z3t.ai

Security

Last updated: June 24, 2026

Overview

At z3t.ai, security is an important part of how we design, operate, and maintain the Platform.

While we do not currently maintain a formal certification such as SOC 2 or ISO 27001, we implement practical technical and organizational measures designed to protect customer data and Platform infrastructure.

This page provides a high-level overview of our current security practices.

Shared Responsibility Model

Security is a shared responsibility.

Appesco B.V. Is Responsible For

  • Platform infrastructure
  • Authentication systems
  • Core application security
  • Data storage security
  • Platform availability
  • Security monitoring
  • Automated operational controls
  • Backup and recovery processes

Customers and Creators Are Responsible For

  • Account security
  • Data submitted to the Platform
  • Agent configuration
  • Prompts and workflows
  • Third-party integrations
  • API credentials they create or connect
  • Compliance with applicable laws

Creators remain responsible for the security and compliance implications of the Agents they create and operate.

Additional information is available in our:

Encryption

Data in Transit

Traffic between users and the Platform is encrypted using TLS.

Public traffic is protected through Cloudflare before reaching Platform infrastructure.

Data at Rest

Sensitive credentials and secrets stored by the Platform are encrypted before storage.

Examples may include:

  • integration credentials;
  • authentication secrets;
  • API tokens;
  • access tokens.

Authentication and Access Control

We implement measures designed to reduce unauthorized access, including:

  • password hashing;
  • multi-factor authentication support;
  • role-based access controls;
  • session management controls;
  • credential rotation capabilities for API keys.

Administrative access is restricted to authorized personnel.

Operational processes are designed to minimize direct access to production systems and customer data wherever reasonably practical.

Infrastructure Security

Platform infrastructure is designed to reduce exposure and limit unauthorized access.

Measures include:

  • restricted access to internal services;
  • network segmentation where appropriate;
  • firewall protections;
  • controlled administrative access;
  • infrastructure monitoring.

Public-facing traffic is routed through Cloudflare, which provides network-layer protections including DDoS mitigation.

Automated Operations

The Platform is designed around automation-first operational principles.

Where practical, routine operational activities are performed through software, automated workflows, infrastructure tooling, and application controls rather than manual handling of customer data.

Examples may include:

  • automated deployments;
  • automated infrastructure provisioning;
  • automated monitoring and alerting;
  • automated backup processes;
  • automated retention and deletion workflows;
  • automated billing and payout processes.

This approach is intended to reduce operational risk, improve consistency, and minimize unnecessary access to customer data.

Access to production systems is restricted and granted only where required for operational, security, support, or legal purposes.

Data Retention

Platform data is retained only for operational, security, contractual, and legal purposes.

By default:

Data TypeTypical Retention
Run inputs and outputsApproximately 3 days
Uploaded filesApproximately 3 days
Billing recordsAs required by law
Security logsAs reasonably necessary for security purposes

Backup copies may remain temporarily within disaster recovery systems before being overwritten according to retention schedules.

Additional information is available in our Privacy Policy.

Backups and Recovery

We maintain backup and recovery procedures designed to support service continuity.

Backups may include:

  • application data;
  • database data;
  • operational configuration data.

Backups are intended for disaster recovery and operational continuity purposes.

Monitoring and Logging

We maintain monitoring and logging systems designed to:

  • detect service issues;
  • identify suspicious activity;
  • investigate security incidents;
  • support operational reliability.

Access to logs is restricted to authorized personnel.

Incident Response

If we become aware of a security incident affecting customer data, we will investigate the incident and take appropriate steps to contain, remediate, and assess its impact.

Where required by applicable law or contractual obligations, affected customers will be notified.

Additional information regarding personal data incidents is available in our Data Processing Agreement.

Security Certifications

At this time, Appesco B.V. does not maintain SOC 2, ISO 27001, or similar third-party security certifications.

We continuously evaluate our security program and may pursue additional certifications as the Platform, customer requirements, and operational maturity evolve.

Subprocessors

We use a limited number of third-party providers to operate the Platform.

A current list of providers is available on our Subprocessors page.

We evaluate providers based on factors including:

  • security practices;
  • reliability;
  • operational requirements;
  • contractual commitments.

AI Providers and Customer Integrations

Creators may configure Agents to interact with:

  • AI providers;
  • APIs;
  • databases;
  • CRM systems;
  • communication platforms;
  • other third-party services.

While Appesco secures the Platform infrastructure, Creators remain responsible for:

  • selecting integrations;
  • configuring workflows;
  • determining data flows;
  • ensuring lawful processing of personal data;
  • complying with third-party provider requirements.

Additional information is available on our AI Processing & Data Flows page.

Security Reporting

If you believe you have discovered a security vulnerability affecting the Platform, please contact us at:

[email protected]

Please include sufficient information to help us investigate the issue.

We appreciate responsible disclosure and will make reasonable efforts to investigate reports.

Changes to This Page

We may update this page from time to time as our security practices evolve.

Material changes will be reflected by updating the "Last updated" date.

Contact

Questions regarding Platform security may be directed to:

Appesco B.V.
Voorburg, The Netherlands

Email: [email protected]