Security Policy

1. Our Commitment

At Zipd, security is foundational to everything we build. We employ a defense-in-depth strategy to protect our B2B SaaS platform and the financial business data entrusted to us by our customers. Our security program is designed to safeguard the confidentiality, integrity, and availability of Subscriber Data through multiple layers of technical, administrative, and physical controls.

2. Infrastructure

The Zipd platform is hosted entirely within the United States on enterprise-grade cloud infrastructure. Our backend services run on Google Cloud Run with Cloud SQL for managed database hosting, providing automated scaling, high availability, and built-in redundancy. Our frontend is served via Vercel's edge network for low-latency delivery. All infrastructure is managed with infrastructure-as-code (Terraform) to ensure consistent, auditable deployments.

3. Data Encryption

All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption, including database storage and backups. Encryption keys are managed by Google Cloud's Key Management Service (KMS) with automatic key rotation. All database backups are encrypted and stored in geographically redundant locations within the United States.

4. Authentication & Access Control

Zipd implements a robust authentication and authorization framework:

• JWT tokens are issued as httpOnly, secure cookies — tokens are never exposed in response bodies or client-side JavaScript
• Multi-factor authentication (MFA) is available for all accounts, supporting TOTP and email-based verification
• Role-based access control (RBAC) with five hierarchical role levels: Owner, Admin, Manager, Member, and Viewer
• All API endpoints are permission-gated — every request is validated against the user's role and organization membership
• Session management with automatic token rotation and configurable expiration policies

5. Application Security

Our application is built with security best practices at every layer:

• All user input is validated through Django REST Framework serializers before processing
• Database queries use parameterized ORM queries exclusively — no raw SQL is permitted in the codebase
• CSRF protection is enforced on all state-changing requests
• CORS whitelisting restricts cross-origin requests to approved domains only
• Content-Security-Policy headers are configured to prevent XSS and data injection attacks
• Automated dependency vulnerability scanning runs on every deployment to identify and remediate known vulnerabilities

6. Data Isolation

Zipd operates a multi-tenant architecture with strict organization-scoped data isolation. Every data record is associated with an organization via a foreign key relationship, and all queries are scoped to the requesting user's organization. Row-level isolation ensures that no cross-tenant data leakage can occur — users can only access data belonging to their own organization, enforced at both the application and database query layers.

7. Audit Logging

Zipd maintains immutable, append-only event logs for all significant actions within the platform. Our audit logging infrastructure includes:

• DealEvent and TaskEvent logs that record every mutation to pipeline and task data
• AccessAuditLog entries for permission changes, role modifications, and administrative actions
• AuthEvent records for login attempts, password changes, and session management
• Every log entry includes the actor, timestamp, and a description of the change performed
• Audit trails are designed to be compatible with SEC 17a-4 requirements for financial services record retention

8. Incident Response

Zipd maintains documented incident response procedures for security events. In the event of a confirmed data breach affecting Subscriber Data, we will notify affected customers in accordance with Cal. Civ. Code § 1798.82 and any other applicable breach notification laws. Notifications will include the nature of the breach, the categories of data affected, and the remediation steps taken. To report a security concern, contact us at [email protected].

9. Vulnerability Disclosure

Zipd operates a responsible disclosure program. If you discover a potential security vulnerability in our platform, please report it to [email protected]. We ask that you:

• Provide sufficient detail to reproduce the vulnerability
• Allow us a reasonable period (up to 90 days) to investigate and remediate before public disclosure
• Refrain from accessing or modifying other users' data during your research

We are committed to acknowledging receipt of vulnerability reports within two business days and providing regular updates on remediation progress.

10. Compliance Roadmap

Zipd is actively pursuing SOC 2 Type I certification. Our platform has been designed from the ground up to handle financial services business data with appropriate controls, including immutable audit trails, role-based access control, encryption at rest and in transit, and organization-scoped data isolation. We are committed to achieving and maintaining industry-recognized compliance certifications.

11. Employee Security

Access to production systems and Subscriber Data is granted on a least-privilege, need-to-know basis. All team members with access to production infrastructure undergo security awareness training. Access privileges are reviewed regularly and revoked promptly upon role changes or separation.

12. Contact