Built for Enterprise Procurement
Expert Scale, Inc. builds the Apex Replicant platform with enterprise security as an architectural starting point — not a configuration toggle. Below is the public summary. For full diligence-grade detail, see the Enterprise Due Diligence Response.
Three-Layer Security Architecture
Isolated knowledge bases. Each expert’s knowledge base lives in its own namespace, isolated by a unique
protege_id. Every vector search is hardcoded to scope to that namespace. No code path returns content from another knowledge base.Isolated client sessions. Per-client per-session scoping ensures one client’s conversation history can never surface in another client’s session. Row-Level Security at the database layer enforces this independently of application code.
Filtered LLM access. Your PII and proprietary content never pass through a public LLM. LLM access is bounded by the expert’s validated knowledge base. The model cannot answer outside that domain — it escalates instead.
This is the mechanism behind Expert Scale’s zero-hallucination guarantee.
Compliance Posture
| Certification | Layer | Status |
|---|---|---|
| SOC 2 Type II | GCP infrastructure (inherited) | Certified |
| ISO 27001 | GCP infrastructure (inherited) | Certified |
| SOC 2 Type II | Supabase database (inherited) | Certified |
| SOC 2 Type II | Expert Scale application layer | In audit |
| HIPAA BAA | PHI-handling deployments | Available — contact for terms |
Expert Scale’s application-layer SOC 2 Type II certification is committable as a contractual milestone for enterprise agreements. Both founders have direct experience operating in HIPAA-regulated environments; a BAA is available for healthcare-vertical deployments.
We do not claim SOC 2 Type II certification at the application layer until the audit completes. We tell you the truth and ship the attestation when the auditor signs.
Zero-Hallucination, Built Into the Architecture
When the system reaches the edge of what the knowledge base contains, it does not guess. It escalates to the human expert with full session context attached.
The four guardrails:
- G1 — Context Before Answer. The Protégé gathers context before generating a response, the way a careful expert would.
- G2 — Memory. Session history and long-term client context inform every response.
- G3 — KB First. The expert’s knowledge base is always the primary source. The LLM augments within the validated domain — it does not fill gaps from general training data.
- G4 — Scope Fence. Outside the expert’s validated domain, the Protégé escalates rather than guessing.
The boundary is defined by the knowledge base. Patent claims cover the specific mechanism that distinguishes genuine retrieval failure from tangentially related content.
Data Sovereignty
| Deployment | Description |
|---|---|
| Standard SaaS | Fully managed on Google Cloud Platform. Logical isolation via Row-Level Security and scoped vector search. No customer infrastructure required. |
| GCP Private VPC | Expert Scale services deployed in a private VPC — either Expert Scale’s GCP org or the customer’s own GCP project via secure peering. |
| On-Premises / Customer Infrastructure | Knowledge corpus stored in the customer’s own infrastructure. Expert Scale connects via encrypted API with dedicated key. Customer retains full physical data control. |
For enterprise agreements, customer data ownership is contractual. At contract termination, all data stays within the customer organization — no retention, no negotiation, no lock-in.
What We Do NOT Do
- Train models on customer data. Foundation models are used under enterprise terms that prohibit training on our customer data. Expert-specific protégé behavior comes from prompts and retrieval-augmented generation, not fine-tuning a shared model.
- Share knowledge between tenants. No code path retrieves content from another tenant’s namespace. Multi-division isolation is architectural, not policy.
- Expose your PII to public LLMs. Filtered access is enforced at the architecture layer.
Reporting a Vulnerability
Found something? Email info@expertscale.ai with the details and Security: Vulnerability Report in the subject. We respond to every report. We do not pursue legal action against researchers acting in good faith. Standard responsible-disclosure window applies before public disclosure.
Next Steps
- Read the full diligence response → Enterprise Due Diligence Response — 30 questions across 8 domains.
- Request a security briefing call → info@expertscale.ai — Architecture overview, compliance posture, sub-processor list, incident-response runbook.
- Talk to our security team → info@expertscale.ai
Expert Scale, Inc. is a Nevada corporation headquartered in Las Vegas. The Apex Replicant platform is the company’s flagship product. All references to security architecture describe the platform implementation as Expert Scale operates it.