Security is foundational to how we build ZeroFi. This page summarizes the practices we use to protect your data and how security researchers can report issues to us. It is a description of our program, not a contractual guarantee.
Data protection
- Encryption in transit: all traffic to and from the Services is served over HTTPS/TLS.
- Encryption at rest: our database and object storage encrypt data at rest.
- Tenant isolation: business data is isolated using row-level security so one organization cannot access another's records.
- Least privilege: access to production data is restricted to authorized personnel on a need-to-know basis.
Authentication & access
- Passwords are hashed by our authentication provider; we never store plaintext passwords.
- Business-ownership claims require email verification before an account is activated; unverified claims are held for manual review.
- Administrative functions are gated behind privileged, audited roles.
Application safeguards
- Server-side input validation and parameterized database access to guard against injection.
- Rate limiting and abuse controls on public endpoints, including per-client and global ceilings, to protect against spam and resource exhaustion.
- Fraud controls on advertising (click de-duplication, bot filtering, and budget enforcement) and outbound-email safeguards (suppression lists and address validation).
Infrastructure
We build on reputable cloud providers, including Supabase (managed Postgres, authentication, and storage), Vercel (application hosting and CDN), and vetted third parties for email, payments, and AI processing. These providers maintain their own security certifications and controls.
Payments
Card payments are handled by PCI-compliant payment processors (e.g., Stripe). We do not store full card numbers on our systems.
Monitoring & response
We log security-relevant events and monitor for anomalies. In the event of a security incident that affects your data, we will investigate, take corrective action, and notify affected users as required by applicable law.
Responsible disclosure
We welcome reports from the security community. If you believe you've found a vulnerability, please email security@zerofi.ai with details and steps to reproduce. We ask that you:
- Give us a reasonable time to investigate and remediate before public disclosure.
- Avoid privacy violations, data destruction, service degradation, or accessing more data than necessary to demonstrate the issue.
- Do not run automated scans that degrade the Services or test with other users' accounts without consent.
Acting in good faith under these guidelines, we will not pursue legal action for your research. We appreciate and acknowledge researchers who help keep ZeroFi safe.
Your role
Use a strong, unique password, keep your credentials private, and contact us immediately at security@zerofi.ai if you suspect unauthorized access to your account.
Contact
Security questions or reports: security@zerofi.ai. ZeroFi is a product of Nirvana Consulting Company (ainirvana.ai).