Trust, spelled out.
This page lists every regulation we comply with, how we meet it, and which underlying vendors carry the audits we rely on. Everything here is self-attested — we list what we can honestly stand behind today, and we tell you what we can't.
Last reviewed — 2026-04-21
Honesty clause
We have not completed an external SOC 2 or ISO 27001 audit of our own systems. We will not display those badges for ourselves. Where we rely on vendors who do hold those audits — Clerk, Convex, Vercel, Dodo — we list their certifications in the infrastructure section below, because those certifications apply to the hosting and identity layer we sit on top of, not to our own codebase. We would rather be a small company that tells the truth than a small company that borrows other people's badges.
— Signed, the zlabz.io team
01 — Privacy frameworks
Privacy frameworks we comply with
Each item is backed by a concrete control we ship — not a promise on a slide. Each item below names the evidence it's based on.
- 01 · GDPR · EU Regulation 2016/679 · Self-attested
  Lawful basis (consent + contract), transparent privacy notice, data minimisation, 13-month retention cap, full subject rights (access, rectification, erasure, portability, objection, restriction), named subprocessors, EU-friendly transfers, and documented security measures.
  How we meet it: /privacy · granular cookie consent · /api/user/export · account deletion in /settings · /subprocessors
- 02 · UK GDPR · 2021 · Self-attested
  Post-Brexit UK-specific GDPR regulation. We apply the same controls as EU GDPR — the UK version is substantively identical at the operational level, so compliance is carried through the same mechanisms.
  How we meet it: same controls as EU GDPR · ICO-aligned privacy notice
- 03 · CCPA / CPRA · California, USA · Self-attested
  No sale or sharing of personal information, clear notice at collection, right to know / access / delete / correct, right to limit use of sensitive info, non-discrimination for exercising rights. We treat all CA users with the maximum-rights approach.
  How we meet it: /privacy · 'Do Not Sell or Share' is a non-issue because we don't · /api/user/export · account deletion
- 04 · LGPD · Brazil Lei 13.709/2018 · Self-attested
  Brazilian privacy law modelled on GDPR. We rely on consent and legitimate contractual basis, honour all data-subject rights, and flag LGPD explicitly in our cookie banner so Brazilian users recognise the framework.
  How we meet it: cookie banner LGPD flag · /privacy · /api/user/export
- 05 · ePrivacy · EU Directive 2002/58 (cookie law) · Self-attested
  No non-essential cookies fire before explicit consent. 'Accept all' and 'Reject optional' have equal prominence. No pre-ticked boxes, no 'X' that silently accepts. Consent is versioned and auto-expires at 13 months so material changes re-prompt.
  How we meet it: pre-consent script blocking in cookie-consent.tsx · versioned consent in use-cookie-consent.ts
- 06 · COPPA · USA · Children under 13 · Self-attested
  Our service is not directed to children under 13. We do not knowingly collect personal information from minors, and we explain this in plain language in our privacy policy. If we learn a minor has registered, we delete the account on notice.
  How we meet it: 'Children' section in /privacy · no features targeting minors
- 07 · PCI DSS · SAQ-A scope · Self-attested
  Card data never touches our servers. All payments are redirected to Dodo Payments (PCI DSS Level 1 certified provider). That places us squarely in SAQ-A scope — the lightest-weight form of PCI compliance, and the only honest claim for a merchant that never handles PANs.
  How we meet it: Dodo-hosted checkout · no PAN storage · no CVV capture
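The consent logic in item 05 (versioned consent, a 13-month cap, and no non-essential script before an explicit grant), sketched as an added example. This is not the zlabz.io code from cookie-consent.tsx or use-cookie-consent.ts; every name below (CONSENT_VERSION, ConsentRecord, mayLoad, and so on) is an assumption.

```typescript
// Added example, not the zlabz.io code: a versioned, expiring cookie-consent record
// matching item 05 (no non-essential scripts before explicit consent, re-prompt on
// material notice changes, consent lapses after 13 months). All names are assumptions.
const CONSENT_VERSION = 3;          // bump whenever the notice changes materially
const CONSENT_MAX_AGE_MONTHS = 13;  // hard cap: even an unchanged notice re-prompts
type Category = "analytics" | "marketing";
interface ConsentRecord {
  version: number;                        // notice version the user actually saw
  grantedAt: string;                      // ISO-8601 UTC timestamp of the click
  categories: Record<Category, boolean>;  // explicit choices; never defaulted to true
}
/** Build the record for an explicit choice. 'Reject optional' is simply all-false. */
function recordConsent(choices: Partial<Record<Category, boolean>>, now: Date): ConsentRecord {
  return {
    version: CONSENT_VERSION,
    grantedAt: now.toISOString(),
    categories: { analytics: choices.analytics === true, marketing: choices.marketing === true },
  };
}
/** Expiry is grantedAt plus 13 calendar months (JS Date rolls a month-end overflow forward). */
function consentExpiry(grantedAt: string, months: number = CONSENT_MAX_AGE_MONTHS): Date {
  const d = new Date(grantedAt);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}
/** A stored record is usable only if it matches the current notice version and has not lapsed. */
function isConsentValid(record: ConsentRecord | null, now: Date, version: number = CONSENT_VERSION): boolean {
  if (!record || record.version !== version) return false;  // missing or superseded -> re-prompt
  const granted = new Date(record.grantedAt).getTime();
  if (Number.isNaN(granted) || granted > now.getTime()) return false;  // malformed or future-dated
  return now.getTime() < consentExpiry(record.grantedAt).getTime();
}
/** Gate for a non-essential script tag: load only when a valid record grants that category. */
function mayLoad(category: Category, record: ConsentRecord | null, now: Date): boolean {
  if (!record || !isConsentValid(record, now)) return false;
  return record.categories[category] === true;
}
/** Parse the stored cookie defensively; anything malformed or partial counts as "no consent". */
function parseStoredConsent(raw: string | null): ConsentRecord | null {
  if (!raw) return null;
  try {
    const v = JSON.parse(raw);
    if (typeof v?.version !== "number" || typeof v?.grantedAt !== "string" || !v.categories) return null;
    const c = v.categories;
    return { version: v.version, grantedAt: v.grantedAt,
             categories: { analytics: c.analytics === true, marketing: c.marketing === true } };
  } catch { return null; }
}
```

The script gate is the check a tag loader would run before injecting any analytics or marketing script; a missing, malformed, superseded or expired record always resolves to "do not load".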
02 — Security posture
Security posture
The technical controls behind the compliance claims above. Most of this is the result of picking vendors carefully rather than rolling our own.
- Hosting · Vercel + Coolify: Primary web and API workloads run on Vercel (SOC 2 Type II, ISO 27001). Render and search services run on a Coolify-managed EU VPS with fail2ban, UFW firewall, and a non-root deploy user. TLS is enforced end-to-end.
- Database · Convex (encrypted at rest): All user data lives in Convex, which encrypts data at rest by default and is SOC 2 Type II certified. We query it with strict per-user scoping via Clerk identity — no cross-tenant access paths.
- Identity · Clerk (we never touch passwords): Clerk handles sign-in, password storage, MFA, session rotation, and OAuth. We never see or store passwords. Sessions are JWT-based and verified per-request against Clerk's JWKS.
- Payments · Dodo (PCI Level 1): Checkout redirects to Dodo Payments. Card numbers, CVVs, and full PANs are never transmitted to zlabz.io or stored in our database — only plan status, subscription ID, and billing metadata.
- Transport · HTTPS-only, modern TLS: All endpoints enforce HTTPS via HSTS. We set strict COOP/COEP headers on the editor routes for SharedArrayBuffer safety, and the app runs in a CORS-credentialless context.
- Retention · 13-month cap: Account data is retained while your account is active. On deletion, a Convex cascade job wipes profile, subscription, credits, projects, and support history. Billing records are retained per tax-law minimums (typically 7 years) as required.
03 — Your rights
Your rights
Every right below is a button you can click today — not a process that takes 30 days of email ping-pong.
- Access + portability: Download a JSON snapshot of everything we store about you, any time. Covers profile, subscription, credits, support tickets, feedback, and projects.
- Erasure: Delete your account in one click. We cascade-wipe your rows from Convex. Billing records held for tax compliance are retained per the minimums required by law.
- Withdraw consent: Change your cookie preferences at any time. Withdrawal is as easy as granting — just click 'Cookie preferences' anywhere in the footer.
04 — Infrastructure
Underlying infrastructure (what vendors carry the audits)
We don't display vendor badges as if they were our own — but the certifications below apply to the platforms we sit on, which directly affects our security posture. This is the honest version of 'built on SOC 2 infrastructure'.
- Identity · sessions · MFA (Clerk): SOC 2 Type II · ISO 27001 · GDPR · CCPA
- Database · real-time sync (Convex): SOC 2 Type II · GDPR · CCPA · HIPAA ready
- Web + API hosting · CDN (Vercel): SOC 2 Type II · ISO 27001 · GDPR · CCPA
- Checkout · card handling (Dodo Payments): PCI DSS Level 1 · SOC 2 · GDPR
- AI paragraph generation: GDPR · SOC 2 Type II · EU-hosted
- Aggregated analytics (self-hosted): GDPR · ePrivacy · No PII
What we do NOT claim
We have not completed SOC 2 Type I or Type II, ISO 27001, ISO 27701, HIPAA, FedRAMP, or any other third-party audit of our own systems. If enterprise procurement requires that level of assurance from us specifically, contact us — we can share vendor reports and a security questionnaire, but we will not invent badges we don't hold.
05 — Related documents
Related documents
Still have questions?
If your procurement team needs a signed DPA, a security questionnaire, or deeper documentation, reach out and we'll respond within two business days.