Security

Last updated 2 July 2026

Nexlyr AI handles business material that is often confidential. This page describes the protections that are actually in place today, in plain English. Questions or reports go to contact@nexlyrai.uk.

Tenant isolation

Every deck, workspace, draft and saved slide is tied to its owner and, for company customers, to the company it belongs to. Isolation is enforced in the database itself (row-level security), not just in application code: a request signed in as one user cannot read another user's rows, and nothing is visible outside its company. We prove this continuously with an automated isolation suite that runs real queries against the live service from separate accounts and must pass before isolation-related changes ship.

Access control and sharing

Everything is private by default. A deck or workspace becomes visible to a teammate only through an explicit share (view or edit), and deleting content is reserved for its owner. Company administrators govern their own company only; membership of every company is fenced to approved email domains.

Encryption

All traffic is encrypted in transit with TLS. The domain enforces HTTPS strictly and is submitted to the browser preload list, so connections cannot be downgraded. Data is encrypted at rest by our hosting providers (see the subprocessors list).

Your uploaded files

Files you upload for a deck are used to build that deck and are then deleted; they are not retained. The only exception is a feature you switch on deliberately: connecting a deck to a workspace with data retention enabled keeps the extracted tables so future decks can use them, and you can view and delete everything retained at any time.

Payment data

Payments are handled by Stripe. Card numbers never touch our servers and we never store them.

Application safeguards

The AI pipeline carries layered protection against prompt injection (documents are treated as data, never as instructions, with automated detection on output), figure verification that removes numbers not found in your source material, and spending controls that cap what any account can consume. Server-side checks, not the browser, are the authority for every access and billing decision.

Monitoring and development practice

Errors and suspicious activity are monitored continuously (Sentry, EU-hosted). Every code change passes an automated pipeline that includes type checks, tests, dependency vulnerability audits and secret scanning of the full history. Administrative actions inside the service are recorded in an append-only audit log.

Account deletion

You can delete your account and its data yourself from the account page at any time. Details of what is removed and what is anonymised are in the privacy policy.

Responsible disclosure

If you believe you have found a vulnerability, email contact@nexlyrai.ukwith enough detail to reproduce it. We will acknowledge promptly, keep you informed and not pursue good-faith research conducted without harming other users' data or the service.