
# 🔐 2Zone Therapy / HealthGPT – Data Security Statement v1.5

**Effective Date:** 6 August 2025  
**Last Updated:** 27 February 2026  

---

## 1. Our Commitment

2Zone Therapy and HealthGPT are built with security-first architecture.

We protect user data using:

- Strong encryption  
- Limited-access infrastructure  
- Continuous monitoring  
- Zero-knowledge credential handling  
- Strict internal access control  

Health and AI-generated data is treated as sensitive personal information and handled accordingly.

---

## 2. Hosting & Infrastructure

- Production servers are hosted in secure **EU data centres**.
- Servers operate behind hardened firewalls and restricted access layers.
- Administrative access is limited to authorised personnel only.
- Encrypted, redundant backups are maintained.
- Periodic restore tests are performed to ensure recovery integrity.

We separate development and production environments.

---

## 3. Encryption Standards

### 3.1 Data at Rest
- Databases and stored files are encrypted using **AES-256** or equivalent encryption standards.
- Sensitive configuration files are stored outside public web directories.

### 3.2 Data in Transit
- HTTPS/TLS 1.3 is enforced across all domains.
- HSTS headers are enabled where supported.
- API communication with external providers is encrypted.

---

## 4. Credential Security

We operate a **zero-knowledge credential model**:

- Secret PassPhrases are never stored in plain text.
- PassPhrases are hashed using **Argon2 or bcrypt**.
- Brute-force protection and rate-limiting are enforced.
- Session tokens are securely generated and rotated.

Administrative access requires:

- Multi-factor authentication (MFA)
- IP monitoring
- Activity logging

---

## 5. Access Control & Audit Logging

We apply a **least-privilege access model**:

- Role-based permissions
- Limited database privileges
- Segmented internal services

Critical operations are logged, including:

- Account activation
- Data deletion
- Protocol generation
- GC balance adjustments
- Payment confirmations

Logs are retained securely for security and compliance purposes.

---

## 6. AI & Third-Party Processing

HealthGPT uses third-party AI services to generate responses.

### 6.1 OpenAI Processing
- Only the minimum necessary user input is transmitted.
- No full database access is granted.
- Data is transmitted securely via encrypted API channels.
- Processing follows OpenAI’s enterprise data-handling standards.

### 6.2 Text-to-Speech (TTS)
Where voice output is generated:
- OpenAI’s TTS services (e.g., Onyx models) are used.
- Text is transmitted securely.
- Audio files are stored under controlled server directories.

We do not grant third-party providers persistent database access.

---

## 7. Payment Security

- Payments are processed by secure third-party processors (e.g., Stripe).
- We do not store full credit card details.
- Payment confirmations are validated via secure webhooks.
- Transaction metadata is logged for reconciliation and fraud protection.

---

## 8. Data Minimisation

We collect only what is necessary to:

- Deliver AI-generated health guidance
- Track Guidance Credits (GCs)
- Process payments
- Maintain account security

We do not collect:

- Government ID numbers
- Biometric identifiers
- Banking credentials

---

## 9. Incident Response & Breach Protocol

We maintain continuous monitoring for:

- Unauthorised access attempts
- Abnormal login activity
- Payment anomalies
- API misuse

If a data breach is confirmed:

- Affected users will be notified without undue delay.
- Regulatory authorities will be notified within **72 hours** where required (GDPR Art. 33).
- Immediate containment and remediation measures will be initiated.

---

## 10. User-Controlled Data Deletion

Users may request:

- Full account deletion
- Protocol deletion
- AI log deletion
- Voice note deletion

Deletion requires:

1. Secret PassPhrase confirmation  
2. Email verification  
3. Final confirmation step  

Once completed, deletion is permanent and irreversible.

---

## 11. Security Testing & Updates

We:

- Regularly update server software
- Patch known vulnerabilities
- Monitor dependency updates
- Review access logs

Security practices evolve continuously as the platform grows.

---

## 12. Responsible Disclosure

If you discover a vulnerability or security concern, please report it responsibly to:

**security@2zonetherapy.com**

We investigate all reports and will respond appropriately.

---

## 13. Continuous Improvement

Security is not static.

As HealthGPT expands — including TEL analytics, AI enhancements, and protocol generation — security architecture is reviewed and upgraded accordingly.

---

**2Zone Therapy / HealthGPT**  
Committed to protecting your health data and digital identity.