Overview
A transparent summary of how Zaph handles data.
Zaph generates standups, narrative summaries, and metrics from data you authorize via integrations, scoped to your workspace.
Zaph is designed around least privilege, strong workspace isolation, collecting only the data it needs, and straightforward controls for connecting and disconnecting sources.
We don’t sell personal data. We don’t use private workspace data to train shared/public AI models.
Scope & Definitions
Who this policy applies to and what key terms mean.
This Privacy Policy applies to Zaph’s marketing site, application, and related services (“Service”).
“Workspace Data” means the content and metadata you connect or provide via integrations (e.g., issue keys, repository identifiers, commit metadata, and other read-only signals), plus content you generate inside Zaph.
“Personal Data” means information that identifies or relates to an identifiable person (e.g., name, email).
Data We Collect
What we collect, why we collect it, and typical examples.
We collect data in three primary ways: (1) data you provide directly, (2) data provided by connected integrations, and (3) operational/usage data necessary to run and secure the Service.
- Email address, name (if provided), and authentication identifiers
- Workspace identifiers, membership, and role assignments
- Tenant/workspace configuration (projects, preferences, settings)
- OAuth tokens and connection state (stored encrypted at rest)
- Project mappings and integration scopes (per project)
- Identifiers like repository IDs, project keys, channel IDs
- GitHub / Bitbucket: commits, PR metadata, review activity (read-only)
- Confluence: pages and spaces, change history, comments, and page metadata (read-only)
- Jira: issues, status changes, assignments, and comment metadata (read-only)
- Slack: channel messages where authorized (read-only)
Note: What we can access depends on the scopes you approve and the projects you map. A read-only scope still grants access to all content that scope covers (for example, the messages in an authorized Slack channel), so review the scope list on the OAuth consent screen before approving.
- Service reliability metrics (latency, error rates)
- Security events (auth events, access attempts, admin actions)
- Audit logs for key actions (where enabled)
We design logs to be useful for security and debugging while minimizing sensitive payloads.
How We Use Data
Core service delivery, security, product improvement, and support.
- Provide the Service (standup generation, summaries, metrics, dashboards, and collaboration workflows).
- Secure and operate the Service (authentication, rate limiting, abuse prevention, monitoring, incident response).
- Improve quality (debugging, performance tuning, feature iteration, reliability improvements).
- Customer support when you request help (investigating issues, answering questions, and resolving bugs).
We aim to access and process only what’s needed to generate your outputs. You control which integrations are connected and what projects/scopes are enabled.
AI Processing
How AI is used, what data is sent, and what we do not do.
Zaph uses AI to construct narrative summaries, standups, and insights based on Workspace Data you explicitly connect. AI requests are scoped to your workspace context.
- Use AI strictly for inference to generate outputs for your workspace
- Minimize prompts to relevant, authorized signals
- Prevent cross-tenant/workspace mixing in our application logic
- We do not sell Personal Data
- We do not use private workspace data to train shared or public AI models
- We do not allow cross-customer “shared memory” between workspaces
We may use third-party AI providers as subprocessors: prompts built from your authorized Workspace Data are sent to the provider for inference, and the response is returned to your workspace. These providers act on our behalf to generate outputs for you, scoped to your workspace.
Important: Provider terms can evolve. We periodically review vendor controls and update our program as we grow and customer needs mature.
Integrations & OAuth Access
One-click OAuth, project-scoped permissions, and read-only access.
Zaph supports integrations including Slack, Jira, GitHub, Bitbucket, and Confluence. Connections are established via OAuth and require explicit user authorization.
- Read-only access: Zaph is designed to read signals for summaries and metrics, not to write to connected repositories, issues, pages, or channels.
- Scopes per project: Integrations are mapped to projects and limited to configured scopes.
- Revocable: You can disconnect or revoke access at any time.
Note: The exact data accessible depends on the scopes granted during OAuth and how your workspace maps projects/repositories/channels.
Data Sharing & Subprocessors
Who we share data with and why.
We do not sell Personal Data. We share limited information with vendors only as needed to operate the Service (e.g., hosting, monitoring, email delivery, and AI inference).
- AWS (infrastructure and managed services).
- AI provider(s) used for inference.
- Operational tooling (monitoring, logging, email delivery) as required.
If you need a formal subprocessor list and DPA-style documentation for procurement, contact us at security@zaph.ai.
Security Program
Controls designed for modern SaaS security expectations.
Zaph is built on AWS and designed with secure-by-default principles: least privilege, strict workspace separation, and encryption-first architecture. As we grow, we are working toward SOC 2 (Type I) and building controls that align with the SOC 2 Trust Services Criteria.
- Encryption in transit (TLS)
- Encryption at rest
- Secrets, including integration OAuth tokens, stored encrypted at rest
- Role-based access control (RBAC)
- Least privilege access policies for services and admins
- Secure authentication and optional MFA (where supported)
- Strict separation between workspaces/tenants in application logic
- Scoped tokens and project-level integration configuration
- Cross-tenant access protections and authorization checks
- Operational monitoring for reliability and performance
- Audit logging for key events (authentication/admin actions) where applicable
- Incident response and continuous improvement as the product matures
Zaph uses modern cloud primitives and managed services to reduce operational risk, apply standardized security controls, and support scalable, audited infrastructure patterns.
Data Retention
How long we keep data and how retention evolves.
We retain data for as long as needed to provide the Service, support customer requests, comply with legal obligations, and maintain security and reliability.
Retention practices may evolve as Zaph matures. Where feasible, we aim to minimize retention of sensitive payloads and keep only what is necessary for product functionality and security.
Your Choices & Rights
How you control data, integrations, and account settings.
- Disconnect integrations at any time to revoke access.
- Limit scopes by mapping integrations per project and granting only what you need.
- Request access or deletion of Personal Data by contacting us.
To request access, correction, or deletion, email support@zaph.ai or security@zaph.ai. We may need to verify your identity before processing requests.
International Transfers
Where data may be processed and why.
Zaph operates using cloud infrastructure and subprocessors that may process data in different geographic regions. Where applicable, we use contractual and technical measures designed to protect data during processing and transfer.
Children’s Privacy
Zaph is not intended for children.
Zaph is intended for business use and is not directed to children. We do not knowingly collect Personal Data from children. If you believe a child has provided us data, contact us and we will take appropriate steps to delete it.
Changes to This Policy
How we handle updates as the product evolves.
As an early-stage product, Zaph is actively evolving. We may update this Privacy Policy from time to time. If changes are material, we will provide notice in the Service or by other reasonable means.
Contact
Questions, requests, and vulnerability reporting.
This page is provided for transparency and trust. It is not legal advice. If you need a policy tailored to a specific jurisdiction (e.g., GDPR/UK GDPR/CCPA) or a formal Data Processing Addendum (DPA), contact us at security@zaph.ai. To report a security vulnerability in the Service, email security@zaph.ai.