# 2Zone Therapy – Data Security Statement v1.0

**Effective Date:** 6 August 2025  
**Last Updated:** 23 October 2025  

---

## 1. Our Commitment
We protect user data through strong encryption, limited access, and proactive monitoring.

---

## 2. Hosting & Backups
- Production servers in secure **EU** data centres.  
- Encrypted, redundant backups with regular restore tests.  
- Access restricted to authorised technical staff.

---

## 3. Encryption & Credentials
- **At rest:** AES-256 for databases and files.  
- **In transit:** HTTPS/TLS 1.3 enforced across all domains.  
- **Credentials:** Passphrases hashed (Argon2/bcrypt).

---

## 4. Access Control & Audit
- Role-based, least-privilege access.  
- MFA for admin access.  
- Audit trails for access, deletion, and critical operations.

---

## 5. AI & Third-Party Integrations
- **OpenAI** and **ElevenLabs** receive only the minimum data needed to provide responses.  
- Temporary processing only; no long-term retention by providers beyond service delivery (per their terms).  
- Covered by confidentiality and data-processing agreements.

---

## 6. Incident Response
- Continuous monitoring and alerting.  
- If a data breach is confirmed, we notify affected users and, where required, authorities within **72 hours** (GDPR Art. 33).

---

## 7. Security Contact
Report concerns or suspected vulnerabilities to: **security@2zonetherapy.com**
