Skip to main content

Encryption

All data is encrypted at rest using AES-256 and in transit over TLS 1.2+. API keys are stored as one-way hashes — the raw key is never persisted after the initial display to you.

Authentication

  • API keys are project-scoped. Each key can only write events to the project it was created for.
  • Dashboard login supports email/password, OAuth (GitHub, Google), magic link, and TOTP two-factor authentication.
  • SSO (SAML/OIDC) is available on the Team plan and above.
Rotate any key at any time from Settings → API Keys. The old key stays valid for 24 hours to allow zero-downtime rollover.

Tenant isolation

Every organization’s data is isolated at the storage layer. Queries from one organization cannot access another organization’s data — this is enforced at the data layer, independently of application logic.

Prompt and response data

Zespan does not store prompt text or LLM responses by default. The SDK sends token counts, latency, cost, and structured metadata. Raw content is never transmitted unless you explicitly opt in: 
zespan.init({
  apiKey: "zsp_...",
  storePrompts: false, // disable prompt storage (on by default)
});
Your data is never used to train any AI model — by Zespan or any third party.

PII redaction

For structured fields (tags, metadata), the SDK automatically redacts values under common sensitive key names before events are sent. Default redact list covers password, token, secret, api_key, authorization, ssn, credit_card, and more. Extend or replace the list at init: 
zespan.init({
  apiKey: "zsp_...",
  redactKeys: ["user_email", "phone_number", "patient_id"],
});
See PII redaction for the full default list and pattern-based redaction.

Audit logging

Every privileged action in the dashboard is written to an immutable audit log:
  • API key creation and revocation
  • Project creation and deletion
  • Alert and guardrail changes
  • Team membership changes
  • Billing updates
Each entry records timestamp, acting user, organization scope, action type, and source IP. Available in Settings → Audit Log. Entries cannot be modified or deleted, even by organization owners.

Data controls

Full control over your data — what’s collected, how long it’s kept, and how to get it out or delete it.

Prompts and responses off by default

Zespan stores prompt and completion text by default with PII redaction applied before transmission. Set storePrompts: false to disable prompt storage entirely — only token counts, latency, cost, and metadata will be sent.

PII redaction at ingest

The SDK redacts sensitive values from tags and metadata fields before events are transmitted. The default list covers password, token, secret, api_key, authorization, ssn, credit_card, and more. Extend it at init: 
zespan.init({
  apiKey: "zsp_...",
  redactKeys: ["user_email", "phone_number", "patient_id"],
});
Pattern-based redaction (regex) is also supported. See PII redaction.

Configurable data retention

Each project’s retention window can be configured independently. Data older than the retention window is automatically and permanently deleted — you don’t need to manage cleanup manually.

Export your data

Download a complete export of your account data from Settings → Privacy → Export my data. The archive includes your account details, project metadata, and all stored events. Delivered within 24 hours.

Erase your data

  • Delete a project: Settings → Projects → Delete project — all event data purged within 24 hours.
  • Delete your organization: Settings → General → Danger zone — all data across all projects permanently and irreversibly deleted.
  • Delete your account: Settings → Privacy → Delete my account — removes your user record and cascades deletion across all associated data.

Data access requests

Request a structured copy of everything Zespan holds about your account from Settings → Privacy → Request my data. Requests are tracked with a hard deadline — you receive a response within 30 days.

Self-hosted deployments

With the self-hosted option, Zespan has no access to your trace data, prompts, or user data — everything stays within your own infrastructure. See Self-hosting.

Responsible disclosure

Report security vulnerabilities to security@zespan.com. We respond within 48 hours and patch confirmed vulnerabilities within 14 days.