Zubby AI
  • Pricing
Sign inStart free trial
  • Welcome
  • Security & data handling
  1. Docs
  2. Security & data handling

Security & data handling

This page is the technical answer to “what does Zubby do with my data?”. It complements the legal privacy policy and our security overview. If your security team needs a deeper artifact (DPA, sub-processor list, SOC 2 report), email security@zubbyai.com.

Encryption

  • In transit — TLS 1.2+ everywhere. HTTPS-only cookies, HSTS preload on zubbyai.com and the API domain.
  • At rest — AES-256 on the database (Postgres) and on object storage (uploaded files, exports). Backups are encrypted with separate keys.
  • Application-level — store access tokens (Shopify, WooCommerce, third-party connectors) are encrypted with a per- tenant key derived from a master KMS key.

Tenant isolation

All data is keyed by store_id. Every database query threads the store context; we use row-level isolation to make cross-tenant reads physically impossible from application code. Background workers carry the store context through the job payload.

Data residency

Three regions: US-East (default), EU (Frankfurt), AU (Sydney). Choose at workspace creation; switching regions later is a data migration we run manually within 30 days. The widget loader is served from a global CDN; your application data never leaves your chosen region.

Retention

Data classDefault retentionConfigurable
Conversations12 months1 / 3 / 6 / 12 / 24 months
Shopper profilesWhile workspace is activeTrigger redaction via API or webhook
Catalog dataWhile store is connectedCleared on disconnect
Aggregated analyticsIndefinite (no PII)—
Audit logs24 monthsUp to 7 years on Enterprise

Short retention is fine

Most stores can run on a 3-month conversation retention without impacting AI quality — the model is grounded in your catalog and knowledge base, not historical conversations. Shorter retention means smaller blast radius on a breach.

GDPR & CCPA

Shopper-initiated data requests propagate through standard webhooks:

  • Shopify — customers/data_request, customers/redact, shop/redact. Processed automatically on the timelines Shopify mandates.
  • WooCommerce — the plugin exposes equivalent hooks and forwards them to Zubby.
  • Native — your support team can trigger deletion / export from a profile page.

For workspace-level DPAs, see Settings → Compliance → DPA. Zubby’s standard DPA is GDPR Article 28-compliant and signable in-app for non-Enterprise plans.

Sub-processors

We list every sub-processor at /security. The current list:

  • AWS — primary hosting (US-East, EU-Central, AP-Southeast).
  • OpenAI, Anthropic, Azure OpenAI, Google Gemini — AI providers.
  • Postmark / Resend — transactional email.
  • Twilio — SMS, WhatsApp.
  • Stripe — billing.
  • Cloudflare — CDN and DDoS protection.
  • Sentry — error tracking (no PII).

SOC 2 status

SOC 2 Type I report issued for the period ending 2025-12-31. Type II observation window is in progress; expected issuance Q3 2026. Request the current report from security@zubbyai.com under MNDA.

Vulnerability disclosure

Report security issues to security@zubbyai.com. PGP key available on request. We respond within one business day, fix critical vulnerabilities within 7 days, and publish a postmortem for anything that affected customer data.

API key hygiene

Public API keys are scoped per store. Best practices:

  • Rotate keys every 90 days from Settings → API keys → Rotate.
  • Store keys in a real secret manager (1Password, AWS Secrets Manager, GCP Secret Manager) — never in source control.
  • Revoke immediately if a teammate with key access leaves.
  • Use the audit log to investigate suspicious activity.

Authentication

  • Standard — email + password with bcrypt-hashed credentials, optional TOTP 2FA.
  • SSO — Google, Microsoft Entra, Okta, generic SAML 2.0 on Enterprise.
  • Session — short-lived JWTs in HttpOnly cookies.

Penetration testing

Annual external pen tests by a CREST-accredited firm. Latest report available under MNDA. We also run continuous DAST + SAST in CI.

Insurance

Zubby carries cyber liability and E&O insurance through a major US carrier. Coverage details available to procurement teams on request.

Was this page helpful?

Still stuck? Contact support with the URL of this page (/docs/security).

PreviousOutbound webhooksNextTroubleshooting overview

Footer

Zubby AI

The AI sales agent for Shopify and WooCommerce. Learns your store, guides shoppers in real time, and recovers the revenue you would have otherwise lost.

System status

Product

  • All Features
  • AI Sales Agent
  • Cart Rescue
  • Widget Designer
  • Multi-Language
  • Pricing
  • Changelog

Solutions

  • Solutions Hub
  • Cart Recovery
  • Product Discovery
  • 24/7 Support
  • Upsell + Cross-sell
  • Conversion Optimization

Industries

  • Fashion & Apparel
  • Beauty & Cosmetics
  • Electronics
  • Jewelry & Accessories
  • Food & Beverage
  • Health & Wellness

Integrations

  • Shopify
  • WooCommerce
  • All integrations
  • vs Rep AI
  • vs Tidio
  • vs Klaviyo
  • vs Gorgias

Resources

  • Documentation
  • Guides
  • ROI Calculator
  • Glossary
  • Answers (AI Q&A)
  • Blog
  • Case Studies

Company

  • About
  • Careers
  • Contact
  • Trust
  • Security
  • Status
  • Privacy
  • Terms

© 2026 Zubby AI, Inc. All rights reserved.

Built for merchants.Made with care.