Security
Last updated 2 July 2026
Nexlyr AI handles business material that is often confidential. This page describes the protections that are actually in place today, in plain English. Questions or reports go to contact@nexlyrai.uk.
Tenant isolation
Every deck, workspace, draft and saved slide is tied to its owner and, for company customers, to the company it belongs to. Isolation is enforced in the database itself (row-level security), not just in application code: a request signed in as one user cannot read another user's rows, and nothing is visible outside its company. We prove this continuously with an automated isolation suite that runs real queries against the live service from separate accounts and must pass before isolation-related changes ship.
Access control and sharing
Everything is private by default. A deck or workspace becomes visible to a teammate only through an explicit share (view or edit), and deleting content is reserved for its owner. Company administrators govern their own company only; membership of every company is fenced to approved email domains.
Encryption
All traffic is encrypted in transit with TLS. The domain enforces HTTPS strictly and is submitted to the browser preload list, so connections cannot be downgraded. Data is encrypted at rest by our hosting providers (see the subprocessors list).
Your uploaded files
Files you upload for a deck are used to build that deck and are then deleted; they are not retained. The only exception is a feature you switch on deliberately: connecting a deck to a workspace with data retention enabled keeps the extracted tables so future decks can use them, and you can view and delete everything retained at any time.
Payment data
Payments are handled by Stripe. Card numbers never touch our servers and we never store them.
Application safeguards
The AI pipeline carries layered protection against prompt injection (documents are treated as data, never as instructions, with automated detection on output), figure verification that removes numbers not found in your source material, and spending controls that cap what any account can consume. Server-side checks, not the browser, are the authority for every access and billing decision.
Monitoring and development practice
Errors and suspicious activity are monitored continuously (Sentry, EU-hosted). Every code change passes an automated pipeline that includes type checks, tests, dependency vulnerability audits and secret scanning of the full history. Administrative actions inside the service are recorded in an append-only audit log.
Account deletion
You can delete your account and its data yourself from the account page at any time. Details of what is removed and what is anonymised are in the privacy policy.
Responsible disclosure
If you believe you have found a vulnerability, email contact@nexlyrai.uk with enough detail to reproduce it. We will acknowledge promptly, keep you informed and not pursue good-faith research conducted without harming other users' data or the service.