Security & Data Handling

How we handle your data, and the platforms we trust with it.

Written for clients and their procurement teams. The certified platforms your deployment runs on, how customer data flows through them, our alignment with Singapore's PDPA, and what happens if something goes wrong.

Version v1.1

Effective 22 April 2026

Owned by Ryan Chua

Legal policy zelixlabs.com/privacy

The short version

🔐 Your customer data never lives on a Zelix server. It sits in platforms you own the accounts for, each of them independently SOC 2 or ISO 27001 certified.
🚫 We do not train AI on your conversations. We do not share your deployment with other clients. We do not sell your data in any form.
🔑 Access is named and revocable. Typically two or three Zelix team members have scoped admin access to your accounts. You can revoke any of them at any time through your platform's own user management.
🇸🇬 For Singapore clients, we act as your Data Intermediary under PDPA. We support your obligations for consent, retention, access rights, and breach notification.
🚨 If a platform upstream has an incident, we tell you within one business day. If Zelix itself has an incident, we follow PDPA's mandatory notification framework.

§ 01

🧭 Our approach: two deployment models, both transparent.

Zelix Labs is a Singapore-based agency operated by Zeta Media Pte Ltd, a Singapore-registered company. A dedicated Zelix Labs Pte Ltd entity is currently in registration; until then, all agreements, invoices, and data-controller obligations rest with Zeta Media Pte Ltd. We do not own or operate a customer data platform of our own. What we do is design, configure, deploy, and maintain AI agent systems on top of third-party platforms that already carry SOC 2 or ISO 27001 certifications. For every engagement, we operate in one of two deployment models. Your specific build document records which model applies to you.

Model A · default

Client-owned

You hold every platform account in your deployment: respond.io, Make.com, GoHighLevel, Meta Business, and any other platform in the stack. Billing goes to you. Zelix is added as a scoped admin under your user management with the minimum role each task requires.

Your customer data flows from Meta, through the platforms you signed up for, where our team observes, configures, and improves the agents. We never hold an account that stores your data.

No Zelix DPA is required beyond your existing professional services agreement. Each platform's own data processing terms govern the platform's handling of your data.

Model B · on request

Zelix-managed

Zelix holds select platform accounts on your behalf, typically the workflow automation layer (Make.com, n8n, or similar). This is for clients who prefer not to set up or manage automation platforms directly, either because the operational overhead is not worth it or because they want one point of accountability for the whole stack.

Your customer data still originates from your customers on WhatsApp, but it is processed through workspaces that Zelix operates on your behalf. On termination, we export your scenarios and either hand them over or migrate them into an account of your own.

In this model, Zelix signs a Data Processing Agreement (DPA) with you. Because we are now processing your customer data on infrastructure we hold, we are acting as your Data Intermediary in the fuller PDPA sense. The DPA covers scope, subprocessors, security measures, breach notification, and deletion on termination. Available on request.

Everything else on this page applies equally to both models. The certified platforms, the data flow, the PDPA posture, the access controls, the incident response SLAs: the same commitments regardless of who holds which account.

What this means for your compliance team. Zelix does not hold SOC 2 or ISO 27001 certifications directly. We are an agency, not a certified SaaS firm. What we are is a configuration and refinement layer on top of platforms that do hold those certifications. If your compliance team asks for Zelix's SOC 2 report, we do not have one, because we are not the infrastructure provider. The platforms below carry those attestations, and those reports are what you would reference in your own compliance documentation. Our own operating security (team access, device encryption, internal process) is documented in sections 6 and 7 below.

§ 02

🏛️ The platforms we build on.

Every active Zelix deployment runs on some combination of the platforms below. Your specific build document names which ones apply to you. All certification claims here refer to each vendor's public attestations, not Zelix's.

The platforms below apply regardless of deployment model (see §01). In Client-owned mode, you hold the accounts directly. In Zelix-managed mode, Zelix holds the designated platforms on your behalf under a signed DPA. The certifications and data locations are the same either way.

Understanding SOC 2 and ISO 27001

Every vendor we rely on holds one or both of two industry certifications. If your procurement team has asked about security posture, they almost certainly asked about these. Here is what each one actually means, in plain language.

Attestation · United States

SOC 2

AICPA-aligned audit, reissued annually

5 trust-service criteria the vendor can be audited against

An American auditing standard from the AICPA (American Institute of Certified Public Accountants). An independent CPA firm reviews whether a vendor has documented, tested controls to protect customer data.

Certification · International

ISO 27001

ISO/IEC 27001:2022, valid three years

93 security controls audited across four themes

An international information-security management standard published by ISO and IEC. An accredited certification body audits the vendor's entire security management system, with annual surveillance audits in between recertifications.

The five Trust Service Criteria SOC 2 can audit

A SOC 2 report covers one or more of these five areas. The more the vendor opts into, the broader the audit. Most SaaS firms include Security at minimum; the strongest vendors include all five.

Security

Systems are protected against unauthorised access, use, and disclosure.

Availability

Services are available and operational as promised in the service agreement.

Processing integrity

Data is processed completely, accurately, on time, and only with proper authorisation.

Confidentiality

Information flagged as confidential is protected throughout its lifecycle.

Privacy

Personal information is collected, used, retained, and disposed of per commitments to individuals.

SOC 2 Type I versus Type II

You will see both quoted. The difference matters. When a vendor says "SOC 2 Type II", that is the stronger attestation.

Point-in-time

SOC 2 Type I

A snapshot. The auditor checks whether the right controls are in place on a single day. Useful as a starting signal, but it does not prove the vendor actually operates those controls day after day.

Audited 6 to 12 months

SOC 2 Type II

The stronger attestation. The auditor reviews whether those controls operate effectively across a sustained window, typically 6 to 12 months of real operation. When we say a platform is "SOC 2 Type II", this is what we mean.

Side-by-side comparison

Aspect	SOC 2	ISO 27001
Origin	United States (AICPA)	International (ISO/IEC)
Auditor	Independent CPA firms	Accredited certification bodies
What's audited	Trust Service Criteria (up to 5)	Information Security Management System, 93 controls
Audit cadence	Type II covers 6 to 12 months, reissued annually	Initial certification, annual surveillance, valid 3 years
Most common in	US tech and SaaS procurement	Europe, Asia, public-sector procurement

In practice for you. When a platform we rely on is both SOC 2 Type II and ISO 27001 certified, it has passed two independent audits: one American, one international. The overlap covers almost anything your procurement team will ask about at the platform layer. That is typically enough evidence to satisfy most Singapore, Malaysia, and regional enterprise reviews.

Our platform stack

respond.io

WhatsApp & AI agent runtime

Omnichannel conversation management; hosts the AI agents that reply to your customers.

CertificationISO 27001:2022 certified.
Data locationInfrastructure hosted on major cloud providers; specific region depends on workspace.
You ownYou sign up for respond.io directly. The workspace is in your name, billed to you, and transferable.
Our accessOur team is added as workspace admins or agents under your user management.

respond.io/security

Make.com

Workflow automation

Connects your platforms to each other: CRM to payments, booking calendar to WhatsApp, ad manager to lead tracker.

CertificationSOC 2 Type II and ISO 27001 certified. GDPR-aligned.
Data locationEU-hosted (Celonis group, Czech Republic and Germany).
You ownYou hold the Make.com account. Our team is added as team members under your organisation.
Our accessScoped to the scenarios we have built for your deployment.

make.com/en/security

GoHighLevel (GHL)

All-in-one CRM alternative

For clients who prefer an all-in-one CRM with funnels, email, SMS, and WhatsApp in one place.

CertificationSOC 2 compliant. Hosted on AWS infrastructure (US).
Data locationPrimarily US AWS regions.
You ownYou sign up for GHL directly. The sub-account is in your name.
Our accessSub-account admin access through your agency dashboard.

gohighlevel.com/security

Meta / WhatsApp Business API

Messaging backbone

Delivers messages between your customers and your AI agents. Your WhatsApp Business phone number is registered through Meta in your company's name.

CertificationOperates under Meta's enterprise data handling framework.
Data locationMeta global infrastructure.
EncryptionEnd-to-end encrypted in transit.
You ownYour WhatsApp Business Account (WABA) is issued to your company, not Zelix. We help you through the setup.

business.whatsapp.com/policy

OpenAI

AI model provider

Provides the GPT-5.4 model that powers the agents running inside respond.io. Each customer message is sent to OpenAI's API for a single inference, then the response is returned to respond.io.

CertificationSOC 2 Type II. Enterprise data handling commitments published.
TrainingAPI data is not used to train OpenAI's models. This is a default, not a setting you have to toggle.
RetentionAPI inputs and outputs are retained by OpenAI for up to 30 days for abuse monitoring, then deleted.
Our accessNo direct OpenAI account on Zelix's side for your deployment. The API call is made from respond.io.

openai.com/enterprise-privacy

Vercel

Hosts zelixlabs.com (no customer data)

Hosts this website. No client customer data is stored here. We mention it only for completeness.

CertificationSOC 2 Type II and ISO 27001 certified.
Data locationGlobal edge network.

vercel.com/security

§ 03

🔁 How data flows through your deployment.

The path a single customer message takes through a typical Zelix deployment on respond.io with AI agents. Every link in the chain is a named platform above.

Customer sends a WhatsApp message. It enters Meta's infrastructure end-to-end encrypted in transit.

Meta forwards the message to respond.io via the WhatsApp Business API, against your WABA number.

respond.io routes the message to your AI agent. The agent reads the thread history, your knowledge base, and your contact fields in respond.io.

respond.io calls OpenAI's API with the conversation context. OpenAI returns a reply. The API payload is not used to train OpenAI's models.

respond.io sends the reply back to Meta, which delivers it to the customer on WhatsApp.

If a Make.com scenario is wired in (for example, creating a CRM record, sending a payment link), Make.com receives a webhook from respond.io and executes the scenario against the other platforms you have connected.

If the agent hands off to a human, your team picks up the conversation inside respond.io. The AI stops replying.

Throughout this flow, Zelix team members may observe conversations inside respond.io for weekly review and quality improvement, but we do not transit conversation data through our own infrastructure.

§ 04

🇸🇬 PDPA alignment (for Singapore clients).

Singapore's Personal Data Protection Act 2012 (PDPA), updated 2020 and 2021, governs the collection, use, disclosure, and care of personal data. For your Zelix deployment, you are the Data Controller and Zelix is acting as your Data Intermediary under Section 2(1) of the Act.

As your Data Intermediary, our obligations and commitments are as follows.

Purpose limitation. We process your customer data only within the scope of our written engagement with you. We do not process it for any other purpose, including Zelix marketing, internal analytics, or benchmarking across other client deployments.
Protection (Section 24). We maintain reasonable security arrangements appropriate to the personal data we handle, including two-factor authentication on all internal accounts that can access client platforms, access on a least-privilege basis, and device-level encryption on team laptops.
Retention limitation. We do not retain personal data beyond the active engagement plus the offboarding window (see section 8 below). Internal working documents related to your deployment are deleted or anonymised within 30 days of engagement closure.
Access and correction (Sections 21 and 22). If one of your customers makes an access or correction request, we will help you execute it on your respond.io or GHL account within the timelines PDPA requires.
Transfer limitation (Section 26). Personal data may be transferred outside Singapore when using platforms hosted overseas (see section 2 above). These transfers occur under each platform's published data-transfer safeguards. We can provide the relevant links on request for your compliance file.
Data breach notification. Under PDPA's mandatory breach notification framework (effective February 2021), if we become aware of a notifiable breach (one that is likely to cause significant harm or affects 500 or more individuals), we will notify you within 24 hours so you can meet your own 3-calendar-day notification deadline to the PDPC.
Accountability. Ryan Chua is the named contact for all security and data concerns. Contact details are at the foot of this page.

For clients on the Zelix-managed deployment model (see §01), we sign a Data Processing Agreement (DPA) with you before the engagement starts. The DPA codifies the PDPA obligations above as a contract between us, names the subprocessors we use, and covers breach notification and deletion on termination. The template is available on request, and is typically signed as part of engagement onboarding.

What PDPA does not require of an agency like Zelix. We are not required to register as a Data Protection Officer (DPO) under PDPA in the same way a standalone controller must. However, Ryan is named as the accountable contact. For clients whose procurement teams require a formal DPO on their side, we can support you in setting up that role; we cannot act as your DPO.

§ 05

🚫 What we never do with your data.

Some of the strongest commitments are the ones we can state in the negative. These are absolute.

We do not train AI models on your customer conversations. OpenAI does not train on API data by default. respond.io does not train on your workspace data. No Zelix-specific model exists that we would train on your conversations even if we could.
We do not share your data, prompts, or deployment configurations with any other client. Each Zelix engagement is siloed at both the platform level and our internal process level.
We do not sell, rent, or monetise your data in any form. Our commercial relationship with you is a retainer for professional services. That is the only revenue we take from your engagement.
We do not retain copies of customer data after your engagement ends. Build documents and internal working files are deleted or anonymised within 30 days of offboarding, except where retention is legally required (for example, invoices and tax records, which we retain for 5 years per Singapore IRAS requirements but which do not contain customer-level data).
We do not use your deployment as a public case study without your written permission. Any client name, screenshot, or data point that appears in Zelix marketing comes from clients who have explicitly signed off.

§ 06

🔑 Access controls on our side.

Named access only. Every Zelix team member who touches your accounts is named in your build document. Typically two or three people: a senior operator, a reviewer, and (for ad-heavy deployments) a paid-media specialist.
Least privilege. We request the minimum platform role necessary. If "agent" access on respond.io is enough, we do not request "owner" access.
No shared credentials. Every team member logs in with their own identity on each platform. We do not share passwords or use shared inboxes to access client platforms.
Two-factor authentication. Mandatory on every internal account that can reach a client platform.
Revocation is one click. You can remove any Zelix team member's access at any time through your platform's user-management panel. Access revocation is instant on the platform side. We ask that you notify us at the same time so we can update our internal records.
Offboarding our own team members. When a Zelix team member leaves the company or rotates off your project, we remove their access from every client platform within one business day of the rotation taking effect.

§ 07

📁 Where Zelix keeps working documents.

Beyond the platforms above, Zelix maintains a small set of internal working documents per engagement. These contain configuration notes, knowledge base source files, prompt histories, change logs, and sometimes anonymised test conversations. For full transparency, here is where they live.

Google Workspace (Drive, Docs, Sheets). Build documents, source knowledge base files, and change logs. Google Workspace is SOC 2 Type II, ISO 27001, and ISO 27018 certified. Access is restricted to the named project team.
Notion and Airtable. Client trackers and feedback logs. Both are SOC 2 compliant. Access restricted to the named project team.
WhatsApp groups. Day-to-day communication with your internal team. Screenshots of agent behaviour, flagged issues, and quick fixes flow through these groups. End-to-end encrypted in transit per WhatsApp's standard. Messages are retained on the devices of participants per WhatsApp's default policy.

Where possible, we keep customer-identifiable data out of these internal systems. Screenshots shared in WhatsApp groups are pseudonymised where practical (customer name and phone number blurred). When a screenshot genuinely needs to show the problem, it remains in the group for the duration of the active engagement and is deleted during offboarding.

§ 08

👋 When your engagement ends.

Whether you pause a retainer, move to another agency, or bring operations in-house, here is exactly what happens.

Your platform accounts stay with you. respond.io, GHL, Meta Business Manager, Make.com, and every other platform we configured remain in your name under your billing. Nothing needs to transfer.
We remove our access within 5 business days. Our team members are removed from your platform user lists. You can also do this yourself immediately.
We delete internal working documents within 30 days. Google Drive, Notion, Airtable records related to your deployment are deleted or fully anonymised. Our retention of invoices and tax records is separate and required by Singapore law (IRAS, 5 years).
You get a final change log and handover note. On request, we export the full change history of your deployment and send it to your team before closing.
WhatsApp groups close. Active WhatsApp groups between Zelix and your team are closed. Messages remain on participants' devices per WhatsApp's defaults; we delete them from our side where the group is archived.

§ 09

🔒 Sensitive data in chat.

Your AI agents are explicitly instructed, under the Zelix AI Agent Standard at zelixlabs.com/ai-standards, never to request, store, or repeat sensitive data in chat. This covers:

Payment card numbers, CVVs, or expiry dates
Passwords, OTPs, or authentication codes
Full ID or passport numbers
Full dates of birth
Specific medical records or diagnoses

Where payments are required, they are routed through external gateways (Airwallex, Stripe, Meta Pay, or your preferred provider) using secure links sent inside the chat. The customer completes the transaction on the gateway, not the chat window. Zelix agents never see card details.

If sensitive data is accidentally shared by a customer (some customers do paste their NRIC or their card number unprompted), the agent is instructed not to quote it back and to route the conversation to a human operator on your team for appropriate follow-up.

§ 10

🚨 Incident response.

If a platform we rely on has an incident

Our team monitors vendor status pages continuously. OpenAI's status page in particular is on our live watch: status.openai.com.
If your deployment is affected, we notify you within one business day with what happened, what your exposure is (or is not), and what is being done upstream.
If the incident rises to the level of a PDPA notifiable breach (significant harm or 500+ individuals affected), we assist with your 3-day notification obligation to the PDPC.

If Zelix itself experiences an incident affecting your data

We contain and begin investigating within 24 hours of discovery.
We notify you within one business day with scope, impact, and ongoing actions.
We assist with any PDPA or GDPR notification you are required to file.
We publish a written post-incident report to you within 14 days covering root cause, remediation, and prevention. If the incident affected more than one client, we anonymise the report across accounts.

We have not had a notifiable data breach to date. That is a fact as of this document's effective date, not a promise about the future. This section exists so that if one happens, the response is already defined and the clock is already running.

§ 11

📋 Subprocessor list.

The third parties that may process personal data as part of running your Zelix deployment. In Client-owned mode (see §01), you have directly accepted each platform's standard Data Processing Terms on signup. In Zelix-managed mode, Zelix operates the designated platforms on your behalf, and we sign a per-client DPA that names these subprocessors explicitly and governs how Zelix handles your data on its own tenancy. A DPA template is available on request.

Subprocessor	Purpose	Location	Attestation
respond.io	WhatsApp conversation management and AI agent runtime	Regional cloud	ISO 27001:2022 · link
OpenAI	GPT-5.4 model inference	US, EU	SOC 2 Type II · link
Make.com	Workflow automation	EU (Celonis group)	SOC 2 Type II, ISO 27001 · link
GoHighLevel	CRM alternative (where used)	US (AWS)	SOC 2 · link
Meta (WhatsApp Business API)	Message delivery	Global	Meta enterprise data framework
Google Workspace	Internal build documents, KB sources	Global	SOC 2 Type II, ISO 27001, ISO 27018
Notion	Internal client trackers	US (AWS)	SOC 2 Type II
Airtable	Internal feedback logs	US (AWS)	SOC 2 Type II
Vercel	Hosts zelixlabs.com (no client customer data)	Global edge	SOC 2 Type II, ISO 27001
Airwallex / Stripe	Payment processing (where used)	Global	PCI-DSS Level 1

If we add a new subprocessor that materially changes your data handling, we notify you in the monthly digest and update this page with a dated changelog entry.

§ 12

📌 Version & changelog.

This page is versioned. Material changes (new subprocessors, changed SLAs, new retention rules) produce a new version with a dated entry below. Clients on an active retainer receive a one-line email for every version bump.

v1.1 22 April 2026 Current

Named two deployment models explicitly in §01: Client-owned (default) and Zelix-managed (on request). Documented that in Zelix-managed mode, Zelix holds select platform accounts on the client's behalf, signs a Data Processing Agreement (DPA) with the client, and acts as Data Intermediary in the fuller PDPA sense. DPA template available on request. Updated §02, §04, and §11 to reflect the two-model framing.

v1.0 12 February 2026

First publication of the Zelix Labs security and data handling page. Documents platform stack (respond.io, Make.com, GoHighLevel, Meta, OpenAI, Vercel, Google Workspace, Notion, Airtable), PDPA alignment under Data Intermediary framing, data-flow walkthrough, incident-response SLAs, and subprocessor list.

If you have questions about anything on this page, or if your procurement team needs additional documentation for their compliance file, message us directly. We will get you what you need.

Ryan Chua

Co-Founder, Zelix Labs · Named contact for security and data concerns

WhatsApp · +65 9668 6186 Email · ryan@zelixlabs.com Legal policy · zelixlabs.com/privacy

Message us on WhatsApp

Zelix Labs (operated by Zeta Media Pte Ltd), Singapore · Security & Data Handling · v1.1 · Effective 22 April 2026
This page complements the Zelix privacy policy and the Zelix AI Agent Standard. For legal compliance questions, contact ryan@zelixlabs.com.