How Zonevex handles your data

Every record in Zonevex is scoped to an organization_id. The application database enforces this at the query layer: no API call can return a row that doesn’t belong to the calling organization. This is a hard architectural rule, not a configuration setting — the codebase has automated checks that fail the build if a query is written without organization scoping.

Practically: your lease documents, parcel geometries, and queue data are never visible to another customer’s users, queries, or reports. There is no “cross-organization” mode.

In transit: All connections to Zonevex use TLS 1.2 or higher. HTTP requests redirect to HTTPS. Internal service-to-service traffic uses TLS within the AWS VPC.

At rest: AES-256 encryption on uploaded documents (S3 server-side encryption) and on the relational database (RDS). Backups are encrypted with the same keys, retained 30 days, and stored within the same region.

Customer access: Authentication via email + password with strong password requirements; SSO (SAML / Google Workspace) available on request. Role-based access within an organization (admin, editor, viewer).

Internal access: Production data access is limited to the founder. Access requires multi-factor authentication and is logged. No vendor support staff have access to production today; if/when this changes, we will update this page and notify customers in advance.

Lease PDFs and supporting documents are processed for legal-description extraction, instrument-type classification, expiration-date detection, and signature verification. Processing happens in your tenant; outputs (parsed structured data) are stored alongside the source document.

Third-party LLM use: Document parsing uses an OpenAI API call with the relevant text passages. We have an enterprise data-processing addendum with OpenAI specifying that submitted content is not used for model training and is retained at most 30 days for abuse monitoring. We can share the DPA on request.

No training on your data: We do not train models on customer documents. We do not aggregate customer data into shared models or benchmarks without explicit, written, opt-in consent.

Deletion: You can request deletion of any document, project, or organization at any time. We process deletion requests within 7 calendar days. Backups retained beyond that window are purged within 30 days of the deletion request.

For the free portfolio audit and any pre-contract evaluation, we sign a mutual NDA before reviewing your documents. We can sign yours, or send ours — whichever your legal team prefers.

We recommend you also send only the parcels and projects you want audited. We do not need your entire CRM or full historical archive to produce a useful report.

Email ryan@zonevex.com with subject “NDA before audit” and we’ll route the right paperwork.

Zonevex is an early-stage company. We are not yet SOC 2 or ISO 27001 certified. We don’t want to put a misleading badge on this page; if certification is a procurement requirement for your team, tell us and we’ll discuss timeline. We are operating on the controls described above and document them so we can move toward certification when the customer base justifies the audit cost.

For customers with strict procurement requirements, we’re open to contractual data-handling commitments in the MSA that mirror SOC 2 Type II control language even before certification.

In the event of a security incident affecting customer data, affected customers will be notified within 72 hours of confirmation, with the information available at that time and a commitment to follow-up updates as the investigation progresses. Notification will include scope, suspected cause, mitigation steps already taken, and remaining risk.

To report a suspected vulnerability or incident: ryan@zonevex.com with subject “Security incident report.”