Multiple layers of protection at every level of the stack.
All data is encrypted at rest using AES-256 via Supabase (AWS infrastructure). All data in transit is protected by TLS 1.2+. OAuth integration tokens receive an additional layer of application-level encryption using AES-256-GCM before storage.
Every database query is scoped to the authenticated user via PostgreSQL Row-Level Security (RLS). This is enforced at the database engine level, not the application level—meaning even application bugs cannot leak data across accounts. Workspace data is further scoped via team-based RLS policies.
Zealos runs on Vercel’s edge network (SOC 2 Type II, ISO 27001) with automatic HTTPS, DDoS protection, and global CDN. Our database is hosted on Supabase (SOC 2 Type II), powered by AWS infrastructure with automated backups and point-in-time recovery.
Authentication is powered by Supabase Auth with secure, HttpOnly session cookies and PKCE flow. All OAuth integrations use CSRF-protected state parameters with HMAC-SHA256 signing. Webhook endpoints verify cryptographic signatures from their respective providers.
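The following is an added example, not Zealos's own code: one way an OAuth `state` parameter signed with HMAC-SHA256, as described above, can be issued before the redirect and checked in the callback. The function names, the binding to a session id, and the 10-minute validity window are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const MAX_AGE_MS = 10 * 60 * 1000; // assumed 10-minute validity window

const b64url = (data) => Buffer.from(data).toString('base64url');

// The MAC covers the payload AND the caller's session id, so a state value
// minted for one browser session fails verification in any other session.
// The session id itself never appears in the URL.
function mac(key, payload, sessionId) {
  return crypto.createHmac('sha256', key).update(`${payload}.${sessionId}`).digest();
}

// Called before redirecting the user to the OAuth provider.
function issueState(key, sessionId, now = Date.now()) {
  const nonce = b64url(crypto.randomBytes(16));
  const payload = b64url(JSON.stringify({ nonce, iat: now }));
  return `${payload}.${b64url(mac(key, payload, sessionId))}`;
}

// Called in the OAuth callback, before the authorization code is exchanged.
function verifyState(key, state, sessionId, now = Date.now()) {
  const parts = typeof state === 'string' ? state.split('.') : [];
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, tag] = parts;
  const given = Buffer.from(tag, 'base64url');
  const expected = mac(key, payload, sessionId);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Parse only after the tag checks out: the payload is now known to be ours.
  const { iat } = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (iat > now || now - iat > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'valid' };
}

// Constructed demo values: a random key and made-up session ids.
const demoKey = crypto.randomBytes(32);
const state = issueState(demoKey, 'session-A');
console.log(verifyState(demoKey, state, 'session-A')); // same session
console.log(verifyState(demoKey, state, 'session-B')); // different session
```

A signed state on its own can be replayed within its validity window; making it single-use requires recording the nonce server-side, which this sketch leaves out.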
When you use Zealos's AI features, relevant context from your connected accounts is sent to our AI providers via their APIs. Here's what you should know:
Your data is never used to train AI models. All of our AI providers explicitly confirm that data sent via their commercial APIs is not used for model training. See Anthropic Trust Center, OpenAI Enterprise Privacy, Google Cloud DPA, and Supabase Privacy Policy.
AI processing is stateless. Your data is sent, processed, and returned—providers do not retain your content beyond the API request lifecycle.
You control what’s connected. You choose which accounts to connect, and you can disconnect any integration at any time from Settings.
Embeddings are stored in your database. Semantic search indexes are generated and stored in your own isolated Supabase database using pgvector—not in a separate third-party vector service.
Every vendor in our stack maintains independent security certifications.
OAuth, API Integrations: SOC 2 Type II, ISO 27001
Embeddings: SOC 2 Type II, ISO 27001
AI Processing (Claude): SOC 2 Type II, ISO 27001
Payment Processing: SOC 2 Type II, PCI DSS Level 1
Application Hosting: SOC 2 Type II, ISO 27001
Database, Auth, Storage: SOC 2 Type II
We're building Zealos for teams that handle sensitive business data. Here's where we are and where we're headed.
All infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications.
Database-level tenant isolation, encryption at rest and in transit, webhook signature verification, CSRF protection.
Published and available at Privacy Policy and Terms of Service.
Actively pursuing SOC 2 Type II certification for Delusional, Inc. Expected completion: Q4 2026.
If you discover a security vulnerability, please report it to security@delusional.gg. We'll acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
We appreciate responsible disclosure and will not take legal action against researchers who report vulnerabilities in good faith.
If you're evaluating Zealos for your organization and need additional security documentation, a completed security questionnaire, or a Data Processing Agreement, reach out to security@delusional.gg.