Security & data handling
This page is the technical answer to “what does Zubby do with my data?”. It complements the legal privacy policy and our security overview. If your security team needs a deeper artifact (DPA, sub-processor list, SOC 2 report), email security@zubbyai.com.
Encryption
- In transit — TLS 1.2+ everywhere. HTTPS-only cookies, HSTS preload on
zubbyai.comand the API domain. - At rest — AES-256 on the database (Postgres) and on object storage (uploaded files, exports). Backups are encrypted with separate keys.
- Application-level — store access tokens (Shopify, WooCommerce, third-party connectors) are encrypted with a per- tenant key derived from a master KMS key.
Tenant isolation
All data is keyed by store_id. Every database query threads the store context; we use row-level isolation to make cross-tenant reads physically impossible from application code. Background workers carry the store context through the job payload.
Data residency
Three regions: US-East (default), EU (Frankfurt), AU (Sydney). Choose at workspace creation; switching regions later is a data migration we run manually within 30 days. The widget loader is served from a global CDN; your application data never leaves your chosen region.
Retention
| Data class | Default retention | Configurable |
|---|---|---|
| Conversations | 12 months | 1 / 3 / 6 / 12 / 24 months |
| Shopper profiles | While workspace is active | Trigger redaction via API or webhook |
| Catalog data | While store is connected | Cleared on disconnect |
| Aggregated analytics | Indefinite (no PII) | — |
| Audit logs | 24 months | Up to 7 years on Enterprise |
Short retention is fine
GDPR & CCPA
Shopper-initiated data requests propagate through standard webhooks:
- Shopify —
customers/data_request,customers/redact,shop/redact. Processed automatically on the timelines Shopify mandates. - WooCommerce — the plugin exposes equivalent hooks and forwards them to Zubby.
- Native — your support team can trigger deletion / export from a profile page.
For workspace-level DPAs, see Settings → Compliance → DPA. Zubby’s standard DPA is GDPR Article 28-compliant and signable in-app for non-Enterprise plans.
Sub-processors
We list every sub-processor at /security. The current list:
- AWS — primary hosting (US-East, EU-Central, AP-Southeast).
- OpenAI, Anthropic, Azure OpenAI, Google Gemini — AI providers.
- Postmark / Resend — transactional email.
- Twilio — SMS, WhatsApp.
- Stripe — billing.
- Cloudflare — CDN and DDoS protection.
- Sentry — error tracking (no PII).
SOC 2 status
SOC 2 Type I report issued for the period ending 2025-12-31. Type II observation window is in progress; expected issuance Q3 2026. Request the current report from security@zubbyai.com under MNDA.
Vulnerability disclosure
Report security issues to security@zubbyai.com. PGP key available on request. We respond within one business day, fix critical vulnerabilities within 7 days, and publish a postmortem for anything that affected customer data.
API key hygiene
Public API keys are scoped per store. Best practices:
- Rotate keys every 90 days from
Settings → API keys → Rotate. - Store keys in a real secret manager (1Password, AWS Secrets Manager, GCP Secret Manager) — never in source control.
- Revoke immediately if a teammate with key access leaves.
- Use the audit log to investigate suspicious activity.
Authentication
- Standard — email + password with bcrypt-hashed credentials, optional TOTP 2FA.
- SSO — Google, Microsoft Entra, Okta, generic SAML 2.0 on Enterprise.
- Session — short-lived JWTs in HttpOnly cookies.
Penetration testing
Annual external pen tests by a CREST-accredited firm. Latest report available under MNDA. We also run continuous DAST + SAST in CI.
Insurance
Zubby carries cyber liability and E&O insurance through a major US carrier. Coverage details available to procurement teams on request.