Security at D-Zero AI
We take the security of your business data seriously. Here's how we protect it.
1. Security Overview
Security is built into every layer of the D-Zero AI platform. We follow industry best practices for application security, data protection, and access management. This page provides transparency about our security posture so you can make informed decisions about using our Service.
Our security programme covers: secure development practices, data encryption, access controls, infrastructure hardening, incident response, and regular security reviews.
2. Data Protection
Data in transit: All communications between clients and our servers are encrypted using TLS 1.3. We enforce HTTPS across all endpoints and redirect HTTP traffic automatically.
Data at rest: Your business data, conversation records, and account information are stored in PostgreSQL databases hosted on Neon's serverless platform, which provides encryption at rest by default.
Password security: Passwords are never stored in plaintext. We hash them using bcrypt with a cost factor of 12 (12 salt rounds), a widely accepted standard that makes brute-force attacks computationally expensive.
Sensitive credentials: API keys, database connection strings, and third-party service tokens are stored as environment variables, never committed to source code.
3. Authentication & Sessions
D-Zero AI uses NextAuth v5 (Auth.js) for authentication. Sessions are implemented as signed JWTs containing only the minimum necessary user information (ID, role, status). Tokens are signed with a secure secret and expire after a limited period.
All dashboard and admin routes are protected by middleware that validates session tokens on every request. Users with a PENDING or REJECTED status cannot access protected routes regardless of token validity.
Admin access is strictly role-gated. Regular users cannot access any admin endpoints or pages.
4. Infrastructure Security
Our platform runs on Vercel, a production-grade hosting platform that provides:
- Automatic DDoS mitigation and edge-level protection
- Isolated serverless function execution environments
- Automatic TLS certificate provisioning and renewal
- 99.99% uptime SLA with global edge distribution
- Zero-downtime deployments
Our database is hosted on Neon, a serverless PostgreSQL provider with:
- Encryption at rest using AES-256
- Automatic backups with point-in-time recovery
- Network isolation and VPC-level security
- SOC 2 Type II compliance
5. Third-Party Services
We rely on the following security-vetted third-party providers:
- ElevenLabs: Handles AI conversation processing. Data is processed per their enterprise security policies.
- OpenAI: Used for generating response guidelines. Data submitted is governed by OpenAI's data processing terms.
- Resend: Handles transactional emails with TLS-encrypted delivery.
- UploadThing: Manages file uploads with access controls and signed URLs.
All third-party providers are selected based on their security certifications, data processing agreements, and privacy standards.
6. Incident Response
We maintain an incident response process to handle security events quickly and effectively:
- Detection: Automated alerts for anomalous activity, failed authentication attempts, and unusual data access patterns
- Containment: Rapid isolation of affected systems and revocation of compromised credentials
- Notification: Affected users will be notified within 72 hours of a confirmed data breach, as required by the NDPR
- Recovery: Restoration from backups and a post-incident review to prevent recurrence
In the event of a security incident affecting your data, we will contact you directly at your registered email address.
7. Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in our platform, please report it privately before public disclosure to give us time to address it.
To report a security issue: Email us at support@dailzero.com with the subject line "Security Disclosure". Include a description of the vulnerability, steps to reproduce, and your contact information. We will acknowledge receipt within 48 hours and aim to provide a fix within 30 days for critical issues.
We ask that you:
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service attacks
- Do not publicly disclose the vulnerability before we've had a chance to fix it
- Act in good faith to avoid harm to the platform and its users
8. Contact
For security-related questions or to report a vulnerability:
- Email: support@dailzero.com
- Subject line: "Security Disclosure" or "Security Question"