Many firms use one or more security tools that inspect or filter outbound network traffic — Secure Web Gateways (SWGs), endpoint protection platforms, browser isolation products, corporate firewalls, DLP browser extensions, anti-virus suites with web protection, or content-filtering DNS resolvers. Any of these can block or interrupt traffic to ELLA, often inadvertently.
ELLA is an AI-assisted platform built for advisors who work with confidential client data. To security controls designed to keep that data away from public AI tools or untrusted destinations, ELLA can look like the exact thing they are meant to block. The result: chat, Sensemaking, and document upload features may fail intermittently or completely until ELLA is explicitly sanctioned in your firm's security stack.
This guide helps advisors recognize when a security tool is the cause and helps IT teams resolve it.
Advisors: read the Symptoms and Quick test sections to confirm the problem, then forward this article to your IT team.
IT or security administrators: the rest of the guide explains what is happening and what to allow.
When a corporate security tool is interfering with ELLA, users typically see one or more of these:
The app loads and sign-in works, but chat or Sensemaking does not respond or fails mid-response.
Streaming responses cut off after a few characters or freeze partway.
Document uploads fail with a generic error.
The browser shows a vendor-branded block page, a certificate warning, a timeout, or a connection reset.
The browser network panel shows requests that never complete or return non-ELLA response bodies.
Errors appear only on corporate devices or corporate networks — the same user account works on a personal device or non-corporate Wi-Fi.
If you can briefly try ELLA from a personal device on a non-corporate network (a phone on cellular is fine), do so. If it works there but fails on your corporate laptop or network, a security tool somewhere between your browser and ELLA is the cause. Forward this article to your IT team.
Security tools commonly apply one or more of the following policies that can affect ELLA:
GenAI / AI category filtering. The tool maintains a list of generative-AI applications and blocks the category wholesale.
Data Loss Prevention (DLP) on prompts and uploads. The tool inspects the content of messages and files and blocks anything matching a data-loss policy — PII, account numbers, client identifiers, or financial data.
TLS inspection side effects. Tools that perform SSL break-and-inspect can buffer or interrupt long-lived streaming connections, causing chat responses to truncate even when nothing is being deliberately blocked.
URL category or domain reputation blocks. New or unfamiliar domains can be flagged by threat-intel feeds or default URL categories until explicitly trusted.
Browser-level content blocking. DLP browser extensions, browser isolation products, and strict privacy extensions can strip cookies, block scripts, or interfere with streaming responses.
These behaviors are intentional and exist for important reasons. ELLA is built for the same confidentiality obligations these tools are designed to enforce — but the tool cannot know that until you tell it.
You may have one or several of these in your environment. The configuration concepts below apply to all of them:
Secure Web Gateways (SWGs): dope.security, Zscaler, Netskope, Cisco Umbrella, Palo Alto Prisma Access, iboss, Forcepoint, Skyhigh.
Endpoint protection / EDR with web filtering: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos.
Browser isolation and enterprise browsers: Island, Menlo Security, Talon.
DLP browser extensions and other in-browser data-loss tools.
Corporate firewalls / NGFWs: Palo Alto Networks, Fortinet, Check Point.
Anti-virus suites with web protection.
Content-filtering DNS resolvers (for example, Cisco Umbrella DNS, NextDNS).
Have an affected user reproduce the issue while you check:
Open browser DevTools → Network while sending a chat message. Look for:
A request to a path beginning with /api/ai/stream or /api/ella-ai/ that hangs, resets, or returns a non-ELLA response body.
Block-page HTML or a vendor-branded interstitial in the response.
Certificate warnings or TLS errors.
Compare against off-network behavior. If the same user account works from a cellular hotspot or non-corporate network, the variable is on your corporate network or device.
Check each security tool's admin console for blocked or DLP-flagged entries against ELLA's hostnames (listed below). Most consoles label the entry by application, URL, or DLP rule that fired.
Disable browser extensions as a process of elimination if everything else looks fine.
If you see no entry in any admin console and no failed request in DevTools, the issue is likely not security-tool-related — contact ELLA support so we can investigate the application path.
Sanction the following hostnames as a trusted business application in each relevant security tool:
app.exitwithella.io [verify with your ELLA admin]
*.exitwithella.io — covers API and auxiliary services [verify]
Any additional hostnames provided by your ELLA admin.
For each tool that inspects or intercepts traffic, apply the following exclusions to those hostnames:
Exclude from DLP and AI-prompt inspection. ELLA is a sanctioned destination for the kinds of data your DLP is designed to monitor in transit to unsanctioned AI tools.
Exclude from GenAI and AI category blocks and confirm the domains are not categorized as untrusted, new, or uncategorized.
Disable TLS / SSL inspection for these hostnames, or trust ELLA's certificate chain. This prevents streaming responses from being buffered or interrupted.
Permit long-lived streaming connections (Server-Sent Events) on these hostnames.
Exclude from browser isolation rules that strip cookies, block scripts, or render pages remotely.
Permit DNS resolution at any filtering DNS resolver.
Exact UI varies by product, but the relevant settings typically live under names like these:
SWGs and NGFWs: Cloud App Control or Sanctioned Apps, DLP or Data Protection, SSL/TLS Inspection, URL Filtering Exceptions.
EDR with web protection: Web Control Allowlist, Trusted Sites, exclusions for streaming or long-lived connections.
Browser isolation and enterprise browsers: Trusted Applications or Pass-Through Domains, and DLP policy exclusions for the same hostnames.
DLP browser extensions: application allowlist or domain exception list.
DNS resolvers: allowlist or bypass entries for ELLA's domains.
The concepts are consistent across vendors: allow the domain, exclude it from inspection, and permit streaming.
If you need help locating the right setting in a specific product, contact ELLA support.
If you have allowlisted ELLA's hostnames and the issue persists, or if you would like product-specific configuration assistance, contact [email protected] and we will work with your IT team directly.