Zubby AI
  • Pricing
Sign inStart free trial
Home/Trust Center
Trust Center

Zubby Security & Compliance

Zubby AI is the AI sales agent your security team can sign off on. Per-tenant AES-256-GCM encryption, SOC 2 Type I in progress, GDPR and CCPA pipelines wired into first-class background workers, and EU plus US data residency. Every claim on this page links to the code that backs it.

Published 2026-05-19

Type I

SOC 2

Audit in progress

At rest

AES-256-GCM

AAD-bound per tenant

In transit

TLS 1.3

HSTS preloaded

DSAR SLA

48h

Export or erasure

What the Trust Center covers

Every page is dated, plain-English, and code-anchored

We document the controls we have, the ones we are working on, and the ones we do not — so your security review is a fast yes or a fast pass, not a six-week trade.

Trust

GDPR Compliance

Article-by-article mapping. Data subject rights resolved in 48h. Erasure endpoint /api/v1/merchant/gdpr/delete. EU SCCs and Transfer Impact Assessment available.

Read more

Trust

Data Processing Agreement

Counter-signed DPA on every Pro and Enterprise plan. EU SCCs Module 2, UK IDTA, Swiss FADP. Sub-processor list with regional alternatives. Downloadable PDF.

Read more

Trust

CCPA & US State Privacy

California CPRA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Virginia VCDPA. Universal opt-out signal (GPC) honored end-to-end. Service Provider terms in DPA.

Read more

Trust

Responsible AI

Multi-provider routing (OpenAI, Anthropic, Gemini, Azure). Prompt-injection detection. Per-store cost cap. Conversation data never used to train base models.

Read more

Trust

Security & Disclosure

AES-256-GCM at rest, TLS 1.3 in transit, scrypt password hashing, HMAC-SHA256 webhook verification, SSRF protection, magic-byte upload sniffing. Report vulnerabilities to security@zubbyai.com.

Read more

Trust

Live Status & Uptime

Real-time uptime for dashboard, widget chat, webhook ingress, BullMQ worker, and AI providers. Incident timelines published with root-cause analysis on resolution.

Read more

Security architecture at a glance

Architecture

Zubby AI runs three deploy targets — Shopify embedded app, WooCommerce plugin, and a hosted storefront widget — against one multi-tenant backend. The runtime splits into three processes: a Next.js web app (dashboard, widget, public APIs, webhook ingress), a long-running BullMQ worker (catalog sync, embeddings, recovery emails, GDPR jobs), and a Postgres-plus-Redis data layer with pgvector for embedding search.

  • Edge proxy. Every request to /api/v1/* passes through src/proxy.ts, which enforces Upstash-backed rate limits (widget 20 req / 10s, widget chat 6 req / 30s per key plus IP, webhooks 500 req / s per tenant bucket) and Shopify embedded-app session token verification before any route handler runs.
  • Tenant scope. Every row carries a store_id predicate. The widget cannot start a conversation without an x-widget-keyheader verified against the store's key — the proxy injects the resolved store_id into downstream headers so route handlers never trust client-supplied tenancy.
  • Worker process. Ten BullMQ queues (catalog sync, embedding, document embedding, webhook processor, recovery email, journey execution, abandonment check, winback check, GDPR compliance, weekly digest) with retry-aware job options. GDPR jobs get 5 attempts on exponential backoff so an external API hiccup cannot drop a legal obligation.

Encryption everywhere

AES-256-GCMTLS 1.3

At rest. Per-tenant secrets are encrypted with AES-256-GCM, with ciphertexts bound to an AAD context of (tenant, column, provider, field). The implementation lives in src/lib/secrets.ts. The current version is enc_v2; a legacy enc_v1 path remains for backward-compatible reads. The derivation key comes from DATA_ENCRYPTION_KEY — production rejects startup if the key is missing or equals AUTH_SECRET.

In transit. TLS 1.3 terminates at the edge for every public endpoint: dashboard, widget, webhook ingress, public REST API. HSTS preload is enabled on the marketing and app domains. Postgres connections require SSL.

Passwords. Account passwords are hashed with crypto.scrypt using a 16-byte random salt and a 64-byte derived key. Verification uses crypto.timingSafeEqual, eliminating timing-side-channel disclosure of password guesses.

Identity, sessions, and access control

NextAuth v5RBAC
  • NextAuth v5 JWT sessions with hard-invalidation on any credential change — rotating a password or revoking a session immediately terminates every in-flight JWT for that subject. Magic-link email login, Google OAuth, and credentials providers are supported with explicit account-merge guards: a Google sign-in cannot silently absorb a credentials-protected account with the same email.
  • Per-tenant RBAC. Workspace roles (owner, admin, agent, viewer) gate every dashboard action. Invites are token-based and single-use. Role changes, integration credential rotations, knowledge uploads, and erasure requests emit an audit event with actor, action, target, and ISO timestamp.
  • Public REST API authuses long-lived API keys with per-scope permissions (read:catalog, write:conversations, etc.). Keys are hashed at rest and verified in constant time. Per-scope rate limits prevent a leaked write-scope key from exhausting an account's AI budget.

Application-layer defenses

Defense in depth
  • HMAC-SHA256 webhook verification for Shopify (app secret), Stripe (stripe-signature header, idempotent handler keyed by event ID), WooCommerce (plugin-signed token compared via crypto.timingSafeEqual), and Twilio. Replay attacks blocked by event-ID dedupe in the webhook processor.
  • SSRF protection. Every outbound HTTP call from user-controlled URLs (search-by-image, knowledge import, Loox pull, Klaviyo redirector) passes through assertSafeOutboundUrl which blocks RFC 1918, link-local, loopback, and AWS metadata addresses, with DNS rebinding mitigation.
  • Magic-byte upload sniffing. Image uploads to the widget, knowledge base, and product catalog are validated against magic bytes — not the client-declared MIME type — so a renamed payload cannot bypass the type check.
  • Cloudflare Turnstile gates conversation start on suspicious traffic patterns. Configurable per store; defaults to enabled for new workspaces.

Privacy lifecycle: export, erasure, retention

GDPRCCPA

Privacy-rights fulfillment is a first-class background worker, not a ticket queue. The gdpr-compliance queue handles Shopify data-request, data-erasure, and shop-redact webhooks, plus WooCommerce equivalents, plus direct merchant requests via the dashboard. The endpoint /api/v1/merchant/gdpr/delete accepts a shopper identifier and emits a fanout: delete conversations, embeddings, journey state, customer record, AI tool-call logs, and CDN-cached avatars.

  • Right of access.Export a shopper's data in JSON within 48h.
  • Right to erasure. One-click delete propagates to every linked system, including embeddings and AI conversation logs.
  • Right to data portability. Full JSON and CSV exports.
  • Retention. Default conversation retention is 12 months; merchants can shorten it per store. Audit logs retained 24 months.

Operational excellence

SLOsObservability
  • 99.9% uptime SLO on the merchant dashboard and widget chat API. Real-time status at /status with synthetic monitoring runs every 60 seconds.
  • Sentry-instrumented Next.js runtimes (server, edge, client) plus the BullMQ worker. PII scrubbing applied before capture.
  • Dead-letter queue replay. Failed background jobs land in a dedicated DLQ with merchant-visible replay tooling in the dashboard.
  • Disaster recovery. Documented in DEPLOY.md. Postgres backed by managed point-in-time recovery; encrypted off-site snapshots daily. RTO 4h, RPO 1h.

Drill into a topic

  • GDPR Compliance
  • Data Processing Agreement
  • CCPA & US privacy
  • Responsible AI
  • Security disclosure
  • Live status

Procurement and security questions?

We answer security questionnaires in 5 business days on Pro and Enterprise. For counter-signed DPAs, SOC 2 readiness letters, or a custom security review, talk to us.

security@zubbyai.com
Procurement-ready

Bring your security team. We will be ready.

DPAs, EU SCCs, sub-processor lists, SOC 2 readiness letters, pen-test summaries, and a Transfer Impact Assessment are available on request — typically within 24h.

Talk to salesSee pricing

Footer

Zubby AI

The AI sales agent for Shopify and WooCommerce. Learns your store, guides shoppers in real time, and recovers the revenue you would have otherwise lost.

System status

Product

  • All Features
  • AI Sales Agent
  • Cart Rescue
  • Widget Designer
  • Multi-Language
  • Pricing
  • Changelog

Solutions

  • Solutions Hub
  • Cart Recovery
  • Product Discovery
  • 24/7 Support
  • Upsell + Cross-sell
  • Conversion Optimization

Industries

  • Fashion & Apparel
  • Beauty & Cosmetics
  • Electronics
  • Jewelry & Accessories
  • Food & Beverage
  • Health & Wellness

Integrations

  • Shopify
  • WooCommerce
  • All integrations
  • vs Rep AI
  • vs Tidio
  • vs Klaviyo
  • vs Gorgias

Resources

  • Documentation
  • Guides
  • ROI Calculator
  • Glossary
  • Answers (AI Q&A)
  • Blog
  • Case Studies

Company

  • About
  • Careers
  • Contact
  • Trust
  • Security
  • Status
  • Privacy
  • Terms

© 2026 Zubby AI, Inc. All rights reserved.

Built for merchants.Made with care.