Security & Compliance

Transparent overview of the technical and organizational measures we apply to protect customer data.

Last Updated: 16 September 2025

At a Glance

Encryption

TLS 1.2+ in transit; provider-managed encryption at rest (storage + backups).

Access Control

Role-based least privilege; MFA enforced for engineering & admin consoles.

Monitoring

Centralized logging & anomaly alerting; time‑bound incident escalation paths.

Technical Measures

  • Network: Managed perimeter via hosting provider (Vercel) & API rate limiting.
  • Encryption: HTTPS everywhere; secrets stored in secure environment variables; hash & salt for credentials (if stored).
  • Application Security: Dependency scanning, linting, SAST in CI roadmap; principle of least privilege for API keys.
  • Data Segregation: Logical tenant separation enforced at application layer.
  • Backups: Provider-native snapshot/backups (daily) with integrity checks.
  • Logging: Central structured logs with retention and access restrictions.
  • Vulnerability Management: Critical patches prioritized; external reports via Vulnerability Disclosure Policy.
  • Secrets: No secrets committed; rotation on suspected exposure.

Organizational Measures

  • Training: Security & privacy awareness for staff with system access.
  • Onboarding / Offboarding: Account provisioning through request workflow; revocation within 24h of departure.
  • Access Review: Quarterly review of privileged roles.
  • Change Control: PR-based code review; protected main branch.
  • Incident Response: 4-stage process: Detect → Assess → Contain → Notify; drills at least annually.
  • Third Parties: Subprocessors vetted (see Subprocessor List) for security posture.

Incident Response & Breach Notification

We classify incidents by impact & data sensitivity. Confirmed personal data breaches trigger notification of affected customers without undue delay and, where legally required (e.g., GDPR), within 72 hours of confirmation.

  • Detection via monitoring alerts or external report
  • Containment & eradication tasks owned by engineering lead
  • Forensic log preservation
  • Customer & regulatory notification workflows
  • Post-incident review & control improvements

Data Retention & Deletion

Data Category | Typical Retention | Deletion Method
Account profile | Lifecycle + 30 days | Logical deletion & scheduled purge
Payment metadata | Per tax/audit (7 yrs NZ) | Provider managed (Stripe)
Support tickets | 24 months | Ticket system purge
Analytics events | 14 months (aggregated) | Auto-expiry
Backups | 30 days rolling | Automated snapshot lifecycle

Retention periods may adjust based on legal obligations or customer configuration.

Subprocessors

Operational third parties with potential access to limited personal data. Full details & change log: /subprocessors.

  • Infrastructure & hosting: Vercel
  • Payments: Stripe
  • Authentication / database: Firebase
  • Analytics & performance: Google Analytics, Vercel Analytics
  • Communication (email): (Add provider if applicable)

AI & Automated Processing

We do not train AI models on customer personal data and do not perform automated decision making with legal or similarly significant effects. Limited internal tooling may perform non-persistent formatting of creative briefs.

Questions or Security Reports

For suspected vulnerabilities, please use our /vulnerability-disclosure page. For privacy matters: alex@zuvohq.com; for urgent security incidents: support@zuvohq.com.

This overview is informational and does not grant contractual commitments beyond those in the Client Agreement, Terms of Service, and DPA.