Your data is sensitive. We treat it that way. ioZen runs on SOC 2 Type II certified infrastructure, with field-level encryption, multi-tenant isolation, and granular controls over what AI can and cannot see.
We're transparent about where we are on our compliance journey. Some certifications are inherited from our infrastructure providers; others are still in progress. This page tells you exactly which is which.
Last updated: April 27, 2026
Four principles guide every decision we make about your data.
- Built in from day one, not bolted on after.
- Access only what's needed, nothing more.
- Multiple layers, not single points of failure.
- We tell you what we do and how.
Multiple layers of protection keep your information safe at every stage.
All traffic uses TLS 1.3.
Disk-level encryption provided by AWS via Supabase for all stored data.
Fields explicitly marked Private + Encrypted are stored in Supabase Vault, separate from the main database.
Fields marked Private are stored separately and are never sent to AI models or included in AI context.
Workspaces are isolated using row-level security policies in Supabase, plus application-level workspace checks on every request.
Here's where we actually stand: what's inherited from our providers, what's in progress, and what we don't support yet.
ioZen runs on SOC 2 Type II certified providers (Supabase, Vercel, Cloudflare). ioZen itself is not yet SOC 2 certified; a platform-level audit is on our roadmap.
We follow GDPR principles (privacy by design, data subject rights, DPA available on request) and are working toward full compliance. We are not yet certified; we'll publish our DPIA and Records of Processing as that work progresses.
Our architecture (private and encrypted fields) is designed to support HIPAA workloads in the future, but we do not currently sign BAAs and ioZen should not be used to store or process PHI. Contact us and we'll let you know when it's ready.
We honor 'Do Not Sell' requests and support data access and deletion. Full CCPA program documentation is in progress.
Have compliance documentation requirements? Contact [email protected]
Every layer of our stack is backed by providers with proven security track records.
| Layer | Provider | Certification |
|---|---|---|
| Database | Supabase (PostgreSQL) | SOC 2 Type II |
| Authentication | Supabase Auth | SOC 2 Type II |
| Storage | Supabase Storage | SOC 2 Type II |
| Application & AI | Vercel (Hosting, AI Gateway, Blob Storage) | SOC 2 Type II |
| CDN | Cloudflare | SOC 2 Type II, ISO 27001 |
March 2026 and later releases ship the controls below.
Credits reset per billing period in one atomic operation. Concurrent requests cannot double-reset usage.
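As an added example (not ioZen's code) of why the period reset has to be one atomic, period-keyed operation, the block below runs two concurrent reset requests against an in-memory stand-in for the credits table. A naive implementation that checks the period and then writes in two separate steps lets both requests succeed (a double reset); a version whose precondition and update are a single indivisible step succeeds exactly once. The workspace id, period keys and credit values are constructed sample data.

```typescript
// Added example, not ioZen's code: demonstrating a double-reset race and the
// period-keyed conditional update that prevents it.

interface CreditRow {
  used: number;
  period: string; // billing period key such as "2026-04"; lexically sortable
}

type Store = Map<string, CreditRow>;
const tick = () => new Promise<void>((resolve) => setTimeout(resolve, 0));

// Naive: the check and the write are separated by an await (think two database
// round trips), so a second request can pass the check before the first writes.
async function naiveReset(store: Store, id: string, period: string): Promise<boolean> {
  const row = store.get(id);
  if (!row || row.period >= period) return false;
  await tick();
  row.used = 0;
  row.period = period;
  return true;
}

// Atomic: precondition and update happen in one indivisible step. In SQL this
// is a single conditional statement of the shape
//   UPDATE credits SET used = 0, period = $p WHERE id = $id AND period < $p
// and "a reset happened" is simply whether that statement changed a row.
function atomicReset(store: Store, id: string, period: string): boolean {
  const row = store.get(id);
  if (!row || row.period >= period) return false;
  row.used = 0;
  row.period = period;
  return true;
}

type ResetFn = (store: Store, id: string, period: string) => boolean | Promise<boolean>;

// Fires two concurrent reset requests for the same workspace and counts how
// many of them reported a successful reset. Exactly one is the correct answer.
async function countResets(reset: ResetFn): Promise<number> {
  // Constructed sample row: 40 credits used in the previous period.
  const store: Store = new Map([["ws_1", { used: 40, period: "2026-03" }]]);
  const results = await Promise.all([
    reset(store, "ws_1", "2026-04"),
    reset(store, "ws_1", "2026-04"),
  ]);
  return results.filter(Boolean).length;
}

countResets(naiveReset).then((n) => console.log(`naive resets: ${n}`));   // 2
countResets(atomicReset).then((n) => console.log(`atomic resets: ${n}`)); // 1
```

The property to preserve is that the reset's precondition (stored period older than the new one) is evaluated by the same operation that applies the update; any design that reads the period in one call and writes in another reintroduces the race regardless of how the calls are ordered in application code.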
The public credit status endpoint is rate limited to reduce automated scraping and enumeration.
Unauthenticated requests do not receive exact credit counts or full plan details.
IDs are validated with Zod and CUID rules. Malformed input is rejected before it reaches the database.
A submission stays bound to the IntakeBot that received it. Another bot cannot update it.
Validation error responses do not expose internal schema structure.
The Permissions-Policy header and the iframe allow attribute control whether geolocation is available when ioZen is embedded in a cross-origin iframe.
How we run the platform day to day.
All ioZen team members use SSO with mandatory MFA. Production access follows least-privilege and is logged.
Automatic daily database backups via Supabase. Recovery procedures are tested quarterly.
Dependencies are scanned automatically and our codebase is continuously reviewed by AI for vulnerabilities. Critical findings are addressed within days, not weeks.
An independent penetration test is planned for May 2026.
If a security incident affects customer data, we notify affected customers within 72 hours of confirmation, per GDPR Article 33.
For every field in your FlowApp, you decide how it's stored and whether AI can access it.
| Field setting | AI access | Storage | Best for |
|---|---|---|---|
| Normal | Full | Normal database | Most fields |
| Private | Never | Separate table | PII, sensitive info |
| Private + Encrypted | Never | Encrypted vault | SSN, medical, financial |
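To make the three settings concrete, the block below is an added example (not ioZen's code) that routes each submitted value according to its field setting: Normal values go to the main row and to the context an AI model may see, Private values go to a separate store, and Private + Encrypted values go to a vault store, with the AI context built only from Normal fields. The stores are in-memory stand-ins, the schema and submission are constructed sample data, and a value for a field that is not in the schema is dropped rather than stored, since it has no declared setting.

```typescript
// Added example, not ioZen's code: partition a submission by field setting so
// that Private and Private + Encrypted values never reach the AI context.

type FieldSetting = "normal" | "private" | "private_encrypted";

interface FieldDef {
  name: string;
  setting: FieldSetting;
}

interface Routed {
  main: Record<string, string>;         // normal database row
  privateTable: Record<string, string>; // separate table, never sent to AI
  vault: Record<string, string>;        // values handed to the encrypted vault
  aiContext: Record<string, string>;    // the only slice an AI model may see
  dropped: string[];                    // fields not declared in the schema
}

function routeSubmission(schema: FieldDef[], values: Record<string, string>): Routed {
  const byName = new Map(schema.map((f) => [f.name, f] as const));
  const out: Routed = { main: {}, privateTable: {}, vault: {}, aiContext: {}, dropped: [] };

  for (const [name, value] of Object.entries(values)) {
    const def = byName.get(name);
    if (!def) {
      // Fail closed: no declared setting means the value is stored nowhere.
      out.dropped.push(name);
      continue;
    }
    switch (def.setting) {
      case "normal":
        out.main[name] = value;
        out.aiContext[name] = value;
        break;
      case "private":
        out.privateTable[name] = value;
        break;
      case "private_encrypted":
        out.vault[name] = value;
        break;
    }
  }
  return out;
}

// Guard at the AI boundary: true only if every key in the context is a Normal field.
function isAiSafe(schema: FieldDef[], context: Record<string, string>): boolean {
  const allowed = new Set(schema.filter((f) => f.setting === "normal").map((f) => f.name));
  return Object.keys(context).every((k) => allowed.has(k));
}

// Constructed sample schema and submission.
const sampleSchema: FieldDef[] = [
  { name: "company", setting: "normal" },
  { name: "need", setting: "normal" },
  { name: "email", setting: "private" },
  { name: "ssn", setting: "private_encrypted" },
];

const sampleValues: Record<string, string> = {
  company: "Example Co",
  need: "Replace spreadsheet intake",
  email: "jane@example.com",
  ssn: "000-00-0000",
  extra: "not in schema",
};

const routed = routeSubmission(sampleSchema, sampleValues);
console.log(Object.keys(routed.aiContext)); // ["company", "need"]
console.log(isAiSafe(sampleSchema, routed.aiContext)); // true
```

The second function is the check worth keeping independent of the router: whatever code assembles a prompt should pass its context through a guard that knows the schema, so that a later refactor of the routing logic cannot silently widen what the model sees.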
Found a security issue? We welcome responsible disclosure.
Email [email protected] with details. We acknowledge within 2 business days.
Please give us reasonable time to remediate before public disclosure. We do not currently offer a paid bug bounty, but we publicly credit researchers (with permission).
A machine-readable disclosure policy is available at /.well-known/security.txt.
Not yet. Our infrastructure providers (Supabase, Vercel, Cloudflare) are SOC 2 Type II certified; an ioZen platform-level audit is on our roadmap. We share our security questionnaire on request. Email [email protected].
Not today. Our architecture is designed to support HIPAA workloads, but we do not sign BAAs and ioZen should not be used to store or process PHI. Contact us to be notified when HIPAA support ships.
Data is stored in Supabase's infrastructure (AWS, US regions by default). Contact us if you have specific region requirements.
No. Private fields are never sent to AI models. AI requests are routed through Vercel AI Gateway to providers like OpenAI, Anthropic, Google, and xAI, but only for fields you choose. You control which fields use AI and which stay completely isolated.
Yes. Workspace deletion requests are completed within 30 days of receipt. Contact support to initiate.
No. Never. Your data is yours. Period.
Security review, compliance docs, or questionnaire? We can help.