§ 01 / 06
Security · Trust Center · Posture, certs, residency
For CISOs, security architects, compliance.
Posture green · last verified 04:11 UTC
exAI Agentic OS · Trust Center

Security as a primitive,
not a feature.

exAI runs every workspace in its own Firecracker microVM, encrypts every artefact under a key you control, and streams every action to your SIEM in under a second.

This page is the operator memory: the isolation model, the secret-handling pipeline, the audit log targets, the certifications we hold today, and the deployment shapes — managed cloud, private cloud, air-gapped — that we ship against. No marketing. Real numbers, real control planes.

Firecracker microVMs · Customer-managed KMS · Pre-prompt scrubbing · 0-day prompt retention
Posture · live
  • SOC 2 controls in scope · 92 / 92 · 0 exceptions · reissued Mar 2026
  • ISO 27001 · operational: yes · Annex A · 93 controls covered
  • Customer-managed KMS regions · AWS · GCP · Azure · on-prem
  • P1 incident response · SLA · 24×7 · 6 dedicated SREs
  • kms.rotate · 90-day default · green
Fig. 01 · last 60 s of trust signals, streamed from the control plane
§ 02 / 06
Isolation model

One workspace.
One microVM. Always.

Every workspace boots inside its own Firecracker microVM under KVM. Tenants never share a kernel. Network paths are per-tenant: every microVM has its own veth, its own egress allowlist, and its own rotating disk-encryption key. The control plane never reaches inside a workspace — it only schedules them.

exAI does not run untrusted code in containers. Containers share the host kernel — that surface is too wide for the threat model. Instead, every workspace, every long-running agent task, and every Builder preview boots inside a Firecracker microVM. Boot is 125 ms cold, snapshot resume is 612 ms, and the per-VM kernel is a hardened, minimal Linux with no SSH and no inbound surface.

Networking is built the same way. Each microVM gets a per-tenant veth pair landed in a tenant-scoped network namespace. Egress is enforced by an eBPF program loaded into the host: default-deny, with allowlists derived from the tenant's policy bundle. Inter-workspace traffic is impossible without an explicit, signed policy approval.

Disks are encrypted per-VM with AES-256-XTS, keyed off the tenant data-encryption key (DEK), which itself is wrapped by a customer-managed KEK in your KMS. When a workspace is destroyed, its image, snapshot, and key material are shredded inside the same minute.

  • Cold boot · 125 ms · Firecracker, p99
  • Snapshot resume · 612 ms · memfd, NVMe
  • Tenant blast-radius · 1 microVM · by construction
Invariants · enforced · 5 / 5 green
  1. 01 · vCPU floor
    1 vCPU per workspace, hard floor
    No pinning to noisy neighbors. cgroups v2 + cpuset enforcement.
  2. 02 · KVM-isolated
    One microVM per tenant workspace
    Firecracker over KVM. No shared kernel, no shared user namespace.
  3. 03 · Snapshot-resume
    Resume in 612 ms · cold start 4.1 s
    Per-workspace memory snapshot on idle, restored from disk on hit.
  4. 04 · eBPF egress filter
    Per-VM allowlist, default-deny
    No outbound to public IPs unless declared in workspace policy.
  5. 05 · Rotating per-VM image keys
    AES-256-XTS, key per microVM lifetime
    Image keys derived from tenant DEK; rotated on snapshot, never reused.
Verified at every workspace boot · policy.bundle v2026.04
§ 03 / 06
Secret handling · Audit

Nothing leaks.
Everything is witnessed.

Four layers between a prompt and your SIEM. Pre-prompt scrubbing for sensitive inputs. Customer-managed KEKs for everything stored. An immutable audit log streamed to the tools your SOC already uses. Retention policies that match regulated workloads — not a vendor's preference.

Pre-prompt scrubbing · enforced
regex + ML detector

Every prompt and every tool input passes a two-stage scrubber. Stage 1 is a deterministic regex pack (AWS keys, GCP service accounts, GitHub PATs, JWTs, RFC-822 emails, IBANs). Stage 2 is a small classifier trained on internal labelled corpora to catch shaped-but-novel secrets and PII.

scrub.detect → match=AWS_ACCESS_KEY_ID
scrub.replace → ‹AKIA****REDACTED***›
Stage 1 · 247 patterns · Stage 2 · 14 ms p95
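As an added example (not exAI's code), this is what the Stage 1 regex pass can look like, emitting the detect/replace events shown above; the four patterns, the ‹prefix****REDACTED***› format and the sample prompt are assumptions modelled on this page.

```python
import re
from typing import Callable

# Stage 1 of the two-stage scrubber: a deterministic regex pack run over every
# prompt and tool input. These four patterns, the ‹prefix****REDACTED***› format
# and the sample prompt are assumptions modelled on the page, not exAI's pack.
PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GITHUB_PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Base64url JWTs start with 'eyJ' (an encoded '{"') and have two dots.
    "JWT": re.compile(r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
                      r"\.[A-Za-z0-9_-]+(?![A-Za-z0-9_-])"),
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}

def redact(match: re.Match) -> str:
    # Keep four leading characters so an operator still sees the credential
    # family (AKIA, ghp_, eyJ...) while the secret itself never reaches the model.
    return f"‹{match.group(0)[:4]}****REDACTED***›"

def scrub(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (redacted text, audit events) for one prompt or tool input."""
    events: list[tuple[str, str]] = []

    def logged(name: str) -> Callable[[re.Match], str]:
        def inner(m: re.Match) -> str:
            replacement = redact(m)
            events.append(("scrub.detect", f"match={name}"))
            events.append(("scrub.replace", replacement))
            return replacement
        return inner

    for name, pattern in PATTERNS.items():
        text = pattern.sub(logged(name), text)
    return text, events

# Constructed sample prompt; the AWS key is AWS's published placeholder key.
SAMPLE_PROMPT = (
    "Deploy with key AKIAIOSFODNN7EXAMPLE and token "
    "ghp_0123456789abcdefghijABCDEFGHIJklmnop, auth header "
    "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJrLm1vcmkifQ.c2lnbmF0dXJl, "
    "then notify k.mori@example.com."
)

if __name__ == "__main__":
    clean, log = scrub(SAMPLE_PROMPT)
    print(clean)
    for action, detail in log:
        print(f"{action} → {detail}")
```

Pattern order matters in a real pack: longer, more specific patterns run first so a generic one (emails, IBANs) never partially redacts a token and leaves the rest intact.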
Per-tenant KEK · enforced
AWS KMS · GCP KMS · Azure KV

Each tenant has its own key encryption key (KEK), held in your KMS — not ours. exAI never holds plaintext key material; we hold a wrapped DEK that only your KEK can decrypt. Rotate the KEK and every workspace re-keys on next boot. Pull the KEK and the tenant goes opaque in 30 seconds.

kms.encrypt(arn:aws:kms:eu-west-1:.../tenant-abc-kek)
→ ciphertext.dek = AQID***wrapped***
AES-256-GCM · 90-day rotation · revocable
Audit log · enforced
Datadog · Splunk · CloudTrail · Iceberg

Every action — workspace boot, agent step, file read, KMS unwrap, IdP claim — becomes a structured event. Events stream to your SIEM over a customer-pull or push connector. We also write to an immutable S3-Iceberg log with hash-chained manifests, so your auditor can independently verify any claim.

{ts:1746...,actor:'k.mori',action:'agent.exec',
 target:'TestWriter',workspace:'wks-prod-01'}
Sub-second p95 · hash-chained · WORM
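An added example, not exAI's implementation, of a hash-chained manifest and the independent verification it allows an auditor; the SHA-256 linking rule, the genesis value and the sample events are assumptions modelled on the record shape above.

```python
import hashlib
import json
from typing import Iterable, Optional

# Event shape follows the page's sample record; the SHA-256 linking rule,
# the genesis value and the sample events are assumptions, not exAI's schema.
GENESIS = "0" * 64  # anchor for an empty chain (assumption)

def canonical(event: dict) -> bytes:
    # Canonical JSON: identical bytes regardless of producer key order/whitespace.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor's hash and its own event body, so
    # editing or reordering any earlier event changes every later hash.
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(event)).hexdigest()

def build_manifest(events: Iterable[dict]) -> list[dict]:
    """Append-only manifest: one {prev, hash, event} entry per event."""
    manifest, prev = [], GENESIS
    for ev in events:
        h = link_hash(prev, ev)
        manifest.append({"prev": prev, "hash": h, "event": ev})
        prev = h
    return manifest

def verify_manifest(manifest: list[dict]) -> Optional[int]:
    """Index of the first broken link, or None if the chain is intact. Dropping
    the tail is only detectable if the head hash is anchored out of band."""
    prev = GENESIS
    for i, entry in enumerate(manifest):
        if entry["prev"] != prev or link_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

# Constructed sample events in the page's record shape (not real log data).
SAMPLE_EVENTS = [
    {"ts": 1746000000, "actor": "k.mori", "action": "workspace.boot", "target": "wks-prod-01", "workspace": "wks-prod-01"},
    {"ts": 1746000003, "actor": "k.mori", "action": "agent.exec", "target": "TestWriter", "workspace": "wks-prod-01"},
    {"ts": 1746000004, "actor": "svc.exai", "action": "kms.unwrap", "target": "tenant-abc-kek", "workspace": "wks-prod-01"},
]

def tamper_demo() -> tuple[Optional[int], Optional[int]]:
    """Honest chain verifies (None); rewriting one actor is caught at index 1."""
    manifest = build_manifest(SAMPLE_EVENTS)
    forged = build_manifest(SAMPLE_EVENTS)
    forged[1]["event"] = {**forged[1]["event"], "actor": "someone.else"}
    return verify_manifest(manifest), verify_manifest(forged)
```

Rewriting an event and recomputing only that entry's own hash is still caught, one index later, because the next entry's prev no longer matches; the WORM store only has to protect the head hash for the whole chain to be verifiable.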
Retention · enforced
0-day on prompts · 7-year on audit

Prompts and tool inputs are not retained for training — ever, on any tier, by any operator. The transient store is purged inside 24 hours. The audit log is the opposite — it is retained for 7 years (configurable upward to 10), encrypted at rest, with quarterly key rotation and verifiable deletion.

retention.policy = {prompts:0d, audit:2557d, replay:30d}
Configurable per tenant · GDPR + HIPAA aligned
§ 04 / 06
Certifications & attestations

The paperwork your auditor
actually asks for.

Reports, attestations, and BAAs available under NDA via the Trust Center. Each certificate ships with a controls matrix, penetration test summary, and the most recent audit management response. FedRAMP Moderate is in 3PAO assessment with target authorization Q3 2026.

● Operational
SOC 2 Type II
92 / 92 controls · reissued Mar 2026
cert · 01 · under NDA
● Operational
ISO 27001
Annex A · 93 controls · audited Feb 2026
cert · 02 · under NDA
● Operational
ISO 27701
Privacy IMS · aligned to GDPR
cert · 03 · under NDA
● Operational
HIPAA
BAA available · HITRUST CSF mapped
cert · 04 · under NDA
● Operational
PCI DSS 4.0
SAQ-D · scoped tenants only
cert · 05 · under NDA
● Operational
GDPR · DPF
EU-US Data Privacy Framework certified
cert · 06 · under NDA
● Operational
CSA STAR
Level 2 · CCM v4 · self-assessment + audit
cert · 07 · under NDA
○ In progress
FedRAMP
Moderate · 3PAO assessment · Q3 2026
cert · 08 · under NDA
7 of 8 operational · 1 in progress
Annual third-party audits · big-4 + cybersecurity boutique
§ 05 / 06
Sovereign · Air-gapped

Run it in your perimeter.
Or run it offline. Both ship.

Three deployment shapes, one product. Pick the one that matches your regulator, your network, and your procurement. Each ships from the same Helm chart, audited the same way, supported by the same SRE rotation — no second-class installations.

01 · Private cloud · GPU-backed

Single-tenant control plane in your VPC, GPU-backed compute on AWS Outposts, GCP Distributed Cloud Edge, Azure Local, or HPE GreenLake. Your network, your IdP, your KMS — exAI runs as a managed workload inside the perimeter.

Sector fit · live customers
  • Banking · Tier-1 · multi-region
  • Healthcare · HIPAA · HDS
  • Defense-adjacent · Classified-tier
  • Energy · Grid · upstream
  • Telecom · Carrier-grade
  • Public · National gov.
02 · Air-gapped · Sovereign installs

Full offline install. Helm chart on Kubernetes 1.29+, signed model bundles delivered on encrypted media, a local mirror for telemetry, and a one-binary update channel. No phone-home, no implicit egress, no exceptions. Tested against airgap-verifier in CI.

Sector fit · live customers
  • Defense-adjacent · SCIF deployments
  • Banking · Sanctioned-region
  • Energy · OT · ICS networks
  • Public · Classified · sovereign
  • Telecom · Lawful-intercept zones
  • Healthcare · Research isolates
03 · Customer-managed everything · BYOC · BYOK · BYOM

DNS, KMS, identity, models, telemetry — all customer-owned. Bring your own Anthropic, OpenAI, Mistral, or self-hosted Llama / Qwen endpoints. exAI is the runtime; the keys, the models, and the data planes are yours. Runbook included.

Sector fit · live customers
  • Banking · BYOK · BYOM
  • Healthcare · BYO-LLM · de-id
  • Defense-adjacent · Sovereign-LLM
  • Energy · On-prem inference
  • Telecom · Edge inference
  • Public · Sovereign-cloud
Helm chart parity across all three shapes · same audit log schema · same control plane API
One SRE rotation · 24×7
§ 06 / 06
Decide where the runtime lives

Bring it into your perimeter.
Or leave it at the edge.

We ship the same product into managed cloud, your private cloud, and air-gapped sovereign sites. The control plane is the same. The audit log is the same. The certifications are the same. The only thing that changes is who owns the keys — and that's a choice you make, not a tier we sell.

Trust Center · v2026.04 · last verified 04:11 UTC · security@exai.dev · PGP fingerprint on request