• Headquartered in Milton, ON, Canada
  • SOC 2 Type II readiness in progress
  • GDPR · CCPA · PIPEDA compliant
  • +1 (905)-798-6999
  • info@zemora.ai
Request access →
⚡ Security & Trust

Security Overview

Last Updated: May 19, 2026

At Zemora.ai, we handle communications data on behalf of our customers — calls, messages, emails, and the contacts behind them. We treat that responsibility seriously. This page summarizes the security practices that protect your data and the data of the people you communicate with.

01How We Protect Your Data

🔒

Encryption Everywhere

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Nothing sensitive travels or sits unencrypted.

🔑

Secrets Management

API keys, OAuth tokens, and credentials are stored in a managed secrets vault — never in our database.

👤

Least-Privilege Access

Only engineers who need access to a customer's data have it, scoped per-customer. Every access is logged.

🛡️

Multi-Factor Auth

MFA is required on all internal systems and administrative accounts.

🌎

Data Residency

Customer data is stored in North American cloud regions by default. EU residency available on request.

⏱️

Retention Controls

You control how long conversation data is kept. Deletion requests are honored permanently within 30 days.

02Compliance & Standards

We are a Canadian company headquartered in Ontario, and we align our practices with the following frameworks and regulations:

  • PIPEDA (Canada) — compliant
  • GDPR (EU/UK) — compliant; Data Processing Addendum available on request
  • CCPA / CPRA (California) — compliant
  • TCPA & A2P 10DLC (US SMS) — registered and compliant
  • Google API Services User Data Policy — Limited Use compliant (see our Google API Disclosure)
  • SOC 2 Type II — independent assessment in progress (target Q4 2026)

03Application & Infrastructure Security

  • Regular dependency scanning and patching of known vulnerabilities
  • Code review required before changes reach production
  • Isolated environments for development, staging, and production
  • Automated, encrypted backups retained for 30 days
  • Continuous monitoring for unusual activity and abuse

04How We Handle Google & Microsoft Data

For products that connect to your Google or Microsoft account (such as Zemora Email), we follow strict Limited Use principles: data is used only to deliver the features you've enabled, is never sold, is never used for advertising, and is never used to train general-purpose AI models.

Read more: Full detail is in our Google API Disclosure and Privacy Policy.

05Reporting a Vulnerability

We welcome reports from security researchers. If you believe you've found a vulnerability in our systems, please email security@zemora.ai with details and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you updated. Please give us a reasonable opportunity to address the issue before any public disclosure.

06Data Requests

To request a Data Processing Addendum (DPA), a list of sub-processors, or to exercise your data rights, email legal@zemora.ai or privacy@zemora.ai. We typically respond within 24-48 hours.

07Contact Information

Questions about our security practices? We're here to help.

Get in Touch

We typically respond within 24-48 hours.

security@zemora.ai privacy@zemora.ai 🌐 www.zemora.ai 📍 764 Challinor Terrace, Milton, ON L9T 7V5