Xelinier Compliance Authority (XCA). Real-time decision infrastructure for GDPR-governed data actions. Violations prevented. Not discovered.
XCA evaluates sensitive employee-data actions before execution. GDPR violations are prevented before employee data is transferred, processed, or exposed.
The action is stopped before execution. The data never moves. A complete audit log — timestamp, reason, risk score, GDPR article — is written immediately. The violation never occurred.
All conditions are satisfied. The action proceeds. XCA records the decision and the basis for it. Your audit trail is complete — with no manual effort required.
A lawful basis exists, but a transfer or processing condition must be met first — SCCs for a cross-border move, for example. XCA tells you exactly what is required and in many cases resolves it automatically.
Traditional governance tools sit downstream in the data path — reading traffic, inspecting payloads, and logging content to make decisions. Your data passes through their hands. Trust is assumed, not engineered.
XCA infrastructure evaluates intent, not content. Your payload never enters our boundary — by architectural design, not policy promise. We govern whether execution may proceed. We never see what is being executed.
Data action executes → logs written → audit happens later → violation found → ICO fine issued. By the time anyone knows something went wrong, it is already too late.
Data action triggered → XCA evaluates → ALLOW or DENY returned → if blocked and fixable, agent resolves → action proceeds or is stopped. Violations prevented, not discovered.
Most systems react after data has already been processed, shared, stored, or transferred. Xelinier XCA moves compliance to the moment before execution.
XCA delivers complete GDPR enforcement — not just a score, but the entire register underneath it, visible to your DPO and auditable by the ICO on demand.
POST /check-action returns ALLOW, DENY, or CONDITIONAL with confidence score, triggered rules, reason, and remediation steps. Real enforcement — not advisory.
When XCA blocks a fixable action, an AI agent executes approved remediation — DPA request emails, compliant infrastructure provisioning, sensitive field redaction. XCA re-validates before proceeding.
Controller/Processor Register, Breach Response, Training Dashboard, App Inventory, Security Controls, ROPA and Lawful Basis — all live, all linked to the decision infrastructure.
Every decision ever made — timestamp, outcome, reason, risk score, data type, jurisdiction. Fully exportable. Regulator-ready on demand. No manual trail required.
A live compliance report generated from XCA decision data. Overall score, risk tier, GDPR article violations, top risk decisions, and immediate actions — in the format an auditor needs to see.
Every governed invocation metered. Live allowance gauge. Usage-linked pricing — pay for what you evaluate, not a flat fee. Audit-grade billing records automatically generated.
72-hour ICO countdown triggered automatically on confirmed breach. Five-step workflow. Notification tracker for ICO, data subjects, sub-processors, customers and leadership.
Pre-execution enforcement for Arts. 15–22 — SAR, Erasure, Rectification, Portability, Objection, Restriction. Each request has an Art. 12 one-month countdown with colour thresholds.
28 pre-built rules across all seven Art. 5 principles. Coverage grid, confidence scores, violation counts, and rule toggles. A visual demonstration of ruleset depth and breadth.
XCA governs by architecture, not policy. It returns a verdict on every data action without ever receiving the underlying data — so the strongest security posture is the one designed in, not bolted on.
XCA evaluates on metadata and cryptographic eligibility evidence only. The intent validator physically rejects any field named payload, content, body, data or blob. We cannot see your records because we never receive them — this is architectural, not a promise.
XCA does not merely document data residency — it enforces Chapter V at the point of action. Transfers to non-adequate countries return DENY regardless of the Article 6 lawful basis, because a lawful basis is not a transfer mechanism.
If a rule cannot be evaluated with confidence, XCA does not guess and does not let the action through. The Policy Decision Point defaults to DENY when uncertain — the safe direction for a control plane sitting in the execution path.
Every verdict is recorded — timestamp, outcome, reason, triggered rules, jurisdiction — under a system-enforced audit principle that cannot be disabled per tenant. Fully exportable and regulator-ready, with no manual trail to maintain.
All traffic is protected with TLS in transit. Tenant boundaries are enforced at every request — one customer's configuration and audit records are never reachable by another. Secrets are held outside source control.
The principle agents evaluate metadata and cryptographic eligibility evidence only — they never receive, inspect, or transmit the underlying data payload, enforced by the intent validator rather than by policy. Where a model assists evaluation, it sees the same metadata, never the payload, and no customer data trains any model. In-tenant deployment is available for data-residency-sensitive customers.
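The three architectural properties above (the intent validator that refuses payload-shaped fields, the fail-closed Policy Decision Point, and Chapter V enforcement independent of the Article 6 basis) can be sketched as a small decision function. This is an added illustration, not XCA's own code: the field names, the rule identifiers, the `check_action` signature and the adequacy list are constructed assumptions, and the verdict shape (ALLOW / DENY / CONDITIONAL with reason, triggered rules and remediation) follows the page's description of `POST /check-action`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field names the intent validator refuses outright, as described on the page.
FORBIDDEN_FIELDS = {"payload", "content", "body", "data", "blob"}
# Constructed adequacy list for illustration only; not a legal reference.
ADEQUATE_COUNTRIES = {"GB", "DE", "FR", "IE", "NL", "CH", "JP"}
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interests"}
AUDIT_LOG: list = []  # every verdict is written here, whatever the outcome


@dataclass
class Verdict:
    decision: str                  # ALLOW, DENY or CONDITIONAL
    reason: str
    triggered_rules: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def check_action(request: dict) -> Verdict:
    """Evaluate a data action on metadata only and record the verdict."""
    leaked = FORBIDDEN_FIELDS & set(request)
    if leaked:
        # Reject before any rule runs: the payload must never enter the boundary.
        verdict = Verdict("DENY", f"intent validator rejected field(s) {sorted(leaked)}",
                          ["INTENT-VALIDATOR"])
    else:
        try:
            verdict = evaluate_rules(request)
        except (KeyError, TypeError) as exc:
            # Fail closed: a rule that cannot be evaluated never lets the action through.
            verdict = Verdict("DENY", f"rule could not be evaluated: {exc!r}",
                              ["PDP-DEFAULT-DENY"])
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "action": request.get("action"), "decision": verdict.decision,
                      "reason": verdict.reason, "rules": verdict.triggered_rules,
                      "jurisdiction": request.get("destination_country")})
    return verdict


def evaluate_rules(req: dict) -> Verdict:
    if req["lawful_basis"] not in LAWFUL_BASES:
        return Verdict("DENY", "no valid Article 6 lawful basis", ["ART6-LAWFUL-BASIS"])
    if req["action"] == "transfer" and req["destination_country"] not in ADEQUATE_COUNTRIES:
        # Chapter V: a lawful basis is not a transfer mechanism.
        if req.get("transfer_mechanism") != "SCC":
            return Verdict("DENY", "transfer to non-adequate country without a mechanism",
                           ["CHAPTER-V-TRANSFER"])
        if not req.get("mechanism_executed"):
            return Verdict("CONDITIONAL", "SCCs identified but not yet executed",
                           ["CHAPTER-V-TRANSFER"], ["execute SCCs with the recipient"])
    return Verdict("ALLOW", "all conditions satisfied")
```

A request missing `destination_country` on a transfer is an unevaluable rule and therefore lands in DENY, which is the behaviour the page attributes to the Policy Decision Point.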
If we become aware of a confirmed personal data breach affecting your organisation, we notify your named contact within 72 hours, with the nature of the incident, records affected, measures taken, and a direct contact for follow-up.
We are an early-stage company and explicit about it. Today we rely on managed infrastructure providers with their own established security programmes. We are evaluating our own assurance — including ISO/IEC 27001 — as the business scales, and will not present a provider's certification as our own.
Xelinier is a trading name of Tek480 Ltd, registered in England and Wales, acting as Data Controller for this site. For our DPA, sub-processor list, or a security questionnaire, email contact@xelinier.com — we respond within one business day.
7 Xelinier proprietary AI agents, one per GDPR Article 5 principle — each assessing every data action in real time before it executes.
Most compliance tools are dashboards and checklists. They tell you what went wrong. They don't prevent violations. A car with no seatbelts.
XCA is designed to answer the hardest questions from your CTO, DPO, and Finance teams — in a single, 20-minute live demo.
Add compliance enforcement and autonomous remediation to your existing client offering
Retain clients longer — enforcement plus automated resolution is stickier than features
Win enterprise deals that competitors cannot close without this capability
Simple API integration — no infrastructure to manage
Every governed invocation — every time XCA evaluates a data action — is metered. You pay for what you use, within your tier allowance. The billing record is audit-grade.
30-day sandboxed pilot available — XCA running on your actual use cases, no customer data required. Contact us to discuss →
ICO fines jumped 7× in 2025. In 2026, a single children's data failure cost one platform £14.47 million. These aren't breach cases — they are governance decision failures.
The ICO received approximately 40,000 data protection complaints and 36,000 personal data breach reports during 2024/25 — yet issued only 11 monetary penalties. The real exposure is not in the fines. It is in the thousands of compliance decisions made every day inside HR, IT, and operations teams that no one is evaluating in real time.
XCA assesses those decisions at the moment they are made — before data moves, before a lawful basis is assumed, before a DPIA is skipped. It evaluates, blocks, and in many cases resolves the issue automatically. The Reddit fine was a DPIA governance failure. XCA would have required that assessment before the processing was permitted.
| HR Action | XCA Decision Point |
|---|---|
| Enable employee monitoring | DPIA required? Lawful basis validated? |
| Deploy AI recruitment tool | ADM rules satisfied? Transparency met? |
| Share employee data with vendor | DPA in place? Article 28 compliant? |
| Transfer HR data overseas | Transfer mechanism confirmed? |
| Process health / special category data | Article 9 condition satisfied? |
| Retain recruitment records | Retention period exceeded? |
We're inviting up to 5 organisations to participate in the Xelinier Compliance Authority (XCA) Founding Pilot Programme.
Over a 30-day sandbox engagement, we'll work with your team to evaluate real-world compliance scenarios and demonstrate how XCA can identify, block, or condition non-compliant data actions before execution.
No customer data required. Metadata only.
XCA running on your actual scenarios in days, not months. No customer data required — only metadata crosses the boundary. Reproduce the reference verdicts and see ALLOW / DENY / CONDITIONAL enforced live.
Work alongside the Xelinier XCA team. Integration support measured in hours, not tickets — and a roadmap that responds to what your compliance and engineering leads actually need.
Preferential commercial terms locked in for the life of the engagement, priority access to new capabilities, and a reference position as one of the first to enforce GDPR before execution.
During the pilot we work with your team to evaluate:
To ensure a high-quality engagement, pilot participation is currently limited to five organisations. Applications are reviewed on use-case suitability and potential impact.
XCA is not a replacement for your DPO — it gives your DPO a superpower. Right now, your DPO is manually reviewing policies after the fact. XCA enforces those policies automatically at the moment data moves. And when something is blockable but fixable, the remediation agent handles it. Your DPO gets to focus on strategy instead of firefighting.
Certifications show intent. Xelinier enforces intent demonstrably. There is a real difference between having a policy that says data shouldn't be transferred without lawful basis, and having a system that actually blocks it — and in many cases resolves it automatically. Regulators are increasingly interested in the second. Most companies fined by the ICO already have policies in place.
It's an API call. Your system sends an action request to XCA — roughly the same integration effort as connecting a payment gateway. We have a sandbox environment you can test in hours, not months. Our 30-day pilot gets XCA running on your actual scenarios with no customer data involved.
Yes — that's the remediation agent. When XCA blocks something fixable — a missing DPA, data in the wrong region, a file with unmasked sensitive fields — the agent executes the approved fix automatically. It generates the vendor email, provisions the right storage, redacts the sensitive fields, then re-submits to XCA for a second evaluation. The agent cannot decide what's compliant — only XCA can do that. Once XCA says what needs fixing, the agent handles execution without human intervention.
The moment a breach is confirmed, XCA starts a 72-hour countdown to ICO notification automatically — your Article 33 obligation. The Breach Response page runs a five-step workflow: contain, assess, notify the ICO, notify affected data subjects, remediate. Every party requiring notification is tracked in one place. Most organisations handle this in a spreadsheet under pressure. That's how they miss the 72-hour window.
A ROPA is a document. XCA maintains a live register. It shows DPA status per processor in real time — Signed, Expired, or Missing. It flags cross-border transfer mechanisms that are out of date. It surfaces Article 28 violations before the ICO does. The question isn't whether you have a ROPA — it's whether your ROPA tells you right now, today, which of your processors you are exposed on.
Pricing is usage-linked — you pay per governed invocation, meaning every time XCA evaluates a data action. This includes policy checks, agent remediation steps, re-validations, DPIA evaluations, and audit writes. Overage is charged per additional 50 million block. One avoided ICO fine pays for years of Xelinier.
"Right now, your platform processes data and hopes it's compliant. With Xelinier, it knows — and when it finds a problem, it fixes it."
Two ways to move forward: a 30-day sandboxed pilot on your actual use cases, or a technical walkthrough with your CTO or compliance lead. Which makes more sense for where you are right now?