Security at Zojo
Zojo handles call audio, transcripts, and AI-generated coaching feedback for high-volume and regulated sales teams. We treat that data as sensitive customer data and design controls accordingly.
Last updated: 5 May 2026.
Hosting & data residency
- EU-hosted, EU-processed. Call audio, transcripts and AI analysis stay within the European Economic Area. No production data leaves the EEA.
- Encryption in transit. TLS 1.2+ for all client-server traffic; HSTS enforced on the marketing site and the application.
- Encryption at rest. AES-256 for object storage and databases. Backups are encrypted with separately-managed keys.
- Key management. Encryption keys are managed by our cloud provider's KMS with audit logging and rotation policies.
Application security
- SSO. SAML 2.0 and OIDC supported for customer tenants, including SCIM provisioning on request.
- Role-based access control. Per-tenant roles for Admin, Manager, Rep, Auditor, with least-privilege defaults.
- Audit log. Authentication, configuration changes and privileged actions are recorded and retained for at least twelve months.
- Per-tenant isolation. Customer data is logically separated and access is gated on tenant identity at every layer.
- Secrets management. No long-lived credentials in source. Production secrets are rotated and scoped per environment.
- Dependency hygiene. Automated vulnerability scanning of dependencies and container images on every build.
AI providers, zero data retention
Transcription runs in-house on Zojo's EU infrastructure. Call audio is never sent to a third-party speech-to-text service. For scoring and coaching feedback we use third-party large language model providers, operated under zero-data-retention (ZDR) contracts: data passed to a model provider is not retained after the inference completes and is never used to train provider models.
PII & sensitive data never leave Zojo
We do not send personally identifiable information or sensitive customer data to third-party processors. Before any content reaches an external AI provider, our EU-hosted pre-processing pipeline strips identifying signals, including:
- Customer and rep names, email addresses and phone numbers
- Account, policy, payment-card and bank-account numbers
- Government identifiers (NI / NHS / passport / driving-licence numbers)
- Postal addresses and date-of-birth
- Any other field your tenant flags as sensitive in your scorecard configuration
The redacted version is what's used for scoring and coaching. Original audio and full transcripts remain inside Zojo's EU infrastructure under your access controls.
Our current sub-processor list is shared as part of contracting and is also available on request: email security@zojo.io. We notify customers in advance of material changes.
Compliance & certifications
- UK GDPR. Zojo is a controller for marketing data and a processor for customer call data. Registered with the UK Information Commissioner's Office, registration C1844310.
- SOC 2 Type I. Targeted within nine months of platform launch.
- ISO 27001. Roadmapped to follow SOC 2.
- PECR. Cookie and electronic-marketing practices follow ICO 2023 guidance; see our Cookie policy.
People & access
- Background checks on staff with production access.
- Mandatory MFA on all employee accounts that can reach production.
- Just-in-time elevation for break-glass production access; all sessions logged.
- Annual security awareness training and quarterly phishing simulations.
Incident response
We maintain a documented incident response runbook with defined severity levels, on-call rotation and customer-notification timelines. In the event of a personal-data breach we will notify affected controllers without undue delay and in any event within 72 hours of becoming aware, in line with UK GDPR Article 33.
Reporting a vulnerability
If you believe you've found a security issue in Zojo, please email security@zojo.io. We commit to:
- Acknowledging your report within two working days.
- Working with you in good faith to triage, fix and disclose.
- Not pursuing legal action against researchers acting in line with reasonable disclosure practices.
Asks from buyers
Need our latest SIG / CAIQ security questionnaire, sub-processor list, or DPA? Email security@zojo.io or ask your Zojo contact.