Enterprise
Built for the procurement bar.
Zenovay was designed for GDPR readiness from day one. The trust bundle below has every artefact your security and legal teams ask for — without a sales call.
Trust bundle
Every artefact your buyer, security, and legal teams typically request — public and downloadable.
Data Processing Agreement (DPA)
GDPR Article 28 contract covering scope, duration, sub-processing, transfers, and audit rights.
Read the DPA
Subprocessor list
Current and optional sub-processors, with location, transfer mechanism (DPF / SCCs), and primary purpose.
View subprocessors
Privacy policy
How visitor data is collected, used, retained, and deleted — including the cookieless tracker model.
Read the privacy policy
Security summary
Encryption, access control, audit logging with hashed IPs, breach notification, and our subprocessor certifications.
Read the security summary
Acceptable use policy
What you can and cannot run on Zenovay — useful for your security review and risk assessment.
Read the acceptable use policy
Live status page
Real-time uptime, incident history, and component health for every Zenovay service.
Open status.zenovay.com
How Zenovay is built
A short architecture overview for your security and engineering reviewers.
Zenovay runs on Cloudflare Workers globally, with the primary PostgreSQL database hosted on Supabase in eu-central-1 (Frankfurt). All analytics events flow through edge endpoints with sub-100ms latency.
Stripe handles all payment processing — primary account number (PAN) data never touches Zenovay infrastructure. PCI DSS Level 1 obligations sit with Stripe.
Transactional and operational email is delivered through Resend. AI-powered features (insights, natural-language analytics) call OpenAI through Cloudflare's AI Gateway, scoped to opt-in features only.
The cookieless tracker uses window-scoped, in-memory visitor IDs and daily-salted SHA-256 hashes for de-duplication. No cookies, no localStorage, no fingerprinting. Audit logs store only salted IP hashes — plaintext IPs are never persisted.
International data transfers from US-based subprocessors (Stripe, Resend, OpenAI) are governed by the EU-US Data Privacy Framework where the recipient is DPF-certified, plus 2021 Standard Contractual Clauses (Module 2) where SCCs apply. The full mechanism is documented in our DPA.
Data retention by plan
Retention is plan-tiered. Audit logs (administrative trail) are retained for 24 months across all plans and purged daily.
| Plan | Analytics retention | Audit logs |
|---|---|---|
| Free | 1 year | 24 months |
| Pro | 2 years | 24 months |
| Scale | 4 years | 24 months |
| Enterprise | Custom (4-year default) | 24 months |
Subprocessor certifications
Zenovay is designed for GDPR readiness and works with security-certified infrastructure providers. Below are the certifications held by the subprocessors that handle Zenovay customer data — these are not Zenovay's own certifications.
| Subprocessor / area | Scope | Certifications / transfer mechanism |
|---|---|---|
| Cloudflare | Edge compute, KV, R2, CDN, Pages, AI Gateway | SOC 2 Type II, ISO 27001, ISO 27018 |
| Supabase | Primary PostgreSQL database (eu-central-1, Frankfurt) | SOC 2 Type II |
| Stripe | Payment processing, billing, subscriptions | PCI DSS Level 1 (PAN data never touches Zenovay) |
| Cross-border transfers | US-based subprocessors (Stripe, Resend, OpenAI) | EU-US DPF + 2021 Standard Contractual Clauses (Module 2) |
Zenovay itself is not SOC 2 / ISO 27001 / HIPAA / PCI DSS certified. We rely on the audited posture of the subprocessors above and operate under our own internal controls described in the DPA and security summary.
Buyer FAQ
The questions enterprise buyers ask us most often. If yours isn't here, talk to sales.
The primary database is Supabase PostgreSQL in eu-central-1 (Frankfurt) since 24 April 2026. Cloudflare R2 (heatmap screenshots) is configured with EU data location preference. Cloudflare Workers run on the global edge network for sub-100ms latency.
Customer analytics data lives in the EU. A small number of subprocessors are US-based (Stripe, Resend, OpenAI via Cloudflare AI Gateway); transfers to those parties are governed by the EU-US DPF where the recipient is DPF-certified, plus 2021 Standard Contractual Clauses (Module 2) where SCCs apply. Full details in the DPA.
GDPR Article 17 cascade: account deletion clears Supabase (analytics tables and auth records), cancels the Stripe customer and subscription, purges Cloudflare KV (sessions, security keys, rate-limit counters, MCP quota), removes Cloudflare R2 objects (heatmap screenshots for owned websites), and sends a localised confirmation email through Resend.
Yes. The GDPR Article 20 personal-data export endpoint (/api/account/data-export) is available on every plan, including Free. It returns your profile, website metadata, team memberships, and your own audit trail in a machine-readable format.
GPC is honoured end-to-end. The client checks navigator.globalPrivacyControl on mount and switches the consent banner to essentials-only. The server reads Sec-GPC: 1 on incoming requests; when set, behavioural enrichment (B2B identification, profiling) is skipped and the visitor row is flagged gpc_opted_out.
When data-cookieless is enabled, the tracker uses window-scoped, in-memory visitor IDs that vanish on page unload. For de-duplication the server computes a daily-salted SHA-256 hash of (IP-subnet + User-Agent). No cookies, no localStorage, no fingerprinting. Audit logs store only the salted IP hash — plaintext IPs are never persisted.
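The server-side GPC check and the daily-salted de-duplication hash from the two answers above, sketched as an added example that is not Zenovay's own code. The /24 and /48 subnet widths, the HMAC-derived daily salt, lower-cased header keys, and the names `subnetOf`, `dailySalt`, `visitorHash`, `handleHit` and `enrich` are assumptions; the IPs and dates used with it are constructed.

```javascript
const { createHash, createHmac } = require('node:crypto');

// Assumption: truncate to /24 (IPv4) or /48 (IPv6); the page only says "IP-subnet".
function subnetOf(ip) {
  if (!ip.includes(':')) return ip.split('.').slice(0, 3).join('.') + '.0/24';
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  // Expand a "::" run into the zero groups it stands for.
  const zeros = ip.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  const full = [...h, ...zeros, ...t];
  return full.slice(0, 3).map((g) => parseInt(g, 16).toString(16)).join(':') + '::/48';
}

// Assumption: the salt is derived from a server-side secret and the UTC day,
// so it rotates at midnight UTC without having to be stored.
function dailySalt(secret, date) {
  const day = date.toISOString().slice(0, 10); // YYYY-MM-DD in UTC
  return createHmac('sha256', secret).update(day).digest();
}

// SHA-256 over salt, subnet and User-Agent; NUL separators keep fields unambiguous.
function visitorHash(ip, userAgent, salt) {
  return createHash('sha256')
    .update(salt).update('\0')
    .update(subnetOf(ip)).update('\0')
    .update(userAgent)
    .digest('hex');
}

// Builds the row for one hit. The plaintext IP is used only to compute the hash
// and is not part of the returned object.
function handleHit(headers, ip, secret, now) {
  const gpc = headers['sec-gpc'] === '1'; // Sec-GPC: 1 (header keys assumed lower-cased)
  return {
    visitor_hash: visitorHash(ip, headers['user-agent'] || '', dailySalt(secret, now)),
    gpc_opted_out: gpc,
    enrich: !gpc, // skip B2B identification / profiling when GPC is set
  };
}
```

Two addresses in the same subnet with the same User-Agent collapse to one hash within a UTC day, and the same visitor produces an unrelated hash the next day, which is what limits the hash to same-day de-duplication.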
Audit logs (administrative trail across all customers) are retained for 24 months and purged daily by a scheduled job. Analytics events follow the per-plan retention shown in the table above (Free 1 year, Pro 2 years, Scale 4 years, Enterprise custom).
On Enterprise, yes. Default is 4 years and we can configure both shorter and longer windows on request, subject to legal-hold and compliance constraints. Free, Pro, and Scale use the published per-plan defaults.
Yes. Single sign-on is available on Scale and Enterprise plans. Enterprise SAML connections support SCIM-style user provisioning and team-membership sync.
Enterprise customers get a custom SLA covering uptime, response time, and incident communication. The public status page (status.zenovay.com) shows real-time uptime and incident history for every plan.
Ready to brief your security team?
Talk to sales for SSO, custom retention, signed DPA, and a procurement-ready security pack.