Data retention policy

What Zoza Vault stores. What we never see. How long we keep metadata. The sub-processor list. The DPA template.

✓ Zero-plaintext guarantee

Zoza Vault never sees plaintext field values. Our backend receives only ciphertext sealed to your app's public key. We cannot decrypt payloads we route, log, or back up. This is enforced by cryptography, not policy.

What we store

Data class	Purpose	Retention
App metadata id, name, api_key_hash, public_key, private_key, active flag, created_at, decrypt count	Authenticate API calls; rate-limit; serve public-key lookups to browsers	For the life of the account + 90 days after deletion request
Application queue company, email, website, use_case, use_case_details, volume_tier, plan_requested, status, submitter_ip, created_at	B2B apply workflow; admin approve/reject; abuse rate-limiting	12 months after approval/rejection decision
Request logs timestamp, app_id, endpoint, status code, bytes in/out, response time, Fly-Client-IP	Incident response, billing usage metering, abuse detection	30 days rolling; aggregated metrics retained indefinitely
Audit log (planned v0.2) hash-chained entries: app register, app rotate, application approve/reject, admin token use	Transparency; tamper-evident record of admin actions	Indefinite — append-only, cannot be deleted

What we never store

Plaintext field values. Never received, never logged, never backed up. Ciphertext-only in transit and at rest.
User-level PII. Vault has no concept of "end users" — only B2B customer apps. The end-user relationship belongs to our customer.
Request body contents beyond the sealed payload. Our access logs record status codes and byte counts, not the payload itself.
Sentry / Datadog / New Relic captures. We've disabled request-body capture in every APM we run.

Zero-knowledge mode (planned v0.2)

Enterprise customers can opt into zero-knowledge mode at registration: we generate your keypair, hand you the private key once, and destroy our copy. After that, the server-side /v1/decrypt endpoint returns 422 for all of your ciphertext — we literally cannot decrypt. Only local decrypt (with your retained private key) works.

This removes Zoza from your compliance scope entirely: we store ciphertext you can't match to plaintext. Trade-off: if you lose your private key, every app's ciphertext is permanently unrecoverable. By design. We cannot help.

Data deletion

Customers can delete their account at any time via hello@zoza.world. Within 7 business days:

All app metadata is removed from our production DB.
All applications tied to the account are purged from vault_applications.
Access log entries for the account are anonymized (IP removed, app_id nulled).
Backups containing the deletion-date range continue to exist until their normal 7-day rotation expires.
Audit-log entries referencing the account stay — the log is append-only and tamper-evident. They reference the app_id only, not any PII.

Sub-processors

We route traffic and store data through the minimum number of third parties. Each is listed with its function and jurisdiction. We notify customers 30 days in advance of any change.

Processor	Function	Jurisdiction
Fly.io	Application hosting (Singapore + Ashburn VA), managed Postgres	USA (Delaware)
Cloudflare	DNS for zoza.world zone (no proxy; DNS-only for vault-api)	USA (California)
Immunefi	Bug bounty platform (scope docs only, no customer data)	Netherlands

That's it — we don't use third-party analytics, APM, email marketing platforms, or CRM for Vault customers. Billing uses Stripe (when activated); Stripe sees your billing info, not your Vault usage.

Regulatory alignment

Framework	Zoza's role	Status
HIPAA (US)	Business Associate	BAA available after external audit closes (Q2 2026)
PCI-DSS v4.0 (global)	Service provider, scope reducer	Attestation queued with QSA
SOC 2 Type II (US)	Service organization	6-month observation active; report expected 2026-10-15
GDPR (EU)	Data Processor	DPA template available; sub-processor list above
DPDP 2023 (India)	Data Processor / Data Fiduciary (tbd by customer)	Grievance officer designated; consent integration on roadmap
CCPA / CPRA (California)	Service Provider	Service-provider agreement template aligned with §1798.140(v)

Data Processing Agreement template

Our standard DPA (GDPR Art. 28 + CCPA Service-Provider clauses) is available as a PDF on request. Non-standard terms require Enterprise contracts — email hello@zoza.world. Key provisions:

Subject matter: ciphertext storage and public-key lookup services for your customer's form fields.
Processor obligations: confidentiality, security (encryption in transit + at rest), audit cooperation, breach notification within 72 hours.
Customer rights: list of sub-processors, right to object to new sub-processors, deletion on termination.
International transfers: Standard Contractual Clauses (SCCs) with EU customers; UK IDTA addendum for UK customers; DPDP-aligned cross-border provisions for India customers.
Liability: capped at 12 months of fees paid; uncapped for deliberate breach or gross negligence.

Changes to this policy

Changes to this policy are committed to frontend-web/public/about/vault-retention.html in the Zoza products repo. Customers can git log the file for a full history. Material changes trigger email notification to all active customer contacts 30 days in advance.

ℹ Contact

Questions about this policy: hello@zoza.world

Data deletion requests: hello@zoza.world

GDPR rights (access, portability, erasure): your end-users should contact you, since you're the controller; we route requests you make to us about your account.