Security
How Zensus handles your financial data
Bank-level access, handled with bank-level care. Zensus reads from your banks, books, and CRM to forecast cash. Here is exactly what we hold, what we never touch, and how it is protected.
- Last reviewed
- June 2026
- Encryption
- AES-256-GCM
- Hosting
- AWS, US region
- AI training
- None
Controls at a glance
Encryption at rest
AES-256-GCM
Encryption in transit
TLS on every request
Bank-level OAuth
Plaid and Intuit hold credentials
Account isolation
Every query scoped to your user
No AI training
Your data never trains a model
US data residency
Stored data in an AWS US region
Encrypted backups
Tested recovery, not a first restore
Static analysis in CI
Semgrep and Gitleaks on commit
Security headers
HSTS, CSP, clickjacking protection
How your data flows
You connect through OAuth. Credentials stay with the provider. Zensus only ever holds scoped tokens, and stores only what it needs to compute your runway.
Your banks, QuickBooks, HubSpot
You authorize access through OAuth
Scoped OAuth tokens
Each provider holds the credentials
Zensus reads only what it needs
Just enough to project your runway
Encrypted at rest on AWS
AES-256-GCM, United States region
Your bank password never touches Zensus. Credentials stay with each provider.
What we store, and never store
Stores
- OAuth tokens for each connected provider, encrypted at rest with AES-256-GCM.
- Transactions and balances within the sync window needed to project your runway.
- Scenario chat history for your account only.
- Derived runway projections and alert state.
Never stores
- Bank or QuickBooks passwords. Plaid and Intuit hold those.
- Payment card details.
- Raw transactions outside the sync window needed for projections.
How your data is protected
Account isolation
Every database query is filtered by user ID. Zensus staff cannot reach your data without an explicit, audited authorization path. Cross-account access is impossible by design, not just by policy.
Backups and recovery
Your data is backed up on a regular schedule, encrypted at rest on the same AWS infrastructure. We test the recovery process, so a restore is a known procedure, not a first-time experiment during an incident.
Data residency
Zensus runs on AWS in a United States region. Your stored data, OAuth tokens, in-window transactions, and scenario history, lives in that US infrastructure. When you run a scenario, the request is processed by Claude per request and returns to you.
Pipeline security
The backend runs Semgrep static analysis on every commit. Gitleaks blocks any pull request that introduces a secret. Dependencies are tracked with automated vulnerability alerts.
AI and your data
Your data never trains a model. Scenarios are sent to Claude per request, analyzed, and returned to you. No fine-tuning, no memory, and no data crossing between accounts.
Compliance status
| Area | Detail | Status |
|---|---|---|
| Encryption | AES-256-GCM at rest, TLS in transit | Active |
| Hosting | AWS, United States region | Active |
| Backups | Encrypted, recovery tested | Active |
| Data isolation | Per-user, enforced at query level | Active |
| AI training | None on your data | Active |
| HTTP headers | HSTS preload, CSP, X-Frame-Options DENY | Active |
Zensus is not yet SOC 2 certified. Our data protection and access control practices are documented and reviewable on request. If your procurement process needs specific evidence, talk to us and we will share what we have.
Responsible disclosure
Found a security issue? Email support@zensus.app and we will work with you on it. We support good-faith security research. If you report a vulnerability responsibly, test only against your own account, give us reasonable time to fix the issue before disclosing it, and do not access, modify, or delete data that is not your own, we will not pursue legal action against you for your research.
Our machine-readable policy lives at /.well-known/security.txt.
Common security questions
Documentation for procurement
Request our security overview and data-handling details, and review the subprocessors we rely on. Security questions, disclosures, and procurement inquiries go to support@zensus.app.