Skip to main content
Zenfox.ai

Data Safety and Integrity Policy

Version 2.0 · Last Updated: April 12, 2026 · Applies to: All Zenfox Services

CASA Tier 2 Certified

Zenfox is CASA Tier 2 certified. Our security practices are independently assessed.

Learn about CASA certification →

1. Introduction

This Data Safety and Integrity Policy outlines how Zenfox protects user data, ensures data integrity, and maintains transparency regarding AI processing, third-party integrations, and security practices.

Key Principles:

  • User data is never used to train AI models without explicit consent
  • Data is encrypted in transit and at rest
  • Users retain full ownership of their data
  • Transparency in all data processing activities

2. AI Model and Training

2.1 Model Architecture

Primary Model: Zenfox Eternity

  • Base Model: Open-source foundation model (1 trillion parameters)
  • Post-Training: Custom fine-tuning specifically for user privacy protection, data security protocols, tool calling and agentic workflows, and multi-language proficiency
  • Hosting: Self-hosted infrastructure (not via third-party APIs)
  • Data Retention: Zero data retention for model inference — inputs are processed in real-time and not stored for model improvement

2.2 No Training on User Data

Explicit Prohibition:

  • User conversations, files, and data are NEVER used to train or fine-tune Zenfox Eternity
  • No data is retained for model retraining purposes
  • Each inference request is stateless and ephemeral

2.3 Fallback Models

For specific specialised tasks, Zenfox may route to external models:

ProviderPurposeData Retention Policy
Zenfox Eternity (Primary)General queries, tool calling, reasoningZero retention — ephemeral processing
Anthropic ClaudeComputer useZero retention (enterprise opt-out)
IdeogramImage generation30 days for service improvement (no PII)
ElevenLabsText-to-speechEphemeral — no storage
DeepgramSpeech-to-textEphemeral — no storage

Important: When external models are used, data is transmitted via encrypted channels and subject to the provider's retention policies above. No user data is retained by Zenfox for these operations.

3. Data Collection and Storage

3.1 What We Store

User-Generated Content:

  • Notes, todos, and files uploaded to Zenfox
  • Conversation history (for continuity across sessions)
  • Calendar events and emails accessed through integrations
  • Memories explicitly created by the user
  • Project configurations and settings

Technical Data:

  • Authentication tokens (encrypted)
  • Integration credentials (encrypted with AES-256)
  • Usage analytics (anonymised)
  • Error logs (no PII)

3.2 What We Do NOT Store

  • Raw AI model inputs/outputs (ephemeral processing)
  • Third-party service data beyond what the user explicitly saves
  • Biometric data (voice recordings are processed in real-time, not stored)
  • Payment information (handled by Stripe, never touches our servers)

3.3 Data Retention Periods

Data TypeRetention PeriodNotes
Active user dataIndefinite (while account active)User-controlled deletion
Deleted user data30 daysSecure wipe after grace period
Analytics90 daysAnonymised only
Error logs7 daysRotated automatically
AI inference logs0 daysNot stored
Integration tokensUntil revokedEncrypted at rest

4. Data Security Measures

4.1 Encryption

In Transit:

  • TLS 1.3 for all API communications
  • End-to-end encryption for sensitive operations

At Rest:

  • AES-256 encryption for all stored data
  • Database encryption with rotating keys
  • Encrypted backups in geographically distributed regions

4.2 Access Controls

  • Role-based access control (RBAC) for staff
  • Zero-trust architecture — no implicit trust
  • Multi-factor authentication required for all admin access
  • Regular access audits and least-privilege enforcement

4.3 Infrastructure Security

  • SOC 2 Type II certified data centres
  • Regular penetration testing (quarterly)
  • Automated vulnerability scanning
  • DDoS protection and rate limiting
  • Network segmentation and micro-segmentation

5. Data Integrity

5.1 Backup and Recovery

  • Frequency: Continuous replication + daily snapshots
  • Retention: 30 days of point-in-time recovery
  • Testing: Monthly disaster recovery drills
  • Geographic Distribution: Multi-region redundancy

5.2 Data Validation

  • Checksums for all stored files
  • Automated integrity scans (daily)
  • Version control for document changes
  • Corruption detection and auto-repair

5.3 User Control

Users can at any time:

  • Export all their data (GDPR-compliant format)
  • Delete specific items or their entire account
  • Revoke integration access
  • Request data audit logs

6. Third-Party Integrations

6.1 Integration Security

When you connect third-party services (Gmail, Slack, Notion, etc.):

  • OAuth tokens: Stored encrypted, never exposed in logs
  • Scope limitation: Minimum required permissions only
  • Revocation: Instant token invalidation on disconnect
  • Monitoring: Anomaly detection on API usage

6.2 Provider Accountability

All third-party providers are vetted for:

  • SOC 2 or ISO 27001 certification
  • GDPR/CCPA compliance
  • Published data retention policies
  • No unauthorised AI training on shared data

7. Compliance and Certifications

7.1 Regulatory Compliance

  • GDPR: Full compliance — data portability, right to erasure, DPO contact available
  • CCPA: California privacy rights honoured for all users
  • SOC 2 Type II: Audited security controls (report available on request)

7.2 Data Localisation

Users can choose where their data is stored at signup: United Kingdom, Canada, United States, or Singapore.

8. Incident Response

8.1 Breach Protocol

In the unlikely event of a data breach:

  1. Detection: Automated monitoring (mean time to detect: <5 minutes)
  2. Containment: Immediate isolation (target: <30 minutes)
  3. Assessment: Impact analysis and classification
  4. Notification: Affected users notified within 72 hours (GDPR compliant)
  5. Remediation: Root cause fix and preventive measures

8.2 User Notification

  • Email notification to affected users
  • In-app security alerts
  • Public status page updates
  • Direct support channel for inquiries

9. Policy Updates

This policy is reviewed quarterly. Changes are:

  • Communicated via email 30 days in advance
  • Posted in-app with version history
  • Never retroactive — changes only apply to future data processing

10. Contact

Data Protection Officer: privacy@zenfox.ai Security Team: security@zenfox.ai Bug Bounty: security@zenfox.ai (responsible disclosure is rewarded)

For urgent security issues, include "SECURITY" in the subject line.

Document Control: Version 2.0 · Approved by Security Team · Next Review: July 12, 2026

This policy is part of our broader legal framework. See also: Privacy Policy, Terms of Service, and Fair Use Policy.