This Security & Compliance Statement describes the technical and organizational measures that Zelfium Inc. (ゼルフィウム株式会社), a company incorporated in Tokyo, Japan ("Zelfium," "we," "us," or "our"), implements to protect the confidentiality, integrity, and availability of data processed through our services, including the SymbolMAG personality assessment platform.
Because SymbolMAG processes personality data that may qualify as special category data under GDPR Article 9, we apply heightened safeguards throughout our infrastructure, data handling, and access control practices.
This statement should be read together with our Privacy Policy, Data Processing Agreement, and AI & Assessment Disclaimer.
Effective date: March 31, 2026
1. Infrastructure & Architecture
Zelfium operates a cloud-native architecture built entirely on managed infrastructure from industry-leading providers. We do not operate on-premises servers.
- Frontend hosting: Vercel — global edge network with automatic SSL, DDoS protection, and SOC 2 Type II compliance.
- API hosting: Railway — managed container infrastructure with automated deployments, isolated environments, and SOC 2 compliance.
- Database: Supabase — managed PostgreSQL with built-in authentication, row-level security, automated backups, and SOC 2 Type II compliance.
- CDN & DDoS protection: Cloudflare — global content delivery network with enterprise-grade DDoS mitigation, Web Application Firewall (WAF), and bot management.
- Payments: Stripe — PCI DSS Level 1 certified payment processing. Zelfium never stores, processes, or transmits cardholder data directly.
All infrastructure providers maintain SOC 2 compliance or equivalent certifications. Geographic distribution across edge locations ensures low-latency access for users worldwide.
2. Encryption & Data Protection
- Data in transit: All communications between clients, APIs, and databases are encrypted using TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced across all domains to prevent protocol downgrade attacks.
- Data at rest: Database storage is encrypted using AES-256 encryption provided by Supabase's underlying infrastructure. Backups are similarly encrypted.
- API keys & secrets: All credentials are stored encrypted in platform-managed secret stores (Vercel Environment Variables, Railway Variables). Secrets are never exposed in client-side code, committed to version control, or logged.
- Payment data: Payment processing is handled entirely by Stripe (PCI DSS Level 1 certified). Zelfium never stores credit card numbers, CVVs, or other cardholder data on its systems.
- Assessment data: Personality profiles and assessment results are linked to accounts by UUIDs rather than directly to personally identifiable information (PII) where architecturally feasible, minimizing exposure in the event of unauthorized access.
3. Access Controls & Authentication
- Role-based access control (RBAC): Internal systems enforce role-based permissions ensuring that personnel access only the data and functions necessary for their responsibilities.
- Multi-factor authentication (MFA): Required for all administrative access to infrastructure, databases, and deployment platforms.
- User authentication: OAuth 2.0 / OpenID Connect via Google, Microsoft, and Apple, in addition to email/password authentication. All authentication flows are managed through Supabase Auth.
- Session management: User sessions are managed using secure, HTTP-only cookies with appropriate expiration policies. Tokens are never stored in localStorage or sessionStorage.
- API authentication: Backend API access is protected by JWTs and API keys, with token validation on every request.
- Least privilege: The principle of least privilege is applied to all system access, including database queries, API scopes, and infrastructure permissions.
- Access reviews: Employee and contractor access to production systems is reviewed on a quarterly basis and revoked promptly upon role change or departure.
4. AI Data Handling
Zelfium integrates AI capabilities through external model providers. We apply strict data handling controls to ensure that user data is protected throughout the AI processing pipeline.
- Zero-retention API: AI features are powered by OpenAI GPT-4o accessed via the zero-retention API. OpenAI does not retain input or output data beyond the duration of a single API request and does not use customer data for model training.
- User-initiated only: Assessment responses and personality data are sent to AI models only when the user explicitly initiates AI-powered features (e.g., chat-based interpretation). Data is never sent to AI providers in the background or without user action.
- No training on user data: No personality data, assessment responses, or user content is shared with any AI model training pipeline. Our contractual agreements with AI providers explicitly prohibit training on Zelfium user data.
- Quality & safety monitoring: System prompts and AI outputs are monitored for quality, safety, and alignment with Zelfium's AI & Assessment Disclaimer.
For full details on how AI is used in our platform, please see our AI & Assessment Disclaimer.
5. Incident Response
Zelfium maintains a documented incident response plan with a designated security team responsible for detection, containment, notification, recovery, and post-incident review.
- Detection: Real-time monitoring and alerting for anomalous activity across all infrastructure components, including unusual access patterns, failed authentication attempts, and unexpected data flows.
- Containment: Immediate isolation procedures for affected systems to prevent further impact. Compromised credentials are revoked and rotated without delay.
- Notification: Data controllers are notified within 24 hours of confirmed incidents. For incidents involving personal data of EU residents, notification to the relevant supervisory authority is made within 72 hours in accordance with GDPR Article 33.
- Recovery: Automated backups with point-in-time recovery capability allow rapid restoration of affected data and services. Backup integrity is tested regularly.
- Post-incident review: Every significant incident triggers a root cause analysis resulting in documented remediation actions. Findings are incorporated into security policies and procedures to prevent recurrence.
- Severity classification: Incidents are classified by severity (P0 through P3) with defined escalation procedures, response time targets, and communication protocols for each level.
6. Compliance Roadmap
Zelfium is committed to meeting and maintaining compliance with applicable data protection and security frameworks. The table below reflects our current status and targets.
| Framework | Status | Target |
|---|---|---|
| GDPR (EU General Data Protection Regulation) | Compliant | Ongoing |
| APPI (Japan Act on Protection of Personal Information) | Compliant | Ongoing |
| CCPA (California Consumer Privacy Act) | Compliant | Ongoing |
| EU AI Act | In progress | August 2, 2026 |
| ePrivacy Directive | Compliant | Ongoing |
| SOC 2 Type II | Planned | Q4 2026 |
| ISO 27001 | Under evaluation | 2027 |
| PCI DSS | N/A (handled by Stripe) | N/A |
Contact
For security-related inquiries, vulnerability reports, or compliance questions, please contact us at contact@zelfium.com.
For data protection matters, please also see our Privacy Policy and Data Processing Agreement.