About Ercel Security

Why Ercel exists

Ercel Security was born from a real need: while developing AI automation systems for healthcare clinics, critical data leaks and vulnerabilities were discovered in AI chatbots — problems most companies don't even know they have.

The EU AI Act (Reg. 2024/1689) was the missing piece: starting August 2026, companies need to demonstrate compliance. Ercel automates those assessments using the same methodology a manual red team would use, but in minutes and at a fraction of the cost.

Team

Emilio Molina Román — Founder and lead engineer.

  • Fullstack engineer — SaaS platforms and AI automation
  • Hands-on experience with AI system security in production (healthcare sector)
  • Stack: TypeScript, Node.js, React, PostgreSQL, Playwright, LLMs

LinkedIn · Professional contact: [email protected]

Methodology

Each assessment runs 550+ attack vectors across 9 categories, with 223 custom prompts and 26 multi-turn sequences. The engine combines Promptfoo (open-source) with Claude AI for regulatory enrichment:

  • System prompt extraction (LLM07)
  • Personal data leakage — PII (LLM06)
  • Purpose hijacking — jailbreak (LLM01)
  • Excessive agency (LLM08)
  • Harmful content generation (LLM09)
  • Tool abuse (LLM05)
  • Indirect injection — RAG poisoning (LLM02)
  • Cross-tenant exfiltration
  • 10 evasion techniques: Skeleton Key, ArtPrompt, Many-shot, Base64, leetspeak, reversed, low-resource languages

Results are mapped article by article to Regulation (EU) 2024/1689, ISO 27001:2022, and SOC 2 Type II, with AI enrichment to generate regulatory context, financial exposure quantification, and a prioritized regulatory action plan. OWASP LLM Top 10 coverage: 10/10.

Infrastructure

  • EU Data Residency: all infrastructure resides in the European Union. Servers: Hetzner (Germany). Database: Supabase (EU). CDN: Cloudflare (EU endpoints).
  • Encryption: AES-256-GCM at rest, TLS 1.3 in transit. Payments processed entirely by Stripe (PCI DSS Level 1).
  • GDPR-compliant retention: assessment data is automatically deleted after 90 days.
  • External assessment (black-box): we assess your AI system from the outside, just like an attacker or inspector would. No access to code, databases, or internal infrastructure.
  • Open standards: our methodology is based on OWASP LLM Top 10 (public, maintained by the OWASP Foundation).

Contact

For compliance assessment inquiries: [email protected]