Security at Cerul
Cerul holds your team's video archive. We treat that responsibility seriously. This page documents how — encryption, data handling, compliance, and the controls you keep.
Last updated 2026-05-17 · Contact security@cerul.ai
Your data never trains any model.
- We do not train any Cerul model on customer videos, transcripts, embeddings, or queries.
- We do not share customer data with third-party model providers for training.
- We do not use one customer's data to improve another customer's search results.
- This commitment is binding — written into our DPA and Terms of Service.
If we ever change this policy, we will give you 90 days' written notice and the right to opt out and export all of your data.
What we collect — and what we never touch
What we collect via your connectors
- Video files (mp4 / mov / webm): for indexing only
- Audio extracted from video: for transcription
- Keyframes (image samples): for visual embeddings
- Transcripts produced by Whisper: search index
- Metadata (title, duration, source URL, timestamps): search index
- ACL (who can access each video in the source platform): permission enforcement
What we never touch
- Slack DMs or message content
- Slack channels we have not been added to
- Zoom meetings that were not cloud-recorded
- Account passwords (OAuth never exposes them)
- Any data outside the OAuth scopes you granted
- Any data from workspaces other than the one connected
Encrypted everywhere
- In transit: TLS 1.3. All API and bot traffic.
- At rest: AES-256. Per-workspace encryption keys.
- Key storage: Cloud KMS. AWS KMS / Google Cloud KMS — keys never in code or DB.
- Backups: Encrypted. Separate keys, separate region, 30-day rotation.
Enterprise customers can bring their own keys (BYOK) via AWS KMS, Azure Key Vault, or GCP KMS. Contact sales.
We hold only what is needed, only as long as needed
| Data class | Retention |
|---|---|
| Raw video files | Deleted 7 days after indexing (configurable: immediate, or kept for re-embed) |
| Transcripts | Retained while workspace is active |
| Embeddings | Retained while workspace is active |
| Query logs | 90 days, then aggregated / anonymized |
| Backups | Encrypted, cross-region, 30-day rotation |
| On workspace deletion | All data purged within 7 days, no recovery |
| On OAuth revocation | Token invalidated within seconds; index becomes read-only |
Who can access your data
Customer admins
Full access within their workspace via product UI.
Customer users
ACL-filtered access. Can only see what their source-platform permissions allow.
Cerul employees
No routine access. Support requires a customer-approved, time-limited grant (max 24h), with every action logged.
Every access event — customer or Cerul — is recorded in an audit log visible to customer admins.
Built for procurement
- ✅ GDPR-compliant DPA available for any customer
- ✅ CCPA-compliant
- 🚧 SOC 2 Type II — audit in progress
- 🚧 ISO 27001 — planned Year 2
- 🚧 HIPAA + BAA — available on Enterprise with healthcare addendum
Standard questionnaires we can complete: SIG Lite, SIG Core, CAIQ, VSA. Request our trust portal.
Production-grade by default
Hosting
AWS US-East (Virginia) primary, US-West (Oregon) backup. EU (Frankfurt) available on Enterprise.
Isolation
Per-workspace data isolation at storage and query layers. Vector indexes are stored per-tenant.
Monitoring
24/7 automated monitoring. On-call engineer for sev-1 incidents.
Backups
Daily encrypted, retained 30 days, cross-region replication.
DDoS
Cloudflare in front of all public endpoints.
Network
Private subnets, security groups, no public databases.
You stay in control — always
Revoke any connector
From your source platform's admin console. We stop fetching new content within seconds; existing index becomes read-only.
Export your data
All transcripts, metadata, and audit logs as JSON / CSV at any time.
Delete specific videos
From the Cerul Flow admin UI, anytime.
Delete your workspace
Self-serve, 7-day grace period, then permanent purge of all data.
Request a security report
Pen test summary, SOC 2 progress, security questionnaires (SIG, CAIQ) under NDA.
Third parties we use to operate Cerul
We disclose every third-party service that may process customer data. Email security@cerul.ai to subscribe to subprocessor change notifications.
| Vendor | Purpose |
|---|---|
| AWS | Hosting, storage, encryption (KMS) |
| Cloudflare | CDN, DDoS protection, edge |
| Neon | Managed PostgreSQL |
| Stripe | Billing |
| Resend | Transactional email |
| PostHog | Product analytics (workspace-aggregated; no content) |
| Slack / Zoom / Loom | Connector APIs (per-customer OAuth) |
If something goes wrong
Report a security issue
Email security@cerul.ai. We respond within 24 hours.
A formal bug bounty program is planned for Q3 2026 via HackerOne. In the meantime, responsible disclosures are welcomed and acknowledged.
If a breach affects your data
- You will be notified within 72 hours.
- We will tell you what was accessed, when, by whom (if known), and what data was involved.
- We will share remediation steps and timeline.
Questions, or running a security review?
We respond to security questionnaires, DPAs, and trust portal requests within one business day.