Security & Trust Center
Transparency is not a feature — it's our foundation. We are committed to protecting your data with industry-leading security practices, and we publish our policies, certifications, and architecture openly.
Security Certifications
We comply with the regulations listed below today. Formal third-party certifications and audits are on our roadmap as we scale.
GDPR Compliant
Full compliance with the EU General Data Protection Regulation. Data export and deletion available at any time.
CCPA Compliant
California Consumer Privacy Act compliance. California residents have full data access and deletion rights.
HIPAA Aligned
Architectural alignment with HIPAA principles for data protection, access control, and audit logging.
Certification Roadmap
SOC 2 Type II
Service Organization Control 2 audit covering the security, availability, and confidentiality Trust Services Criteria.
ISO 27001
International information security management standard. Scoping and gap analysis underway.
PCI DSS
Payment Card Industry Data Security Standard. All payment processing is handled by our payment provider — we never store card data.
Data Handling
We collect only what is strictly necessary to provide the service. We never sell your data to third parties, and we never mine your content.
What We Collect
- Email addresses (account registration)
- Scan URLs (hashed for privacy)
- Device information (OS version, app version)
- Usage analytics (feature usage, scan frequency)
What We Never Collect
- Email content or message bodies
- File contents or document data
- Personal messages or communications
- Payment card details (handled exclusively by our payment processor — we never store card data)
Subprocessors
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| NOWPayments | Payment processing | Billing information | US / EU |
| MongoDB Atlas | Database storage | Encrypted user data | US / EU |
| AWS | Cloud infrastructure | Application hosting | US / EU |
| Anthropic | AI threat analysis (Claude) | Anonymized scan data | US |
| Google Safe Browsing | URL threat data | Hashed URL lookups | US |
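Two of the items above rest on the same idea: scan URLs are stored as hashes, and the Safe Browsing lookups send hashes rather than URLs. The following is an added example, not Zoxrim's code and not Google's client library. It is a simplified hash-prefix lookup in the style of the Google Safe Browsing Update API, with the canonicalization and host-suffix/path-prefix rules reduced to a subset, a constructed threat list, and a stand-in server class in place of the real provider. It also demonstrates the limit of "hashed for privacy": an unkeyed hash of a full URL can be matched by anyone who can guess candidate URLs.

```python
# Hash-prefix URL lookups, and what "hashed for privacy" does and does not hide.
# Added illustration, not Zoxrim's code. The canonicalization and the host-suffix /
# path-prefix expansion are a simplified subset of the Google Safe Browsing Update
# API rules; the threat list is constructed data and the server is a stand-in.
from __future__ import annotations

import hashlib
from urllib.parse import unquote, urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 the client reveals to the provider


def canonicalize(url: str) -> tuple[str, str]:
    """(host, path): fragment dropped, host lowercased, escapes decoded, '.'/empty segments removed."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = unquote(parts.hostname or "").strip(".").lower()
    raw_path = unquote(parts.path) or "/"
    segments = [s for s in raw_path.split("/") if s not in ("", ".")]
    path = "/" + "/".join(segments)
    if segments and raw_path.endswith("/"):
        path += "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def host_suffixes(host: str) -> list[str]:
    """The host plus up to four parent domains that still have at least two labels."""
    labels = host.split(".")
    return [host] + [".".join(labels[i:]) for i in range(1, min(len(labels) - 1, 5))]


def path_prefixes(path: str) -> list[str]:
    """The full path with and without its query, then '/' and up to four leading directories."""
    base, _, query = path.partition("?")
    out = [path, base] if query else [base]
    dirs = [s for s in base.split("/") if s]
    if not base.endswith("/"):
        dirs = dirs[:-1]  # the last component is a file, not a directory
    acc = "/"
    for seg in dirs[:4]:
        if acc not in out:
            out.append(acc)
        acc += seg + "/"
    if acc not in out:
        out.append(acc)
    return out


def expressions(url: str) -> list[str]:
    """Every host-suffix/path-prefix combination a threat list might have an entry for."""
    host, path = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


class ThreatListServer:
    """Stand-in provider: holds full hashes only and answers a prefix with every matching full hash."""

    def __init__(self, bad_expressions: list[str]) -> None:
        self.full_hashes = {full_hash(e) for e in bad_expressions}
        self.received: list[bytes] = []  # everything the provider learns from clients

    def prefix_list(self) -> set[bytes]:
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def lookup(self, pfx: bytes) -> set[bytes]:
        self.received.append(pfx)
        return {h for h in self.full_hashes if h.startswith(pfx)}


class Client:
    """Syncs the prefix list; asks the provider only on a prefix hit and compares full hashes locally."""

    def __init__(self, server: ThreatListServer) -> None:
        self.server = server
        self.local_prefixes = server.prefix_list()

    def check(self, url: str) -> tuple[bool, str | None]:
        for expr in expressions(url):
            h = full_hash(expr)
            if h[:PREFIX_LEN] not in self.local_prefixes:
                continue  # the common case: nothing leaves the client
            if h in self.server.lookup(h[:PREFIX_LEN]):
                return True, expr
        return False, None


def recover_from_hash(stored: bytes, candidates: list[str]) -> str | None:
    """Caveat: an unkeyed hash of a full URL is only as private as the URL is unguessable."""
    return next((u for u in candidates if full_hash(u) == stored), None)


if __name__ == "__main__":
    server = ThreatListServer(["malware.example/download/"])  # constructed threat list
    client = Client(server)
    print(client.check("https://www.malware.example/download/setup.exe"))
    print(client.check("https://example.com/"))
    print([p.hex() for p in server.received])  # the provider saw 4-byte prefixes only
```

The privacy property of the lookup comes from two things: most URLs never match a local prefix, so nothing is sent at all, and when something is sent it is a 4-byte prefix that an unbounded number of URLs share, so the provider cannot tell which one was scanned. Stored hashes are a different situation. `recover_from_hash` shows that a plain SHA-256 of a URL is recovered by hashing a list of likely URLs; for data at rest the usual mitigations are a keyed hash (HMAC under a secret the storage layer does not hold) or keeping only a truncated prefix, which is a general design point rather than a statement about how this service stores its scan URLs.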
Infrastructure Security
Our infrastructure is designed with defense-in-depth. Multiple layers of security controls protect every layer of the stack.
AES-256 encryption at rest
All stored data encrypted with AES-256-GCM
TLS 1.3 in transit
All network traffic encrypted with TLS 1.3
Zero-knowledge architecture
Applied wherever technically feasible: data handled this way is encrypted with keys we do not hold, so we cannot read it
99.9% uptime SLA
Guaranteed availability with prorated credit for violations
Multi-region backups
Daily encrypted backups stored across three geographically separated regions
Penetration testing quarterly
Independent third-party pen testing every quarter
Vulnerability Disclosure
We take security vulnerabilities seriously and appreciate the work of the security research community. If you discover a vulnerability in Zoxrim infrastructure, applications, or APIs, please report it to us responsibly.
Responsible Disclosure Process
1. Submit your report. Email [email protected] with a clear description of the vulnerability, reproduction steps, and potential impact.
2. Acknowledgment within 48 hours. We will acknowledge receipt of your report within 48 hours and begin triaging the issue.
3. Fix and remediation. We aim to remediate critical vulnerabilities within 7 days and other issues within 30 days, depending on complexity.
4. Coordinated disclosure. After the fix is deployed, we will coordinate public disclosure with you. The standard window is 90 days from initial report.
Researchers acting in good faith — following this disclosure policy and not accessing, modifying, or deleting user data — will not face legal action from Zoxrim. We reserve the right to take action against actors who do not follow responsible disclosure principles.
