Security Policy

Our security approach is based on three core principles:

• Privacy by Design Security measures are integrated into every layer of our architecture, not added as an afterthought.
• Minimal Data Retention We store only the data necessary for service delivery and delete it as soon as it's no longer needed.
• Transparency by Default We document our security practices openly and provide clear information about how data is protected.

These principles guide every decision we make about infrastructure, code, and data handling.

Encryption in Transit

• All data transmitted between your browser and Parzero servers uses TLS 1.3 encryption.
• API endpoints enforce HTTPS-only connections with HSTS headers.
• WebSocket connections (for real-time updates) are secured via WSS (WebSocket Secure).

Encryption at Rest

• All user data stored in databases is encrypted using AES-256 encryption.
• File uploads (.zip files) are stored in encrypted S3 buckets with server-side encryption (SSE-S3).

Result: Your data is protected both during transmission and while stored on our servers.

• All servers run in EU-based data centers (Frankfurt, Germany) with physical security controls and 24/7 monitoring.
• Network traffic is filtered through firewalls and DDoS protection (Cloudflare / Vercel Edge Network).
• Access to production systems requires multi-factor authentication (MFA) and is restricted to authorized personnel only.
• Regular security patches and updates are applied automatically via automated deployment pipelines.
• Infrastructure is monitored 24/7 for anomalies, intrusions, and performance issues.

When you upload files for conversion, they are processed in isolated, ephemeral containers:

• Each conversion runs in a separate Docker container with no network access to other containers or databases.
• Containers are automatically destroyed after processing completes (max. 48 hours).
• No persistent storage is attached to conversion containers — all files are temporary.

This ensures that your uploaded files cannot access or interfere with other users' data or system resources.

• AI processing (OpenAI API) is performed via an EU proxy — no data leaves the EU region.
• Uploaded files are never used to train AI models or shared with third parties.
• AI logs contain only process IDs and timestamps — never file content or user data.

Your project data remains private and is never used for AI training or model improvement.

• Database backups are performed daily and stored in encrypted, geographically redundant locations.
• Backups are retained for 90 days and can be restored within 4 hours of a request.
• All backups are encrypted and access-controlled.
• Disaster recovery procedures are tested quarterly to ensure rapid restoration of services.

• Automated security scanning runs continuously to detect vulnerabilities in dependencies and code.
• Penetration testing is performed annually by independent third-party security firms.
• Security incident logs are reviewed daily by the security team.
• All code changes undergo security review before deployment to production.

In the event of a security incident, we follow a structured response plan:

• Incidents are detected and classified within 1 hour of occurrence.
• Affected users are notified within 72 hours (as required by GDPR Art. 33).
• A detailed incident report is published on our status page and sent to affected users.
• Post-incident reviews are conducted to prevent similar issues in the future.

info@parzero.ai

www.parzero.ai