Trust

Security at ZenScail

You’re handing us the keys to your inbox and calendar. We treat that access as a responsibility, not a convenience. Here’s how we keep it safe.

Last updated June 13, 2026

Our approach

Security at ZenScail starts from a single principle: access the least amount of your data needed, for the shortest time needed, and protect it at every step. Because we connect to email and calendar — some of the most sensitive data you own — we design conservatively and default to privacy.

Encryption

  • In transit: all traffic between you, ZenScail, Google, and AI providers is encrypted with TLS 1.2+.
  • At rest: our database and backups are encrypted using industry-standard AES-256.
  • Secrets: access tokens and your AI keys are encrypted with dedicated keys, separate from ordinary application data.

Access & permissions

When you connect Google, ZenScail requests only the scopes required for the features you use. We access your mailbox and calendar on demand to fulfil a request — we don’t bulk-download your data into a private archive. You can revoke our access at any time from your Google Account or from within the app.

Internally, access to production systems follows least-privilege rules. Only the minimum number of people can reach production, access is logged, and we never browse user content except when you ask us to investigate an issue.

Protecting your AI keys

ZenScail is built around bring-your-own-key. Your provider keys are encrypted at rest, decrypted only in memory at the moment of a request, and never written to logs or shown back to you in full. We don’t use your content or prompts to train any model. See our Privacy Policy for the full data commitments.

Infrastructure

ZenScail runs on reputable cloud providers with strong physical and network security. We isolate environments, keep dependencies patched, and apply secure defaults across our stack. Backups are encrypted and access-controlled, and we regularly review our configuration for drift.

Data minimisation

  • We store the minimum needed to deliver your brief and remember your preferences.
  • Generated summaries are pruned on a rolling basis rather than kept forever.
  • When you delete your account, we erase your data and revoke tokens within 30 days.

Authentication

Passwords are hashed with a modern, salted algorithm — never stored in plain text. Email sign-ups are verified with a one-time code before the account becomes active, and Google sign-in uses OAuth so we never see your Google password. We continuously work to add stronger options over time.

Monitoring & incident response

We monitor for anomalous activity, rate-limit sensitive endpoints, and maintain an incident-response process. If a breach ever affects your personal data, we’ll notify affected users and the relevant authorities as required by law, and explain what happened and what we’re doing about it.

Responsible disclosure

We’re grateful to the security community. If you discover a vulnerability, please report it privately to [email protected] with enough detail to reproduce it. Please don’t access other users’ data, degrade the Service, or disclose the issue publicly until we’ve had a reasonable chance to fix it. We’ll acknowledge your report promptly and keep you updated.

Found a vulnerability?

We welcome responsible disclosure and respond quickly. Please report any security issue directly to our team.

[email protected]