Data protection
Your client work is encrypted at rest with per-tenant keys and in transit with TLS 1.3. Backups are encrypted, immutable, and retained for 30 days.
- AES-256 at rest
- TLS 1.3 in transit
- Daily backups, 30d retention
Client work belongs to the agency that built it. We encrypt it, log access to it, and commit to never training on it. Here’s exactly how that’s wired up today — and what’s shipping next.
```text
$ cat security/posture.md
# zyan.ai security posture
◐ soc_2_type_ii : in_progress · target Q3 2026
○ hipaa_baa : on_request · Enterprise
● gdpr : supported
● ccpa : supported
● sso_saml : Agency+
○ scim_provisioning : Enterprise
● encryption_at_rest : AES-256 · per-tenant keys
● encryption_in_transit : TLS 1.3
● default_region : us-east-1
○ eu_region : on_request · Enterprise
● audit_log_retention : 30d · 1y · custom
● pentest : annual · last 2026-02
○ vuln_disclosure : security@heckofawebsite.com
```
Boring, auditable, boring. That’s the job. Each of these is practiced, not aspirational; the trust packet linked below spells out the details your compliance team will want.
SSO on Agency+ with Okta, Azure AD, Google Workspace, OneLogin, and JumpCloud. SCIM provisioning and role-based access on Enterprise.
Compute runs in isolated containers on AWS US-East by default. Enterprise customers can pin workloads to a dedicated region with single-tenant pools.
We use a small, audited set of subprocessors. Each is DPA-bound and reviewed annually. A full list and purpose is below.
Our on-call rotation is paged on every P0 / P1 event. Customers are notified within 72 hours of any incident affecting their data, in line with the GDPR’s breach-notification window.
We only process the data you put in your workspace. No training, no selling, no advertising. Delete your workspace and your data is purged within 30 days.
Here’s what’s shipping, when. If a milestone slips, this page updates — nowhere else.
Each subprocessor is on a current DPA, reviewed annually, and scoped to the purpose listed below. Want the full trust packet, including the subprocessor SLA table? Request it below.
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, storage, networking | us-east-1 (EU on request) |
| Cloudflare | CDN, DDoS protection, WAF | Global edge |
| Vercel | Marketing site hosting | US / EU |
| Resend | Transactional email | US |
| Stripe | Billing & subscription management | US |
| Anthropic · OpenAI · Google | AI model providers (opt-in per workspace) | US |
| Sentry | Error monitoring (scrubbed) | US |
| BetterStack | Uptime monitoring & status page | EU |
The trust packet covers pen-test results, DPA templates, incident-response playbooks, and the full subprocessor SLA matrix. Share it with your security team and they’ll be quicker to green-light the pilot.