How we think about security
Four principles guide every decision we make about your data.
Security by design
Built in from day one, not bolted on after.
Least privilege
Access only what's needed, nothing more.
Defense in depth
Multiple layers, not single points of failure.
Transparency
We tell you what we do and how.
Your data, protected
Multiple layers of protection keep your information safe at every stage.
Encryption in transit
All data encrypted via TLS 1.3.
Encryption at rest
Database encryption by default (AES-256).
Private fields
Sensitive data stored separately, never exposed to AI.
Encrypted fields
Highest sensitivity data lives in Supabase Vault.
Multi-tenant isolation
Your data is yours. Complete workspace separation.
Compliance-ready
Whether you need GDPR, HIPAA, or SOC 2 compliance, ioZen has you covered.
GDPR
Privacy by design, data subject rights, DPA available, jurisdiction-specific disclosures. Working toward full compliance.
HIPAA
Private and encrypted fields available. BAA upon request. Full certification planned.
SOC 2
Built on SOC 2 Type II certified infrastructure (Supabase, Vercel, Cloudflare). Platform-level audit planned.
CCPA
Do Not Sell policy, data access and deletion supported. Working toward full compliance.
Need a BAA or specific compliance documentation? Contact security@iozen.ai
Built on trusted infrastructure
Every layer of our stack is backed by providers with proven security track records.
| Layer | Provider | Certification |
|---|---|---|
| Database | Supabase (PostgreSQL) | SOC 2 Type II |
| Authentication | Supabase Auth | SOC 2 Type II |
| Storage | Supabase Storage | SOC 2 Type II |
| Hosting | Vercel | SOC 2 Type II |
| CDN | Cloudflare | SOC 2 Type II, ISO 27001 |
You control the sensitivity
For every field in your FlowApp, you decide how it's stored and whether AI can access it.
| AI access | Storage | Best for |
|---|---|---|
| Full | Normal database | Most fields |
| Never | Separate table | PII, sensitive info |
| Never | Encrypted vault | SSN, medical, financial |
Frequently asked questions
Is ioZen HIPAA compliant?
Yes. With private and encrypted fields plus our BAA, you can collect PHI safely. Contact us for BAA details.
Where is data stored?
Data is stored in Supabase's infrastructure (AWS, US regions by default). Contact us if you have specific region requirements.
Does AI see all my data?
No. Private fields are never sent to AI models. AI requests are routed through Vercel AI Gateway to providers like OpenAI, Anthropic, Google, and xAI, but only for fields you choose. You control which fields use AI and which stay completely isolated.
Can I delete all my data?
Yes. Full data deletion is available at any time. Contact support for workspace-level deletion.
Do you sell data?
No. Never. Your data is yours. Period.
Questions about security?
Our team is here to help with security reviews, compliance documentation, and BAA requests.