How Elric protects your data — principles, safeguards, and certifications.
🇪🇺
European infrastructure
Your data is hosted exclusively within the European Union on GDPR-compliant infrastructure. We work only with partners that meet strict international security certifications.
AI processing happens in real time without retention by the model provider. No customer data is used to train third-party models.
🔐
End-to-end encryption
- In transit : TLS 1.3 on all connections, with HSTS enabled
- At rest : AES-256 encryption across all persisted data
- Integration credentials : encrypted with AES-256-GCM before storage, using an isolated server key
- Passwords : never stored in plain text, hashed with standard algorithms (bcrypt)
- Access tokens : never exposed client-side, with automatic rotation
🏢
Multi-tenant isolation
- Row-Level Security : strict database-level isolation. Every query is automatically filtered so it can only access your workspace data.
- Native multi-tenant architecture : isolation is enforced by the database engine independently of application code.
- No cross-workspace access : an application security exception cannot compromise your data.
🔒
Application security
- Strict HTTP headers : Content-Security-Policy, HSTS, anti-clickjacking, anti-sniffing, and restrictive referrer policy
- Rate limiting : workspace-level protection against abuse of sensitive endpoints
- SSRF protection : outbound request filtering, blocking loopback, private IPs, and cloud metadata endpoints
- CSRF protection : cryptographic verification on all OAuth callbacks
- Audit trail : complete logging of access and actions
🤖
AI agent security
Elric agents process user content such as documents, emails, and transcripts. We apply specific protections against language-model attacks:
- Strict instruction/data separation : external content is treated as non-executable data
- Prompt-injection mitigation : detection and filtering of known attack patterns
- Mandatory human approval : any sensitive external action, such as sending email, creating an event, or calling a third-party API, requires explicit user approval
- No autonomous irreversible actions : agents cannot send, post, or delete anything without your confirmation click
📋
GDPR compliance
- Processing register : maintained and available on request
- Data Processing Agreement (DPA) : available for our business customers
- Data-subject rights : self-service export and deletion in your account settings
- Minimization : collection limited to strictly necessary data
- Retention period : effective deletion within 30 days after account closure
- International transfers : covered by Standard Contractual Clauses where applicable
Our privacy policy and DPA detail all of our commitments. Privacy · DPA
✅
Infrastructure certifications
Our infrastructure providers are selected for compliance with strict international security standards. Elric benefits from these certifications:
SOC 2 Type II
Hosting and database
ISO 27001
Security management
PCI DSS Level 1
Payment processing
The list of subprocessors and their detailed certifications is available in our Data Processing Agreement, in accordance with Article 28 GDPR. Our own SOC 2 certification process is planned for 2027. DPA
🚨
Responsible disclosure
If you discover a security vulnerability, please contact us confidentially:
security@elric-ia.com
We acknowledge receipt within 48 hours. Critical vulnerabilities are prioritized according to severity, typically within 7 days.
Please follow responsible disclosure principles: do not exploit the vulnerability, do not access data that does not belong to you, and give us reasonable time to fix it before any publication.