Security

Built so security teams
say yes.

Conversations stored safely. Access role-based. Compliance work underway. Zephlo is engineered so the parts of your business that need to move fast don't get blocked by the parts that need to move carefully.

How your data is protected

Encrypted in transit.
Encrypted at rest.

Conversations encrypted in transit and at rest

Every message between user, Agent, and your dashboard travels over TLS 1.3. At rest, conversation data is encrypted with AES-256. Keys are managed by AWS KMS and rotated automatically. Because the keys live in Zephlo's KMS rather than with you, this protects stored data against loss of the underlying storage; it is not end-to-end encryption in the sense of keys held only by your organization.

Stored safely, segregated by tenant

Each organization's data lives in a logically isolated tenant. Conversations, embeddings, and tool definitions never cross boundaries. Backups are encrypted and access-logged.

Role-based access control

Owners, admins, editors, and viewers: each role has a tightly scoped set of permissions. Invite teammates with the access they need, nothing more. Every privilege change is audited.

No credential proxying

Tools run inside the user's own browser session. Zephlo never sees passwords, tokens, or session cookies. Your users authenticate with you — not with us.

Granular data retention

Set retention windows per organization, per channel. Purge conversations on demand. Export your data anytime in a portable format. We don't hold what you don't want held.

Defense in depth

WAF, rate limiting, anomaly detection, and audit logging across the stack. Production access requires SSO + MFA. Dependencies are continuously scanned for vulnerabilities.

Access control

Role-based,
audited end-to-end.

Every action in Zephlo is gated by role. Every access decision is logged. You know who saw what, who changed what, and when — without piecing it together from disparate systems.

  • SSO via SAML and OIDC (Enterprise)
  • MFA enforced for all dashboard sign-ins
  • Per-role permissions: Owner, Admin, Editor, Viewer
  • Invitation-only org membership with email verification
  • Full audit log of access, role changes, and configuration edits
  • API keys scoped per-environment with one-click rotation

Compliance

Where we are
on the journey.

We're upfront about what's certified, what's in progress, and what's coming. No theatre, no badges we haven't earned.

In progress

SOC 2 Type II

Audit underway. Controls for security, availability, confidentiality, and processing integrity are implemented; we expect attestation in 2026.

In progress

GDPR

Data Processing Agreements available on request. EU data residency options on the roadmap. We act as a processor on behalf of your organization.

In progress

HIPAA

Working toward HIPAA-aligned controls and a signable BAA for healthcare customers. Today, sensitive deployments run in tightly scoped, opt-in environments.

Need a DPA, BAA, or our latest security questionnaire? Reach out — we share what we have, when we have it.

Have a security review?

Send it our way. We'll respond with detailed answers and the latest documentation — usually within a business day.

Contact security