AI Security at ZeroBounce

At ZeroBounce, we take a proactive and transparent approach to securing our AI systems. Our commitment is grounded in real-time monitoring, strict adherence to company-wide policies, and a rigorous validation process.

Post-Deployment Monitoring & Governance

All AI deployments are continuously monitored in real time. User inputs are retained for 30 days in accordance with our global data policy, after which they are securely deleted. Systems for appeal, override, decommissioning, incident response, and change management follow established company-wide security protocols.

Content Validation & Bias Mitigation

We ensure our AI generates accurate and responsible content by restricting input data to thoroughly vetted public sources—namely, our website and official documentation. Each AI release undergoes rigorous validation to mitigate risks like bias or hallucination.

Intrusion Detection & Security Controls

ZeroBounce AI systems are engineered with strong defenses against prompt injection, prompt priming, and model tampering. Our architecture prevents any unauthorized access or modification of prompts or models.

Transparency & Explainability

A built-in debug mode provides insights into the AI’s decision-making process, offering visibility into the data reviewed and increasing trust through explainability.

Data Handling & Protection

We do not ingest private or user-submitted datasets into our AI systems—only public data is used. Sensitive company data remains protected behind corporate firewalls and VPNs. Data deletion follows the same 30-day retention rule as the rest of the organization.

Threat Resistance & Risk Management

Threats like data poisoning or model inversion are not considered relevant due to the nature of our public data sources. However, all identified risks are documented and regularly assessed by our Quality Assurance team to ensure continued safety.

In-House AI Infrastructure

All AI models and infrastructure are developed and maintained in-house. We do not rely on third-party vendors, eliminating external exposure and ensuring full control over our AI ecosystem.

zb_list

What is a Sub-Processor?

A sub-processor is a third party engaged by a data processor to perform specific processing activities on behalf of a data controller. In the context of data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), the following roles are defined:

Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes personal data on behalf of the data controller.
Sub-Processor: Any third party that the data processor uses to assist in processing the personal data.

In our case, in connection with ZeroBounce’s services such as email validationⓘ and list cleaning, a ZeroBounce customer (who acts as a data controller) outsources its data processing to a service provider (data processor - ZeroBounce). The service provider then hires another company (sub-processor) to perform some specialized task, like data storage. That third company becomes a sub-processor.

Under laws like the GDPR, data processors are required to obtain the controller's authorization before engaging sub-processors. Also, they must ensure that sub-processors adhere to the same data protection obligations as the original processor.

Due Diligence

ZeroBounce is committed to conducting thorough due diligence when engaging with third parties, ensuring that they are assessed prior to onboarding and as part of our annual risk management program.

We hold our service providers to strict contractual obligations, requiring them to process personal data solely for the purpose of delivering services to ZeroBounce. These contracts ensure that service providers comply with our commitments to ZeroBounce customers and adhere to applicable data protection laws.

List of Sub-processors

Sub-processors involved in processing customer registration data

Name

Exchanged data
Purpose
LinkedIn Ads

Email address and cookie tracking data
Ad placement
Google Ads

Email address and cookie tracking data
Ad placement
Microsoft

Email address and cookie tracking data
Ad placement
Meta

Email address and cookie tracking data
Ad placement
Outbrain

Email address and cookie tracking data
Ad placement
Taboola

Email address and cookie tracking data
Ad placement
Quantcast

Email address and cookie tracking data
Ad placement
Reddit

Email address and cookie tracking data
Ad placement
Quora

Email address and cookie tracking data
Ad placement
Hubspot

Email address
Marketing aggregator
Zapier

Email address
Marketing aggregator
Zendesk

Email address
Customer service ticketing and communication; also used in the limited instance where a customer submits a request for support using our chat function/form.
OpenAI

name, email address, purchase details, payment details and customer behaviour
Used to generate analytical reports and insights on ad performance, payment activity, subscription churn, and customer support interactions by processing pseudonymized operational data to identify trends, improve decision-making, and enhance user experience.
Mailchimp

Email address
Used as a backup provider to send transactional emails by processing recipient email addresses, message content, and delivery metadata to ensure reliable communication delivery.
TrustPilot

Email address
To send review invitations and collect genuine user feedback about our services.
G2

Email address
To send review invitations and collect genuine user feedback about our services.

Sub-processors involved in the email validationⓘ process

Name

Exchanged data
Purpose
Cloudflare

Email address
Perimeter security, Web application firewall (WAF). Customer email addresses will be logged only in the case of API validation calls if the customer exceeds the technical recommendation of product usage (e.g., sending request limits, IP violations, etc.)
Amazon Web Services

Email address
Regional Data Residency. Facilitates localized storage of validation files within the customer's preferred geographic region to ensure compliance with local data sovereignty requirements.

Cloudflare - email address, purpose: perimeter security, web application firewall. Customer email address will be logged only in case of API calls validation if the client exceeds technical recommendation of product usage (e.g., sending request limits, IP violations etc.).

List of Service Providers

ZeroBounce works with the service providers listed below for email validationⓘ service delivery.

Name
Purpose of processing

Exchanged data
Entity country
Okta
Identity management provider

Email address
US
Stripe
Payment gateway

Cardholder data
US
PayPal
Payment gateway

Cardholder data
US
M247
Infrastructure hosting & internet provider

none
EU
DigitalRealty
Colocation hosting provider

none
US
Equinix
Colocation hosting provider

none
US
Cogent
Internet provider

none
US
NTT
Internet provider

none
US
Cloudflare
Internet provider

none
US
Atlassian
Project management

Limited email address
US
DocuSign
Electronic Signatures

Business User Data
US
Calendly
Meeting Organizer

Business User Data
US
Qwilr
Quote Tool

Business User Data
US
Slack
Communication Tool

Limited email address
US

Updates to this page

Given the global scope of our business and the large number of customers we serve, our business needs and service providers may change periodically.

For instance, we may discontinue a service provider to streamline and reduce the number of providers we use or add a new service provider if it improves our ability to deliver our email validationⓘ service.

We will regularly update this page to reflect any changes, including the addition or removal of service providers or sub-processors.