Security – sanzen.ai

Program overview

Least‑privilege by default: production access limited to a small on‑call group; access reviewed regularly.
Segregated environments: development, staging, and production are separated; no live data in lower environments without explicit, time‑boxed approval.
Auditability: administrative actions in production are logged.
Vendor diligence: we use reputable infrastructure and model providers under DPAs; see Subprocessors.

Data classification & handling

Classes

Public: marketing site content.
Internal: non‑public operational docs and metrics.
Confidential: account/billing/contact details.
Workspace Content: your session inputs, uploaded docs, transcripts, and outputs. Treated as confidential and access‑controlled.

Workspace Content is used only to deliver the features you choose (e.g., saving transcripts) as described in our Privacy Policy.

Encryption

In transit: TLS 1.2+ (TLS 1.3 preferred) for all client‑to‑service traffic.
At rest: industry‑standard encryption (e.g., AES‑256) for supported storage services.
Key management: keys managed by our cloud provider KMS; access limited and logged.

Access controls

Staff access: MFA required for internal admin systems; production access is role‑based and time‑boxed.
Customer controls: you control what content to upload, save, or delete; workspace admins can set retention rules where available.
Secrets: application secrets stored in a secure secrets manager; rotation on change and after incidents.

Application security (SDLC)

Code review: changes require review before merge; CI runs static checks.
Dependencies: vulnerability scanning and prompt patching for critical issues.
Infrastructure as code: reproducible config for consistency and auditability.
Privacy by design: features default to minimal data collection and explicit opt‑ins.

Vulnerability management

Scanning: automated scans for known issues in code and containers.
Triage SLAs (targets): Critical – 24h; High – 7d; Medium – 30d; Low – 90d.
Testing: periodic third‑party security testing; summary available to customers under NDA.

Incident response

On‑call rotation: engineers can respond 24/7 to security and availability incidents.
Plan: detect → contain → eradicate → recover → post‑mortem with action items.
Notification: if personal data is impacted, we’ll notify affected customers without undue delay and meet applicable legal timelines (e.g., GDPR 72‑hour regulator notice).

Availability & backups

Backups: encrypted backups for core data stores; restoration procedures tested periodically.
Resilience: deployment practices designed to avoid single points of failure where feasible.
RTO/RPO: targets vary by component; details available to enterprise customers under NDA.

Subprocessors & data location

We use third‑party processors to operate the service (e.g., hosting, email, model providers). Data may be processed in the United States and other countries where we or our processors operate. For international transfers from the EEA/UK, we use lawful transfer mechanisms. See also the Privacy Policy.

Subprocessors & data location

Name	Purpose	Data categories	Location	DPA/Terms
OpenAI	Model inference (GPT models) for chat/completions	Prompts, outputs; no training on API data; 30-day zero retention	USA (global transfers per SCCs)	Link
xAI (Grok API)	Model inference (Grok models) for chat/completions	Prompts, outputs; minimal request metadata; no training on User Content; 30-day deletion window	USA (global transfers per SCCs)	Link
Groq (GroqCloud)	LPU inference platform used to run open-weight models	Prompts & outputs processed for inference; not permanently retained or used for training per ToS	USA (may operate globally)	Link
Cerebras	Inference-as-a-service	User Content processed to provide the service; not used to train models; usage telemetry excluding User Content	USA	Link
SambaNova	Model hosting / inference	Customer Content processed to provide the service; service usage data (no Customer Content) for improvement	USA	Link
Akamai Connected Cloud (Linode)	Application hosting: compute, block/object storage, backups, networking	Account & billing data, logs/metrics, encrypted app data at rest/in transit; support ticket metadata if you open cases	Global regions (customer-selected); international transfers under SCCs/DPF	Link
Akamai CDN / Prolexic	CDN, DNS, WAF, DDoS protection and edge caching	IP addresses, request headers, TLS metadata, cached assets, security logs/events	Global edge network; international transfers under SCCs/DPF	Link

Compliance posture

We don’t make certification claims we can’t prove. If you need a security questionnaire, DPA, or control mapping (e.g., SOC 2/ISO27001 alignment), contact security@sanzen.ai.

Responsible disclosure

How to report

Email security@sanzen.ai with a clear description, steps to reproduce, and any screenshots or PoC. Please avoid accessing other users’ data.

Safe harbor

If you make a good‑faith effort to follow this policy, we won’t pursue legal action or refer matters to law enforcement. This includes:

No exfiltration, disruption, or privacy violations.
No social engineering of our staff or customers.
No DDoS, spam, or physical attacks.
Respect rate limits and only test against your own accounts.

Our commitment

Acknowledge within 72 hours.
Provide status updates at reasonable intervals.
Coordinate public disclosure if needed after a fix.

We don’t currently run a public bug bounty. If your report leads to a meaningful fix, we’re happy to discuss recognition.

security.txt

Published at /.well-known/security.txt to make reporting easy:

Contact: mailto:security@sanzen.ai
Policy: https://sanzen.ai/security.html#disclosure
Expires: 2026-08-12
Preferred-Languages: en
Canonical: https://sanzen.ai/.well-known/security.txt

Contact

Security: security@sanzen.ai
General: contact@sanzen.ai

For privacy questions, see the Privacy Policy.