Security

    How Zensus handles your financial data

    Bank-level access, handled with bank-level care. Zensus reads from your banks, books, and CRM to forecast cash. Here is exactly what we hold, what we never touch, and how it is protected.

    Last reviewed
    June 2026
    Encryption
    AES-256-GCM
    Hosting
    AWS, US region
    AI training
    None
    01

    Controls at a glance

    Encryption at rest

    AES-256-GCM

    Encryption in transit

    TLS on every request

    Bank-level OAuth

    Plaid and Intuit hold credentials

    Account isolation

    Every query scoped to your user

    No AI training

    Your data never trains a model

    US data residency

    Stored data in an AWS US region

    Encrypted backups

    Tested recovery, not a first restore

    Static analysis in CI

    Semgrep and Gitleaks on commit

    Security headers

    HSTS, CSP, clickjacking protection

    02

    How your data flows

    You connect through OAuth. Credentials stay with the provider. Zensus only ever holds scoped tokens, and stores only what it needs to compute your runway.

    01

    Your banks, QuickBooks, HubSpot

    You authorize access through OAuth

    02

    Scoped OAuth tokens

    Each provider holds the credentials

    03

    Zensus reads only what it needs

    Just enough to project your runway

    04

    Encrypted at rest on AWS

    AES-256-GCM, United States region

    Your bank password never touches Zensus. Credentials stay with each provider.

    03

    What we store, and never store

    Stores

    • OAuth tokens for each connected provider, encrypted at rest with AES-256-GCM.
    • Transactions and balances within the sync window needed to project your runway.
    • Scenario chat history for your account only.
    • Derived runway projections and alert state.

    Never stores

    • Bank or QuickBooks passwords. Plaid and Intuit hold those.
    • Payment card details.
    • Raw transactions outside the sync window needed for projections.
    04

    How your data is protected

    Account isolation

    Every database query is filtered by user ID. Zensus staff cannot reach your data without an explicit, audited authorization path. Cross-account access is impossible by design, not just by policy.

    Backups and recovery

    Your data is backed up on a regular schedule, encrypted at rest on the same AWS infrastructure. We test the recovery process, so a restore is a known procedure, not a first-time experiment during an incident.

    Data residency

    Zensus runs on AWS in a United States region. Your stored data, OAuth tokens, in-window transactions, and scenario history, lives in that US infrastructure. When you run a scenario, the request is processed by Claude per request and returns to you.

    Pipeline security

    The backend runs Semgrep static analysis on every commit. Gitleaks blocks any pull request that introduces a secret. Dependencies are tracked with automated vulnerability alerts.

    AI and your data

    Your data never trains a model. Scenarios are sent to Claude per request, analyzed, and returned to you. No fine-tuning, no memory, and no data crossing between accounts.

    05

    Compliance status

    AreaDetailStatus
    EncryptionAES-256-GCM at rest, TLS in transitActive
    HostingAWS, United States regionActive
    BackupsEncrypted, recovery testedActive
    Data isolationPer-user, enforced at query levelActive
    AI trainingNone on your dataActive
    HTTP headersHSTS preload, CSP, X-Frame-Options DENYActive
    Verify our HTTP security headers

    Zensus is not yet SOC 2 certified. Our data protection and access control practices are documented and reviewable on request. If your procurement process needs specific evidence, talk to us and we will share what we have.

    06

    Responsible disclosure

    Found a security issue? Email support@zensus.app and we will work with you on it. We support good-faith security research. If you report a vulnerability responsibly, test only against your own account, give us reasonable time to fix the issue before disclosing it, and do not access, modify, or delete data that is not your own, we will not pursue legal action against you for your research.

    Our machine-readable policy lives at /.well-known/security.txt.

    07

    Common security questions

    Every integration token is encrypted at rest with AES-256-GCM, data moves over TLS, and your stored data sits on encrypted AWS infrastructure in a United States region. Every database query is scoped to your account, so cross-account access is not possible by design.

    No. You connect through OAuth, and Plaid and Intuit hold those credentials. Zensus only ever receives scoped tokens, never your bank or QuickBooks password.

    No. Your data never trains any model. When you run a scenario, your data is sent to Claude per request, analyzed, and returned to you. There is no training, no fine-tuning, and no memory across accounts.

    Your stored data lives on AWS in a United States region. If your procurement process needs the specific region or a data-flow diagram, email support@zensus.app and we will share it.

    Not yet. Our data-protection and access-control practices are documented and reviewable on request, and we would rather tell you exactly where we stand than imply a certification we do not hold.
    08

    Documentation for procurement

    Request our security overview and data-handling details, and review the subprocessors we rely on. Security questions, disclosures, and procurement inquiries go to support@zensus.app.