Security

Last Updated: April 2026

Execlave is an AI agent governance platform that provides policy enforcement, audit logging, and compliance tooling for organizations deploying AI agents. Security is foundational to our mission—we help you govern AI systems responsibly, and that starts with securing the governance layer itself.

This page describes the security measures we implement to protect your data, ensure tenant isolation, and maintain the integrity of audit records. We follow defense-in-depth principles and continuously evaluate our security posture.

1. Data Protection

Execlave implements multiple layers of data protection to safeguard your organization's information throughout its lifecycle.

1.1 Multi-Tenant Isolation

Execlave uses PostgreSQL Row-Level Security (RLS) to enforce strict tenant isolation at the database level. Every API request sets the organization context via SET LOCAL app.current_org_id before executing queries, ensuring that:

  • Each organization can only access its own data
  • Cross-tenant data access is prevented at the database level, not just the application layer
  • Even in the event of application-level vulnerabilities, tenant boundaries are enforced by the database
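The request-scoped context pattern described above, as an added example (not Execlave's code): it assumes an `audit_events` table with an `org_id uuid` column and a pg-style client exposing `query(sql, params)`. Two details matter in practice: `SET LOCAL` cannot take bind parameters, so the equivalent `set_config(..., true)` call is used to pass the organization id as a parameter rather than interpolating it, and `FORCE ROW LEVEL SECURITY` is needed so the table owner role is also subject to the policy (superusers always bypass RLS).

```javascript
'use strict';
// Added example, not Execlave's code. Schema and client shape are assumptions.

// One-time schema setup (constructed for this example). current_setting(..., true)
// returns NULL instead of raising when the setting is unset, so a request that
// forgot to set its context matches no rows rather than every row.
const RLS_SETUP_SQL = `
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON audit_events
  USING (org_id = current_setting('app.current_org_id', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Runs fn(client) inside a transaction whose queries are scoped to orgId.
// set_config(name, value, is_local = true) behaves like SET LOCAL: the value
// reverts at COMMIT or ROLLBACK, so it never leaks into the next request that
// reuses this pooled connection.
async function withOrgContext(client, orgId, fn) {
  if (!UUID_RE.test(orgId)) throw new TypeError('orgId must be a UUID');
  await client.query('BEGIN');
  try {
    await client.query("SELECT set_config('app.current_org_id', $1, true)", [orgId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Stand-in for a pg client that records statements so the example runs
// without a database (constructed for this example).
function recordingClient(handler = async () => ({ rows: [] })) {
  const log = [];
  return {
    log,
    async query(sql, params = []) {
      log.push({ sql: sql.trim(), params });
      return handler(sql, params);
    },
  };
}

// Returns the leading keyword of each statement issued for one scoped query.
async function demo() {
  const orgId = '11111111-2222-4333-8444-555555555555'; // constructed
  const client = recordingClient();
  await withOrgContext(client, orgId, (c) =>
    c.query('SELECT id FROM audit_events WHERE agent_id = $1', ['agent-1']));
  return client.log.map((e) => e.sql.split(' ')[0]); // ['BEGIN', 'SELECT', 'SELECT', 'COMMIT']
}
```

The wrapper rejects a malformed organization id before touching the connection and rolls back on any error, so a failed request cannot leave a connection with a tenant context still attached.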

1.2 Encryption

In Transit: All data transmitted to and from Execlave is encrypted using TLS 1.2 or higher. We enforce HTTPS for all API endpoints and web traffic.

At Rest: Data stored in our databases and object storage is encrypted using AES-256 encryption. Encryption keys are managed through secure key management practices with regular rotation.

1.3 API Key Security

API keys used to authenticate with Execlave are handled with care:

  • Hashed Storage: API key secrets are stored as bcrypt hashes—we never store plaintext secrets
  • Key Prefixes: Live keys use the ag_ prefix; test keys use ag_test_ for clear differentiation
  • Expiration: API keys can be configured with expiration dates for time-limited access
  • IP Allowlists: Keys can be scoped to specific IP addresses or CIDR ranges for additional access control

2. Audit Logging & Integrity

Audit log integrity is fundamental to Execlave's value as a governance platform. We implement multiple controls to ensure audit records are complete, accurate, and tamper-evident.

2.1 Append-Only Audit Logs

Audit logs are append-only at the database level. We use database-level constraints that prevent UPDATE and DELETE operations on audit tables. This ensures:

  • Historical records cannot be modified after creation
  • Deletion of audit entries is not possible through normal application operations
  • A complete, chronological record of all governed agent activity is maintained

2.2 Hash Chaining for Tamper Evidence

Audit records carry SHA-256 integrity checksums to provide tamper evidence. Each record's hash is computed from its contents and linked into a verifiable chain, so an unauthorized modification of any record is detectable.

2.3 Digitally Signed Compliance Exports

When you export audit data for compliance purposes, exports are digitally signed using RSA-SHA256. This allows recipients to verify that the exported data originated from Execlave and has not been modified since export.

3. Access Control

3.1 Authentication

Execlave supports two authentication methods, which share a unified middleware chain:

  • Clerk JWT Authentication: Primary authentication method for users accessing the platform through the web interface. JWT tokens are verified on every API request.
  • API Key Authentication: For programmatic access via SDKs and direct API calls. API keys are validated with bcrypt-hashed secret comparison and support IP allowlists.

3.2 Role-Based Access Control (RBAC)

Execlave implements a hierarchical role system to control access within organizations:

  Role        Capabilities
  Owner       Full administrative access including organization settings, billing, member management, and all data
  Admin       Manage policies, agents, API keys, and team members; view all audit logs and analytics
  Developer   Create and manage agents, configure policies for their agents, view relevant audit logs
  Viewer      Read-only access to dashboards, audit logs, and analytics

The role hierarchy (Owner > Admin > Developer > Viewer) ensures that users can only perform actions appropriate to their level of responsibility.

4. Infrastructure Security

4.1 Transport & Header Security

Execlave implements comprehensive HTTP security headers:

  • Helmet Middleware: Configures security headers including Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy
  • HSTS Preload: HTTP Strict Transport Security is enabled with preload to ensure browsers always connect via HTTPS
  • CORS: Cross-Origin Resource Sharing is restricted to configured origins only
  • CVE-2025-29927 Mitigation: The internal x-middleware-subrequest header is stripped at both the edge middleware and the production server ingress to prevent middleware authorization bypass. Next.js is pinned to a patched release (≥ 15.2.9) that addresses the vulnerability at the framework level.

4.2 Rate Limiting

Execlave uses Redis-based rate limiting to protect against abuse and ensure fair resource allocation:

  • Control Plane: 100 requests per minute for configuration and management APIs
  • Trace Ingestion: 1,000 requests per minute for audit log ingestion
  • Policy Enforcement: 10,000 requests per minute for real-time policy evaluation

4.3 Webhook Security

Outgoing webhook payloads are signed using HMAC-SHA256. Webhook recipients can verify signatures to ensure payloads originated from Execlave and have not been tampered with in transit.

4.4 Input Validation

All inputs are validated before processing:

  • Parameterized SQL: All database queries use parameterized statements—no string interpolation
  • Schema Validation: API inputs are validated against Zod schemas; policy rules use JSON Schema validation
  • Sanitization: Input sanitization middleware strips potentially dangerous content

5. SDK & Client Security

Our Python and JavaScript SDKs include built-in security features:

  • Client-Side PII Scrubbing: Both SDKs support configurable PII detection and redaction before data is transmitted to Execlave, helping you minimize sensitive data exposure
  • Zero Runtime Dependencies: The JavaScript SDK has no external runtime dependencies, minimizing supply chain risk

6. Shared Responsibility Model

Security is a shared responsibility between Execlave and our customers. Understanding the division of responsibility helps ensure comprehensive protection.

6.1 Execlave Responsibilities

Execlave is responsible for:

  • Security of the Execlave platform infrastructure
  • Multi-tenant isolation and data protection within the platform
  • Encryption of data in transit and at rest
  • Audit log integrity and immutability
  • Authentication and access control mechanisms
  • Security monitoring, incident response, and vulnerability management
  • Compliance with applicable laws and regulations for our services

6.2 Customer Responsibilities

Customers are responsible for:

  • API Key Management: Securely storing API keys, rotating them periodically, and revoking compromised keys promptly
  • Access Control: Assigning appropriate roles to team members and reviewing access regularly
  • Policy Configuration: Designing and maintaining governance policies appropriate to your use case and risk profile
  • Agent Security: Securing the AI agents that integrate with Execlave, including their credentials and runtime environments
  • Data Classification: Understanding what data flows through your governed agents and ensuring appropriate handling
  • Incident Reporting: Promptly reporting security vulnerabilities or suspected breaches
  • Compliance: Ensuring your use of Execlave complies with your own regulatory and contractual obligations

7. Vulnerability Reporting

We appreciate security researchers who help keep Execlave and our users safe. If you discover a security vulnerability, please report it responsibly.

7.1 How to Report

Do not open a public GitHub issue for security vulnerabilities.

Email support@execlave.com with:

  1. A description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Suggested fix (if any)

7.2 Response Timeline

  • Acknowledgment: Within 48 hours of your report
  • Assessment: Status update within 5 business days with an assessment and timeline
  • Patch Target: We aim to patch confirmed vulnerabilities within 14 days
  • Disclosure: We will coordinate with you on public disclosure timing

7.3 Scope

The following are in scope for security reports:

  • Execlave backend API and frontend application
  • Python SDK and JavaScript SDK
  • CLI tool
  • Processing service
  • Deployment configurations and CI/CD workflows

Out of scope: Issues in third-party dependencies (report upstream and notify us if it affects Execlave), social engineering, denial of service attacks, and issues requiring physical access to infrastructure.

7.4 Recognition

Reporters of confirmed vulnerabilities will be credited in the relevant CHANGELOG entry unless they prefer to remain anonymous.

8. Compliance Support

Execlave is designed to support organizations in meeting their compliance obligations. Our security controls, audit logging, and data protection measures align with common compliance frameworks.

Execlave is designed to support compliance with:

  • SOC 2 Type II: Our security controls and audit capabilities are designed to align with SOC 2 trust service criteria
  • ISO 27001: Our information security management practices are designed to align with ISO 27001 requirements
  • EU AI Act: Our governance, audit, and transparency features are designed to help organizations meet EU AI Act requirements for high-risk AI systems

Note: The above represents alignment with framework requirements, not formal certifications. Please contact us for current certification status and compliance documentation.

9. Development & CI/CD Security

We integrate security throughout our development and deployment processes:

  • Dependency Scanning: Automated npm audit and Trivy container scanning in CI pipelines
  • Secret Detection: Gitleaks scanning prevents accidental secret commits
  • Production Safeguards: Manual approval gates required for production deployments

10. Contact

For security-related inquiries:

For more information about our data handling practices, see our Privacy Policy. For terms governing use of the platform, see our Terms of Service.