Isolated workspaces
Every organization gets its own isolated sandbox container and persistent/workspace volume. Tasks in the same organization share that workspace by design, while different organizations never share containers, browser state, or files.
The plan controls only the idle window. Free sandboxes sleep after 15 minutes of no activity; paid sandboxes sleep after 24 hours. Sleeping frees runtime resources, but files remain on disk and the next task restarts the same workspace.
Network egress
Browser and fetch-style outbound requests pass through a safety check that blocks private-network and cloud-metadata addresses before the connection opens.
Your team can switch the sandbox network from the default open mode to locked mode, which blocks outbound traffic. Domain allow-list entries can be managed now, but per-domain forwarding enforcement is still staged rather than active.
Secrets vault
Credentials are AES-256-GCM-encrypted at rest. Secrets are exposed to the sandbox by default so shell and integration workflows can use them; admins can mark individual secrets as redaction-only so they stay out of the sandbox environment.
A redactor scrubs every persisted log (the agent's reasoning, tool output, observations) for known secret values — so even if the agent echoes a credential by accident, the saved transcript has the masked form and the original is unrecoverable from logs.
Prompt injection defenses
ZOYYA treats anything it reads from the web, an uploaded file, an email body, or a webhook payload as potentially adversarial. The agent is instructed to ignore instructions embedded in scraped content, and tool outputs are labelled so the model can't mistake them for user intent.
Approval gates are configurable. By default, workspaces use Bypass mode and the agent runs allowed tools without pausing. Your team can switch to Ask permission or add per-tool rules so selected actions pause for review before they run.
Authentication & sessions
Sessions are signed with a strong server-side secret. Passwords are hashed with a modern, deliberately slow algorithm. Two-factor auth is available via any standard authenticator app. Changing your email requires confirmation at the new address before it takes effect.
Personal API keys are hashed at rest — the plaintext is shown to you exactly once at creation and is never recoverable. Revoke from Settings → API keys at any time.
Every authenticated action requires either a same-origin browser session or a bearer API key. Cross-site request forgery is blocked at the edge.
Audit log
Every change that matters — secrets, schedules, integration connects, approval decisions, account changes — is recorded with actor, IP, and user-agent. Retention depends on plan tier (7 days on Free, up to a year on Max).
Admins can export the audit log as CSV from Governance → Audit and answer "what happened?" questions in seconds.
Data handling
See the Privacy Policy for full data-handling details.
Quick summary: ZOYYA stores your account info, task data, artifacts, and metadata. Task objectives and intermediate outputs are sent to the LLM provider you select. We don't train on your data and we don't sell or share with ad networks. Backups are retained for 30 days.
Report a vulnerability
Found a security issue? Email [email protected] with reproduction steps. We'll acknowledge within 48 hours.
We don't yet have a formal bug bounty, but we'll publicly credit responsible disclosures and back-pay rewards when the bounty launches.