Last updated: April 3, 2026
Security Dashboard
A customer-ready overview of Zentrik's security and privacy posture for diligence and procurement reviews. This page is informational. Contractual commitments are in the Order Form, Terms, and any executed DPA.
Quick answers
| Topic | Status | Details |
|---|---|---|
| Public model training | No | Customer data is not used to train public AI models. Private-model options may be available by request and configuration. |
| SOC 2 status | In progress | Zentrik's SOC 2 Type II program is in progress using Vanta; audit engagement initiated January 7, 2026. |
| Encryption | TLS 1.2+ / at rest | TLS 1.2+ in transit and provider-managed encryption at rest for Postgres and object storage. |
| Backups and export | 30-day SLA | Encrypted nightly backups with 5-day retention (rolling). One-time export or deletion requests are completed within 30 days of a verified request. |
Program evidence: Vanta Trust Center | Audit engagement letter
Access controls
- Workspace access is enforced at the application layer by membership checks on workspace-scoped routes.
- Role-based access control governs privileged actions (Owner, Admin, Viewer).
- Least-privilege access for production credentials and admin tooling.
- Access logs are retained for at least 90 days.
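The membership-then-role check described above, as an added illustration that is not Zentrik's own code: a deny-by-default authorizer for workspace-scoped routes that first confirms the caller is a member of the requested workspace (a role in another workspace grants nothing) and only then applies the Owner/Admin/Viewer role gate, recording every decision for the access log. The membership table, action names and log format are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    VIEWER = "viewer"

# Constructed sample membership table: (workspace_id, user_id) -> role.
# In a real service this lookup is the membership check on the route.
MEMBERSHIPS: Dict[Tuple[str, str], Role] = {
    ("ws_alpha", "u_alice"): Role.OWNER,
    ("ws_alpha", "u_bob"): Role.ADMIN,
    ("ws_alpha", "u_carol"): Role.VIEWER,
    ("ws_beta", "u_dave"): Role.OWNER,
}

# Hypothetical action names; each maps to the roles allowed to perform it.
ACTION_ROLES: Dict[str, FrozenSet[Role]] = {
    "document.read": frozenset({Role.OWNER, Role.ADMIN, Role.VIEWER}),
    "member.invite": frozenset({Role.OWNER, Role.ADMIN}),
    "workspace.delete": frozenset({Role.OWNER}),
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str            # ok | not_a_member | unknown_action | insufficient_role
    role: Optional[Role]   # role the caller holds in this workspace, if any

# In-memory stand-in for the retained access log.
ACCESS_LOG: List[dict] = []

def authorize(user_id: str, workspace_id: str, action: str) -> Decision:
    """Deny by default: membership is checked before any role logic runs."""
    role = MEMBERSHIPS.get((workspace_id, user_id))
    if role is None:
        decision = Decision(False, "not_a_member", None)
    elif action not in ACTION_ROLES:
        # Unknown actions are denied rather than silently allowed.
        decision = Decision(False, "unknown_action", role)
    elif role not in ACTION_ROLES[action]:
        decision = Decision(False, "insufficient_role", role)
    else:
        decision = Decision(True, "ok", role)
    ACCESS_LOG.append({"user": user_id, "workspace": workspace_id,
                       "action": action, "allowed": decision.allowed,
                       "reason": decision.reason})
    return decision
```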
Processing scope
- Hosting, storage, and collaborative editing of Workspace Data.
- AI-assisted content generation and workflow assistance.
- Product analytics limited to usage and event telemetry; for authenticated users this may include account identifiers.
- Support, maintenance, security monitoring, and service improvement as permitted by the Terms and any executed DPA.
Data protection and recovery
- Nightly encrypted snapshots retained for 5 days and purged by rotation.
- Target recovery time objective (RTO): 2 business days for incidents caused by Zentrik.
- Target recovery point objective (RPO): time of last successful snapshot.
Security monitoring
- Integrated monitoring of application dependencies for known vulnerabilities, with defined triage and ownership.
- Automated checks in our build pipeline—including scheduled verification—that block critical-severity dependency or container-definition issues when those surfaces change.
- Remediation targets: critical within 7 days; high within 30 days where feasible.
For security questionnaires or implementation detail (tooling, cadence, evidence), contact security@zentrik.ai.
AI usage and training policy
- Customer data is not used to train public AI models.
- AI providers are accessed via API (OpenAI, Anthropic, and Google services if enabled).
- Processing locations may depend on provider capabilities and Customer configuration.
- Private-model options may be available by request and configuration.
Analytics and telemetry
Product analytics is limited to usage/event telemetry and may include account-level identifiers for authenticated users (for example, user ID and email). We do not intentionally send Workspace content to analytics.
Incident response
We maintain a written incident response playbook and an escalation process. Customers are notified of confirmed personal data breaches without undue delay and, where required by law, within 72 hours of awareness.
Security: security@zentrik.ai | Privacy: privacy@zentrik.ai
Processing locations and infrastructure (current)
| Component | Provider | Region | Notes |
|---|---|---|---|
| Database | Fly.io managed Postgres | sjc (US) | Primary relational data store for workspace data. |
| Hosting | Fly.io machines | mad (EU) and sjc (US) | Application runtime and service infrastructure. |
| Object storage | AWS S3 | us-east-2 (US) | Attachments and related metadata. |
| AI provider processing | OpenAI / Anthropic / Google services (if enabled) | Provider-dependent | Typically via US-based API endpoints where supported, subject to provider capabilities and configuration. |
International transfers
Where applicable, Zentrik can execute a DPA on request that includes standard transfer terms such as the EU Standard Contractual Clauses and the UK IDTA. Supplementary measures may include encryption in transit and at rest, access controls, and a government request handling process.
Audit and questionnaires
Zentrik supports reasonable security questionnaires. Remote evidence review and additional materials may be available on request and, where applicable, under NDA. Any audit rights are governed by the Terms and any executed DPA.
Sub-processors
The current list of approved Sub-processors and our change-notification policy are available at https://zentrik.ai/sub-processors.
Questions
For security or privacy questions, contact security@zentrik.ai or privacy@zentrik.ai.
Related legal pages
Review the complete legal set for contractual, privacy, and security context.
Company legal contact
Zentrik Company
490 Post St, Ste 500, PMB 2017
San Francisco, CA 94102, USA
Legal: legal@zentrik.ai | Privacy: privacy@zentrik.ai | Security: security@zentrik.ai