policy applies to all users of the Service, including organization administrators, developers, and viewers.

Execlave acts as a data processor on behalf of the Customer organization ("Customer"), which acts as the data controller for the data submitted through the Service. This Privacy Policy supplements any Data Processing Agreement between Execlave and Customer.

1. Information We Collect

1.1 Account Information

When a Customer organization registers for Execlave, we collect:

• User identity data: Name, email address, profile image, and authentication identifiers provided through our SSO provider (Clerk).
• Organization data: Organization name, billing contact information, and team structure.
• Role assignments: Each user's role within the organization (Owner, Admin, Developer, or Viewer).

1.2 Agent Execution Traces

When Customer's AI agents report to Execlave via SDK or API, we collect:

• Trace data: Agent inputs (prompts, queries, tool call parameters), agent outputs (responses, actions taken), execution duration, token counts, and associated metadata.
• Session context: Session identifiers, conversation history references, and agent goal descriptions.
• Policy evaluation results: Whether each action was allowed, denied, or flagged, along with the rule or semantic check that produced the decision.

1.3 Governance Configuration Data

• Policy definitions: Rule configurations, thresholds, semantic check parameters, and enforcement modes (enforce, monitor, disabled).
• Agent registrations: Agent names, descriptions, environments, frameworks, model configurations, capabilities, and dependency maps.
• Prompt versions: Prompt text, version history, approval states, and deployment status.
• Kill switch state: Active/inactive status and activation history.

1.4 Audit Logs

Execlave maintains an append-only, cryptographically chained audit log recording governance-relevant actions, including:

• Agent registration, updates, and archival
• Policy creation, modification, and deletion
• Policy violations and enforcement decisions
• Prompt version lifecycle (creation, approval, rejection, deployment, rollback)
• API key creation, deletion, and rotation
• Kill switch activations and resolutions
• User authentication events
• Webhook configuration changes

Each audit log entry includes the action type, the acting user, the affected resource, a timestamp, the organization context, and a SHA-256 hash linking to the previous entry for tamper evidence.

1.5 Billing and Payment Information

We collect billing contact details and subscription plan information. Payment card details are processed and stored exclusively by Stripe; Execlave does not store card numbers or payment credentials.

1.6 Usage and Technical Data

• API usage metrics: Request counts, response times, error rates, and rate limit events.
• Anomaly detection data: Statistical baselines and deviation scores computed from trace patterns.
• Infrastructure logs: Server logs, error reports, and performance metrics generated during Service operation.

2. How We Use Your Information

We process information for the following purposes:

3. Semantic Classification (Local LLM Processing)

When a Customer enables semantic policy evaluation on a policy, agent inputs and contextual data are processed by a locally deployed LLM model for classification. This processing happens entirely within the Execlave deployment environment.

No external AI APIs are used. Agent inputs, action types, and conversation context never leave the deployment infrastructure for AI processing. Specifically, the following data may be processed by the local LLM:

• The agent's stated goal or task description
• The action type being evaluated
• The input text or query being assessed
• Relevant conversation history (if provided)

This processing occurs only when:

1. The Customer has configured a policy with semantic_check_enabled = true, AND
2. The deterministic rule engine (Layer 1) does not produce a hard violation for the given action.

Data handling: All semantic classification is performed by locally hosted open-source LLM models (Apache-2.0 licensed). No data is transmitted to external AI service providers. For self-hosted deployments, the LLM infrastructure is entirely under Customer control.

Disabling: Customers who do not wish to use LLM-based classification can disable semantic policy evaluation on all policies. Deterministic rule-based enforcement does not involve any LLM processing.

4. Data Storage and Security

4.1 Infrastructure

Customer Data is stored in PostgreSQL databases with TimescaleDB extensions, hosted on Amazon Web Services (AWS). Redis is used for caching and job queue management.

4.2 Tenant Isolation

All Customer Data is isolated using PostgreSQL Row-Level Security (RLS). Every database query is scoped to the authenticated organization via SET LOCAL app.current_org_id, ensuring that one Customer's data is never accessible to another.

4.3 Encryption

• In transit: All data transmitted between clients and the Service is encrypted using TLS 1.2 or higher.
• At rest: Database storage is encrypted using AES-256 encryption provided by the underlying cloud infrastructure.
• API keys: Stored as bcrypt hashes; the original key value is not retained after initial issuance.

4.4 Access Controls

• Role-based access control (RBAC) with four privilege levels (Owner, Admin, Developer, Viewer).
• API key scoping with optional IP allowlist restrictions.
• All administrative actions are recorded in the tamper-evident audit log.

4.5 Audit Log Integrity

Audit log entries are append-only at the database level (UPDATE and DELETE operations are blocked by database constraints). Each entry contains a SHA-256 hash of the previous entry, forming a verifiable chain.

5. Data Retention

5.1 Trace Data Retention

Trace data retention periods vary by subscription plan:

Traces older than the retention period are automatically purged.

5.2 Audit Log Retention

Audit logs are retained for a minimum of 1 year across all plans, as they serve as compliance evidence. Enterprise customers may negotiate extended retention periods.

5.3 Account and Configuration Data

Organization accounts, user profiles, policy configurations, and agent registrations are retained for the duration of the Customer relationship and for up to 60 days following account termination to allow for data export.

5.4 Billing Records

Payment and invoice records are retained for 7 years to comply with tax and accounting regulations.

5.5 Post-Termination

Upon account termination, Customer has 30 days to export data. All Customer Data is permanently deleted within 60 days of termination, except where longer retention is required by law.

6. Third-Party Processors

Execlave uses the following third-party service providers (sub-processors) to deliver the Service:

We maintain contracts with all sub-processors that include data protection obligations consistent with GDPR requirements. We will notify Customers at least 30 days before engaging a new sub-processor.

For a complete list of sub-processors, see our Subprocessors page.

7. Data Subject Rights

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that provides the following rights, you may exercise them by contacting us or, where applicable, by contacting the Customer organization that controls your data:

7.1 Right of Access (GDPR Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

7.2 Right to Rectification (GDPR Art. 16)

You have the right to request correction of inaccurate personal data.

7.3 Right to Erasure (GDPR Art. 17)

You have the right to request deletion of your personal data, subject to legal retention obligations and the append-only nature of audit logs (which may be anonymized rather than deleted to preserve compliance evidence chain integrity).

7.4 Right to Data Portability (GDPR Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).

7.5 Right to Restriction of Processing (GDPR Art. 18)

You have the right to request that we restrict processing of your personal data under certain circumstances.

7.6 Right to Object (GDPR Art. 21)

You have the right to object to processing of your personal data based on legitimate interests.

7.7 Automated Decision-Making (GDPR Art. 22)

Execlave's policy enforcement engine makes automated decisions about whether to allow, deny, or flag agent actions. These decisions apply to AI agent operations, not to decisions about individuals. If an automated decision affects you as an individual, you have the right to obtain human review.

7.8 How to Exercise Your Rights

• If you are an end user of a Customer's AI agents: Contact the Customer organization directly, as they are the data controller.
• If you are an Authorized User of Execlave: Contact us at support@execlave.com or submit a request through your organization's Owner or Admin.

We will respond to valid requests within 30 days (or within the timeframe required by applicable law).

8. International Data Transfers

Customer Data may be transferred to and processed in the United States, where our primary infrastructure and sub-processors are located. For transfers from the EEA or UK, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data Processing Agreements with all sub-processors that include appropriate transfer mechanisms.
• Supplementary measures including encryption in transit and at rest, access controls, and regular security assessments.

Enterprise customers may select specific AWS regions for data residency where available.

9. Cookies and Tracking

Execlave uses a minimal set of cookies:

We do not use advertising cookies, tracking pixels, or third-party analytics cookies by default. No consent banner is required because all cookies are strictly necessary for the Service to function.

For more details, see our Cookie Policy.

10. Self-Hosted Deployment

Execlave offers a self-hosted deployment option for Enterprise customers. Under the self-hosted model:

• All Customer Data remains within Customer's own infrastructure.
• No Customer Data is transmitted to Execlave-managed servers.
• Customer is responsible for data security, backups, and compliance within their environment.
• Semantic policy evaluation runs entirely on locally deployed LLM models within Customer's infrastructure — no external AI APIs are used.
• Execlave provides the software, Helm charts, and Docker images; Customer manages the deployment.

The self-hosted option eliminates third-party data transfer concerns for Customers with strict data residency requirements.

11. Children's Privacy

Execlave is a B2B service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify Customers of material changes by:

• Sending an email to the Organization Owner's registered email address.
• Displaying a prominent notice in the Execlave dashboard.
• Providing at least 30 days' notice before material changes take effect.

Non-material changes (such as formatting or clarifications that do not alter data practices) may be made without advance notice.

13. Contact Us

For privacy-related questions, data subject requests, or concerns:

If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.