Security Policy

This document provides a readable recap of Zebra AI’s security policies for ease of understanding. For the complete and binding details, please refer to our Terms of Service (ToS) and Privacy Policy (PP).

Note: wherever “GPT API” is mentioned below or in other documents, take into account that we are currently using OpenAI API, but can probably switch to another AI provider for some parts of the application: Anthropic.

Encryption: all communication with Zebra AI is encrypted with in-transit SSL / TLS (public-private key encryption), including login, sending messages from client to server and vice-versa, connecting and uploading data, exporting your dashboards etc. The server storage is also encrypted at rest using 256-bit AES encryption, meaning that any source data which is temporarily uploaded to our servers is encrypted for the duration of the session. After the session expires, source data is permanently deleted. Any persisted user or application data which is stored in the database, or any data stored by our subprocessors, is additionally encrypted at rest. More details are listed below in the section Where does your data go outside of Zebra AI?.

Login and registration:

Zebra AI will have free and paid tiers soon. Anyone will be able to register for a free account by simply logging into the Zebra AI app using Microsoft SSO (single sign-on). Registration is performed upon first time login.

When the user logs into Zebra AI for the first time, they see a form from Microsoft asking for simple permissions:

  • openid: Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information.
  • profile: Allows the app to see your users’ basic profile (e.g., name, picture, user name, email address)

Once the user logs in, their authentication token is sent to our server which hosts the application. The application checks if the authentication token is valid (e.g. not expired, email is registered in our database), in which case it redirects the user to the main application page and sends the user info (e.g. name) to the client to display it.

Cookies: we store the authentication token as a cookie in the web browser so that the user doesn’t have to log-in every time he visits Zebra AI (until the token expires). Zebra AI does not read any other existing cookies from the user, meaning we don’t track any user browsing history or anything similar.

Uploading your data:

Zebra AI is a service running and self-contained in the Microsoft Azure cloud. Once you upload your data, for the duration of the session, we use data processing & statistical algorithms running fully within the service to manipulate with the data. The data is uploaded to our Zebra AI servers, hosted on Microsoft Azure, only for the duration of the session.

The only external calls we perform are to the GPT API service. We use highly engineered prompts with relevant parts of the data & statistical facts in order to generate descriptions and decisions on which charts to draw, etc. OpenAI guarantees that by using their API, neither inputs nor outputs are used for training. No user, personal, or broader context data are passed through. We try to minimize the amount of data sent to Open AI GPT API by various means such as but not limited to doing inference and generation on our servers, substituting datasets with descriptive statistics, using sampling, … 

Once the session ends (e.g. the user signs out, refreshes or leaves the Zebra AI page), the uploaded data is immediately deleted from the server. Your source data is not retained on our servers beyond the duration of the interactive session.
We do not store it, it is firewalled from other users using Zebra AI, and we never use it for training, fine-tuning, or in any other way beyond what is needed to generate the answers that you see.

We compute statistics based on the uploaded data and send it to GPT API with an engineered prompt to get GPT’s interpretation of the data slice / statistic, which is then shown on the screen (for chart titles, for summary & advice).

Connecting with Power BI:

When connecting to power BI, we require additional permissions from the user:

  • dataset.read.all The app can view all datasets for the signed in user and any datasets that the user has access to.
  • report.read.all Allows the app to make API calls that require read permissions on all reports, on your behalf.

Once approved, through a user interface, the user can select their workspace and dataset from PowerBI they wish to connect to. Users can write and execute arbitrary DAX queries on the dataset within Zebra AI which retrieves the data to be used for analysis.

Connecting to a PowerBI dataset and retrieving data is enabled only through a time-sensitive authentication token, which is provided to Zebra AI via the approval described above.

We store dataset metadata (dataset connection information, DAX queries which were executed in the past) in our database so that users will connect to previously used datasets easier, but we do not store the actual retrieved data from Power BI (it is stored only temporarily, deleted immediately after the session ends).

Storing / Sharing historical chats (“Stories”):

We store stories (chat history) in our database. Users are able to see their previous stories (including text, advice, and the charts), but are not be able to continue analysis on the chat, until they manually re-connect the dataset (because we don’t store the source dataset). All data required to render a story is stored in the database.

The user may delete a story from the history – when he does so, all associated data is permanently deleted from our database.

When users share stories with colleagues, copies of stories are created in the database for all users who are viewing the shared stories.

Dislike dashboards or charts:

Users are be able to explicitly click on a “dislike” button for a chart or AI answer in order to give us feedback and improve Zebra AI. When they click on dislike, we store the output (GPT generated text) as well as the input (user’s chat message, statistics computed in back end) on PostHog so it can later be used for manual review and understanding what lead to the bad AI answer.

Additional analytics tracking:

We track additional Zebra AI usage data using PostHog (a cloud service):

  • Various elements which are clicked on in the applications (buttons, fields, etc.)
  • Time elapsed from upload until dashboard was created (measuring application speed)
  • Data connection metadata: AI-detected business domain (e.g. sales, marketing, etc..).
  • Feedback form content which users can choose to fill-in through the application
  • Dashboard dislikes
  • Application performance tracking (GPT model responsiveness)

Paid users are able to switch of the analytics tracking. Note that none of above events are tracked by default for enterprise customers.

Additional system error tracking:

When our application crashes, we use Sentry (a cloud service) to automatically log the application crash context so we can debug the application and fix issues that users face. The log might include some context in terms of user uploaded data (some smaller parts or calculations performed on the data), which lead to the error / crash.

Where does your data go outside of Zebra AI?

We will never sell your personal information to third parties. However, we may share your information with our subprocessors who help us provide our services. For example, we may use a payment processor to process your payments. We only share the minimum necessary information with our subprocessors and require them to maintain at least the same level of security and privacy as Zebra AI.

List of subprocessors used:

  • Microsoft Azure:
    • Location of service hosting: West Europe
    • Encryption: In-transit and at rest (Database), In-transit and at rest (Server)
    • Nature of processing: Cloud hosting services and Database
    • What: We use Azure services to host Zebra AI. Azure processes, hosts and stores your account, license and application data.
    • Why: Azure provides Zebra AI a reliable, scalable and secure computing infrastructure. By utilizing Azure services, we can concentrate on delivering the best user experience without distractions.
  • Sentry:
    • Location of service hosting: United States
    • Nature of Processing: Logging and Monitoring
    • Encryption: In-transit and at rest
    • What: Sentry is used as one of our error logging platforms. We use Sentry to capture errors thrown within Zebra AI to better understand and resolve issues in real-time.
    • Why: To help us fix bugs, we send some data to Sentry, including your IP address and user ID. Your IP address helps us determine the general location where the error occurred, and it can also be used to identify bugs that are related to time zones. Your customer ID helps us quickly find and diagnose issues that are reported by our users in our customer support panel.
  • PostHog:
    • Location of service hosting: European Union
    • Nature of Processing: Anonymous Analytics Data
    • Encryption: In-transit and at rest
    • What: For our free users, we store anonymous application usage and application performance data in PostHog, including which elements are being clicked, time elapsed for AI responses and user feedback.
    • Why: To help us understand how to improve our application and which features we need to focus on, developers or product managers at Zebra BI might manually inspect the aggregated statistics or feedback messages retrieved into the system.
  • OpenAI:
    • Location of service hosting: United States
    • Encryption: In-transit and at rest
    • Nature of Processing: Backend support of certain product features
    • What:  We employ OpenAI’s GPT API, which gives access to powerful language models and machine learning tools that can be used to automate tasks or summarize texts, among other things.
    • Why: OpenAI’s GPT API is used to power the decisionmaking and text generation within Zebra AI based on aggregated statistics and data slices computed from your source data. OpenAI doesn’t use customer data for their internal training purposes or for otherwise improving their services.
  • Anthropic
    • Location of service hosting: United States
    • Security & Privacy: Anthropic Trust Center
    • Nature of Processing: Backend support of certain product features
    • What:  We employ Anthropic’s Claude API, which gives access to powerful language models and machine learning tools that can be used to automate tasks or summarize texts, among other things.
    • Why: Anthropics’s GPT API is used to power the decisionmaking and text generation within Zebra AI based on aggregated statistics and data slices computed from your source data. Anthropic is HIPAA and SOC 2 Type I and Type II compliant. Anthropic doesn’t use customer data for their internal training purposes or for otherwise improving their services. 

How Can I Export or Delete My Data?

You can request a copy of your personal information at any time by contacting us at support@zebrabi.com. We will respond to your request within a reasonable timeframe and provide you with a copy of your data in a commonly used format, such as CSV or JSON.

If you ever want to delete your data, deleting your account will permanently delete all of your data off our systems. This action is irreversible. Alternatively, you can request a deletion of a certain part of your data without deleting your account entirely.