Ask Zac

Your account, your control

Zac can read settings, build plans, and execute changes across your entire Zoom environment. That's powerful — and it means security can't be an afterthought.

Nothing changes without your approval

Every configuration change passes through a four-layer approval chain before it touches your Zoom account.

Layer 1

LLM Prompt Rules

System-level instructions prevent the AI from executing changes autonomously. Every write action requires explicit user confirmation.

Layer 2

Preview & Confirm

Before any write, Zac shows you exactly what will change. You receive a single-use confirmation token to approve the action.

Layer 3

Backend Validation

The server rejects any write request that lacks a valid confirmation token. Tokens expire after 5 minutes and cannot be reused.

Layer 4

Database Constraint

The audit log table requires a foreign-key reference to a valid confirmation record. Changes without proof of consent cannot be stored.

Chain of Evidence

OAuth Consent Preview Shown User Confirmed Change Executed Audit Logged

Your credentials never touch our database in plain text

Zoom OAuth tokens are encrypted at rest with AES-256-GCM and wrapped with a per-workspace key derived via scrypt.

How we encrypt

  • AES-256-GCM authenticated encryption for all credentials
  • Unique key per workspace derived via scrypt KDF
  • Master key stored in infrastructure secrets manager, never in code
  • Random 16-byte IV generated per encryption operation
  • TLS 1.2+ for all data in transit

When you disconnect

Cryptographic erasure ensures your data becomes permanently unrecoverable.

  1. 1 OAuth tokens revoked at Zoom
  2. 2 Workspace encryption key permanently deleted
  3. 3 Encrypted data becomes unrecoverable (no key = no data)
  4. 4 Credential records deleted from database
  5. 5 Disconnection event logged to audit trail

Read-only by default. Write access only when you ask.

Zac requests the minimum OAuth scopes needed. Write permissions are only added when you explicitly choose to make changes.

Tier 1: Read-Only

Granted on connect

  • Account settings & plan details
  • User list & license assignments
  • Feature configuration state
  • Admin audit logs

Tier 2: Write on Request

Only when you ask

  • Modify account settings
  • Create & update groups
  • Enable & disable features
  • Manage call routing

We Never Access

Not requested, ever

  • Meeting content or recordings
  • Chat messages or files
  • Call recordings or voicemails
  • Meeting passwords

One-click kill switch

Revoke all Zac access instantly from your Settings page or directly from the Zoom Marketplace. Tokens are revoked immediately and cryptographic erasure begins.

Your data stays out of the AI

We strip personally identifiable information before any data reaches the language model, and we defend against every known prompt injection technique.

PII pseudonymization

Real names, emails, and IDs are replaced with opaque tokens before reaching the AI. The mapping is held server-side and reversed only in the response.

Before (your data)

alice@acme.com

After (sent to AI)

user_1@example.com

Prompt injection defense

Zac is tested against the full OWASP LLM Top 10 threat catalog. Every known injection vector is blocked at the input layer before reaching the model.

0%

Attack success rate

100%

OWASP LLM Top 10 pass

What the AI cannot do

No autonomous actions

The AI cannot execute changes to your Zoom account without going through the 4-layer approval chain.

No cross-tenant access

Each workspace is cryptographically isolated. The AI cannot read or reference data from other customers.

No system instruction disclosure

Prompt injection attempts to extract system instructions are detected and blocked at the input layer.

Every action logged, every change traceable

The audit trail captures every interaction with your Zoom account, creating an immutable record of who did what, when, and why.

What's recorded

  • Who — the admin user who initiated and confirmed
  • What — the setting changed, with before & after values
  • When — timestamp with millisecond precision
  • Confirmation token — proof of user consent
  • Zoom API request ID — correlates to Zoom's own audit trail

Why this matters

  • Compliance proof — demonstrate to auditors exactly what changed and who approved it
  • Rollback context — before/after values let you revert any change with confidence
  • Separation of concerns — clearly distinguish Zac-made changes from manual admin activity
  • Exportable logs — download your full audit history as CSV or JSON at any time

Standards & certifications

Zac is built to meet the security requirements of enterprise Zoom deployments.

SOC 2 Type II

In progress

Trust services criteria for security, availability, and confidentiality. Audit observation period underway.

OWASP Top 10

Compliant

Protected against all OWASP Top 10 web application security risks including injection, broken auth, and XSS.

OWASP LLM Top 10

Compliant

33 tests covering all LLM-specific threats. 100% pass rate across prompt injection, data leakage, and insecure output handling.

GDPR

Compliant

Cryptographic erasure on disconnect, data minimization by design, and Data Processing Agreement available on request.

Zoom Marketplace

Approved

Passed Zoom's security review process for Marketplace-listed applications, including OAuth scope audit and data handling review.

Webhook Security

HMAC-SHA256

All incoming webhooks are verified with HMAC-SHA256 signatures. Replay attacks are prevented with timestamp validation.

Questions about security?

We're happy to answer questions, provide our security documentation, or schedule a call with our engineering team.

security@askzac.ai Try Zac Free