AI Security at ZeroBounce
At ZeroBounce, we take a proactive and transparent approach to securing our AI systems. Our commitment is grounded in real-time monitoring, strict adherence to company-wide policies, and a rigorous validation process.
Post-Deployment Monitoring & Governance
All AI deployments are continuously monitored in real time. User inputs are retained for 30 days in accordance with our global data policy, after which they are securely deleted. Systems for appeal, override, decommissioning, incident response, and change management follow established company-wide security protocols.
Content Validation & Bias Mitigation
We ensure our AI generates accurate and responsible content by restricting input data to thoroughly vetted public sources—namely, our website and official documentation. Each AI release undergoes rigorous validation to mitigate risks like bias or hallucination.
Intrusion Detection & Security Controls
ZeroBounce AI systems are engineered with strong defenses against prompt injection, prompt priming, and model tampering. Our architecture prevents any unauthorized access or modification of prompts or models.
Transparency & Explainability
A built-in debug mode provides insights into the AI’s decision-making process, offering visibility into the data reviewed and increasing trust through explainability.
Data Handling & Protection
We do not ingest private or user-submitted datasets into our AI systems—only public data is used. Sensitive company data remains protected behind corporate firewalls and VPNs. Data deletion follows the same 30-day retention rule as the rest of the organization.
Threat Resistance & Risk Management
Threats like data poisoning or model inversion are not considered relevant due to the nature of our public data sources. However, all identified risks are documented and regularly assessed by our Quality Assurance team to ensure continued safety.
In-House AI Infrastructure
All AI models and infrastructure are developed and maintained in-house. We do not rely on third-party vendors, eliminating external exposure and ensuring full control over our AI ecosystem.
Leader in Email Validations
ZeroBounce is a leading online email validation system created to ensure that companies sending complex and high volume emails avoid deliverability issues. The system works by reducing and eliminating invalid, abuse, complaint, inactive, and spam-trap email addresses. These are email addresses that will either bounce or contribute to ruining your sending reputation. ZeroBounce also provides IP address validation and verification of key recipient demographics and has the ability to add missing information on certain emails, such as the name, gender and location of the owner.
We created a guide to help you navigate everything you need to be aware of when sending emails. It's the most comprehensive guide you'll find on the internet and we offer it for free, without any restrictions. You can read it here: THE COMPLETE GUIDE TO IMPROVE INBOX AND DELIVERABILITY
ZeroBounce is the most secure email validation system you can find. For us, the protection of your data comes first, so we don't cut cost in keeping it safe. We are registered with the BBB and approved for the EU Data Privacy Framework (DPF). We maintain enterprise contracts with all of our vendors, we operate our own data center and own our servers and hardware. We don't use third-party services, like Amazon, Azure, and other cloud services providers, to store your data.
GETTING STARTED
We'll get you up and validating with us really fast! Simply click this link for a walk-through on our validation service:
Validation Process
ZEROBOUNCE
California: 10 E Yanonali St, Santa Barbara, CA, 93101, US
Sales: 1-888-500-9521 (9-5 PST)
Email: office@zerobounce.net
Technical Support 24/7 (only via email): support@zerobounce.net
Support Options: /contact-us
ZeroBounce List of Sub-processors and Service Providers
What is a Sub-Processor?
A sub-processor is a third party engaged by a data processor to perform specific processing activities on behalf of a data controller. In the context of data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), the following roles are defined:
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the data controller.
- Sub-Processor: Any third party that the data processor uses to assist in processing the personal data.
In our case, in connection with ZeroBounce’s services such as email validation and list cleaning, a ZeroBounce customer (who acts as a data controller) outsources its data processing to a service provider (data processor - ZeroBounce). The service provider then hires another company (sub-processor) to perform some specialized task, like data storage. That third company becomes a sub-processor.
Under laws like the GDPR, data processors are required to obtain the controller's authorization before engaging sub-processors. Also, they must ensure that sub-processors adhere to the same data protection obligations as the original processor.
Due Diligence
ZeroBounce is committed to conducting thorough due diligence when engaging with third parties, ensuring that they are assessed prior to onboarding and as part of our annual risk management program.
We hold our service providers to strict contractual obligations, requiring them to process personal data solely for the purpose of delivering services to ZeroBounce. These contracts ensure that service providers comply with our commitments to ZeroBounce customers and adhere to applicable data protection laws.
List of Sub-processors
Sub-processors involved in processing customer registration data
| Name | Exchanged data | Purpose |
|---|---|---|
| LinkedIn Ads | Email address and cookie tracking data | Ad placement |
| Google Ads | Email address and cookie tracking data | Ad placement |
| Microsoft | Email address and cookie tracking data | Ad placement |
| Meta | Email address and cookie tracking data | Ad placement |
| Outbrain | Email address and cookie tracking data | Ad placement |
| Taboola | Email address and cookie tracking data | Ad placement |
| Quantcast | Email address and cookie tracking data | Ad placement |
Email address and cookie tracking data | Ad placement | |
| Quora | Email address and cookie tracking data | Ad placement |
| Hubspot | Email address | Marketing aggregator |
| Zendesk | Email address | Customer service ticketing and communication; also used in the limited instance where a customer submits a request for support using our chat function/form. |
| OpenAI | name, email address, purchase details, payment details and customer behaviour | Used to generate analytical reports and insights on ad performance, payment activity, subscription churn, and customer support interactions by processing pseudonymized operational data to identify trends, improve decision-making, and enhance user experience. |
| Mailchimp | Email address | Used as a backup provider to send transactional emails by processing recipient email addresses, message content, and delivery metadata to ensure reliable communication delivery. |
| TrustPilot | Email address | To send review invitations and collect genuine user feedback about our services. |
| G2 | Email address | To send review invitations and collect genuine user feedback about our services. |
Sub-processors involved in the email validation process
| Name | Exchanged data | Purpose |
|---|---|---|
| Cloudflare | Email address | Perimeter security, Web application firewall (WAF). Customer email addresses will be logged only in the case of API validation calls if the customer exceeds the technical recommendation of product usage (e.g., sending request limits, IP violations, etc.) |
Cloudflare - email address, purpose: perimeter security, web application firewall. Customer email address will be logged only in case of API calls validation if the client exceeds technical recommendation of product usage (e.g., sending request limits, IP violations etc.).
List of Service Providers
ZeroBounce works with the service providers listed below for email validation service delivery.
| Name | Purpose of processing | Exchanged data | Entity country |
|---|---|---|---|
| Okta | Identity management provider | Email address | US |
| Stripe | Payment gateway | Cardholder data | US |
| PayPal | Payment gateway | Cardholder data | US |
| M247 | Infrastructure hosting & internet provider | none | EU |
| DigitalRealty | Colocation hosting provider | none | US |
| Equinix | Colocation hosting provider | none | US |
| Cogent | Internet provider | none | US |
| NTT | Internet provider | none | US |
| Cloudflare | Internet provider | none | US |
| Atlassian | Project management | Limited email address | US |
| DocuSign | Electronic Signatures | Business User Data | US |
| Calendly | Meeting Organizer | Business User Data | US |
| Qwilr | Quote Tool | Business User Data | US |
| Slack | Communication Tool | Limited email address | US |
Updates to this page
Given the global scope of our business and the large number of customers we serve, our business needs and service providers may change periodically.
For instance, we may discontinue a service provider to streamline and reduce the number of providers we use or add a new service provider if it improves our ability to deliver our email validation service.
We will regularly update this page to reflect any changes, including the addition or removal of service providers or sub-processors.