Security & trust

Assurance you can inspect

Zansn builds infrastructure to prove AI systems are trustworthy, so we hold our own tooling to the same standard. The open-source packages run locally, transmit nothing, and are open to audit. This page states what is true today, including what we are not yet.

Local-firstRuns on your machine or CI
No phone-homeNo account, no telemetry
You own the evidencePortable, inspectable packs

How we handle data

Local-first by default

The open-source zansn toolkit and its framework adapters run entirely on your machine or in your own CI. They read the traces your agent already produces and build an evidence pack locally. Nothing is sent to Zansn Labs.

No data leaves your environment

There is no account, no API key, and no phone-home in the open-source packages. You can verify this: the source is public and permissively licensed, and the packages declare no network dependencies.

You own the evidence

An evidence pack is a portable JSON or Markdown artifact you keep. Attach it to a pull request, an experiment record, or a review. If you later choose hosted Zansn, you decide what to send and when.

Sensitive fields are redacted before storage

The assurance pipeline hashes configured sensitive fields and flags outputs that cross a privacy boundary, so evidence records capture what happened without persisting raw secrets or personal data.

Auditable, open source

The developer tooling is Apache-2.0 licensed and readable on npm and GitHub. Assurance you cannot inspect is not assurance; the local primitives are open by design.

Minimal dependency footprint

The adapters ship as peer-dependency-only packages with no runtime dependencies of their own, so adopting Zansn does not expand your supply-chain surface.

Maps to recognised assurance frameworks

Evidence packs are designed to map technical experiments to recognised AI assurance and risk-management practices. This is a mapping, not a certification claim.

NIST AI RMF
Trustworthy-AI risk functions
ISO/IEC 42001
AI management system
EU AI Act
High-risk AI obligations
OWASP Agentic Top 10
Agentic AI security risks

Compliance posture

Zansn Labs is pre-launch. We are not yet certified against SOC 2, ISO/IEC 27001, or ISO/IEC 42001, and we do not claim to be. Our evidence work is designed to map to recognised AI assurance and risk-management frameworks, and formal certification of the hosted platform is on the roadmap as it matures. We will state certification status here plainly as it changes.

Common questions

Does the open-source tooling send my data anywhere?
No. It runs locally and produces a local evidence pack. There is no telemetry and no account.
What about the website contact form?
Enquiries are delivered by email (via Resend) to reach our team, and used only to respond to you. They are never sold or shared. Do not include secrets or sensitive production data in a first message.
Where is sensitive data in an evidence pack?
Configured sensitive fields are hashed before they are recorded, and outputs that match a privacy-boundary pattern are flagged as findings rather than stored verbatim.
How do I report a vulnerability?
Through the contact page. Please do not include secrets, private customer data, or sensitive traces in public issues or examples.

Security questions or a vulnerability to report?

Reach our team directly. Please do not include secrets or sensitive production data in a first message.

Get in touch