Security & control
Zsper is built so the most sensitive thing it holds — your thinking — never moves without your say-so. Here’s exactly how.
Principles
These aren’t promises bolted on after the fact — they’re how the product is wired. The safe path is the only path.
There is no auto-publish path. Every draft, every learned opinion, every retired belief waits for your explicit approval. Nothing that speaks in your voice ships without a human yes.
Your brain is your asset — for many founders, it's years of hard-earned market knowledge. It’s never sold, never used to train shared models, and always exportable. Delete a record — or your whole workspace — and it’s gone.
Bring-your-own-key credentials are encrypted at rest with AES-256-GCM. We never log or expose a raw key. Sessions are HMAC-signed cookies — a raw user id is never trusted.
MCP connectors are read-only and scoped to a single workspace. No mutation, no cross-workspace access, and suppressed or proposed records stay hidden. Revoke any token instantly.
Guarantees
At a glance
Publishing
No auto-publish; human approval gate on every stance
Authentication
Google OAuth; HMAC-signed sessions verified server-side
Secrets
BYOK keys encrypted with AES-256-GCM at rest
External access
MCP is read-only, workspace-scoped, and revocable
Isolation
Per-workspace brains — voices never cross-contaminate
Data ownership
Exportable and deletable; never used to train shared models
AI grounding
Drafts can’t invent facts, names, dates, or quotes
Fair use
Metered usage with caps; ownership re-checked on every action
Building toward SOC 2, DPDP-ready data practices, and a formal DPA for larger teams. Talk to us about enterprise requirements before you sign anything.