Security at ZodForge
Security is our top priority. We implement industry-leading practices to protect your data and ensure service reliability.
Enterprise-Grade Security
10-layer defense in depth architecture • 99.99% uptime • SOC 2 ready
Data Encryption
In Transit
- TLS 1.3 encryption (HTTPS only)
- Perfect Forward Secrecy (PFS)
- Strong cipher suites (AES-256-GCM)
- HSTS enabled (Strict-Transport-Security)
At Rest
- AES-256 database encryption (Supabase)
- API keys hashed with bcrypt (cost 12)
- Encrypted backups
- No plaintext secrets in code
Infrastructure Security
Hosting & Providers
- Railway: API hosting with isolated containers, automatic scaling, and DDoS protection
- Vercel: Landing page on global edge network with instant failover
- Supabase: PostgreSQL database with row-level security and automated backups
- Stripe: PCI DSS Level 1 certified payment processing (we never see card numbers)
Network Security
- DDoS Protection: Cloudflare-level protection on all endpoints
- Rate Limiting: Tiered limits to prevent abuse (10-100 req/hour)
- IP Allowlisting: Optional for Enterprise customers
- WAF (Web Application Firewall): Blocks common attack vectors
API Security
Authentication
- Bearer token authentication (API keys)
- Keys are 64-character cryptographically random strings
- Keys are hashed before storage (bcrypt, never reversible)
- Rotate keys anytime from dashboard
- Keys are never logged or exposed in error messages
Request Validation
- Zod schema validation on all inputs
- Sanitization to prevent injection attacks
- Content-Type enforcement (JSON only)
- Request size limits (max 1MB payload)
Data Handling
Zero Data Retention: Your schemas are processed in real-time and never stored beyond temporary processing.
- API requests are logged for 7 days (debugging only), then permanently deleted
- Logs contain only metadata (timestamps, status codes), not schema content
- Third-party AI providers (OpenAI, Anthropic) do not train on your data (per their enterprise agreements)
Access Control
Internal Access
- Principle of Least Privilege: Employees only access systems they need
- Multi-Factor Authentication (MFA): Required for all admin accounts
- SSH Key Authentication: No password-based server access
- Audit Logs: All access logged and monitored
- Background Checks: For employees with production access
Customer Access
- Email-based authentication (magic links or OAuth)
- API key management dashboard
- Usage analytics and monitoring
- Team management for Enterprise (role-based access control)
Monitoring & Incident Response
24/7 Monitoring
- Real-time uptime monitoring (UptimeRobot + StatusPage)
- Error tracking and alerting (Sentry)
- Performance metrics (response times, throughput)
- Security event logging (failed auth attempts, anomalies)
- Automated health checks every 30 seconds
Incident Response
We have a documented incident response plan:
- Detection: Automated alerts trigger within 1 minute
- Assessment: On-call engineer investigates (15 min SLA)
- Containment: Isolate affected systems, prevent spread
- Communication: Status page updated, customers notified
- Resolution: Fix issue, restore service
- Post-Mortem: Document root cause, implement prevention
Compliance & Certifications
GDPR Compliant
- Data Processing Agreements (DPA) available
- EU data residency option (Enterprise)
- Right to access, rectify, and delete data
- 30-day data breach notification
CCPA Compliant
- Transparent data collection practices
- Do Not Sell My Data honored
- California resident rights respected
- Privacy policy clearly disclosed
In Progress
- SOC 2 Type II: Audit in progress (expected Q2 2026)
- ISO 27001: Information security management certification (roadmap)
- HIPAA: Healthcare compliance for medical data (upon customer request)
Vulnerability Management
Security Testing
- Automated Scanning: Weekly Snyk scans for dependency vulnerabilities
- Penetration Testing: Annual third-party pentests
- Code Review: Security-focused reviews for all changes
- OWASP Top 10: Protected against common web vulnerabilities
Patch Management
- Critical security patches deployed within 24 hours
- Dependencies updated weekly (automated Dependabot)
- Zero-downtime deployments for patches
Bug Bounty Program
Coming Soon: We're launching a bug bounty program to reward security researchers who responsibly disclose vulnerabilities.
For now, report security issues to: security@zodforge.dev
Third-Party Security
We carefully vet all third-party services and ensure they meet our security standards:
| Service | Purpose | Certifications |
|---|---|---|
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 |
| Supabase | Database hosting | SOC 2 Type II, GDPR |
| OpenAI | AI refinement | SOC 2, no training on data |
| Anthropic | AI fallback | SOC 2, no training on data |
Security Best Practices for Users
Help us keep your account secure:
Do
- Store API keys in environment variables
- Use separate keys for dev/staging/prod
- Rotate keys regularly (every 90 days)
- Enable MFA on your account
- Monitor usage for anomalies
- Use HTTPS in all API requests
Don't
- Commit API keys to version control
- Share API keys with others
- Use the same key across projects
- Expose keys in client-side code
- Ignore rate limit errors
- Send unencrypted requests
Security Contact
Found a security vulnerability? Please report it responsibly:
Email: security@zodforge.dev
We take all reports seriously and will respond within 24 hours. Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (for follow-up)
Please do not publicly disclose until we've had a chance to address the issue.
Commitment to Transparency
Security is a continuous journey. We publish quarterly security updates and maintain a public changelog of security improvements. Questions? Email security@zodforge.dev