Security
ZippyPro is built to keep your business data safe by default. We combine strong encryption, hardened infrastructure, and thoughtful product design so you don't have to be a security expert to use it confidently.
All customer data is encrypted in transit and at rest using modern, industry-standard encryption.
Multi-factor authentication, role-based access, and secure session management help keep accounts protected, even if a password is compromised.
Continuous monitoring, detailed audit logs, and protections against abusive traffic help us quickly spot issues and keep the platform stable and secure.
Encryption & Access Controls
Encryption
All customer data is encrypted in transit using modern TLS and at rest using strong industry-standard encryption. Database connections are encrypted end-to-end to prevent eavesdropping.
Multi-Factor Authentication
Time-based one-time codes (MFA) add a second layer of protection to account logins. Admins can require MFA for all team members to raise the security baseline.
Role-Based Access Control
Three permission levels — Admin, Manager, and Member — ensure people only see and change what they need for their role, reducing the impact of mistakes or compromised accounts.
Audit Logging
Sensitive actions such as data deletion, settings changes, and exports are recorded with timestamps, user identity, and source information so you can see who did what and when.
Rate Limiting
Built-in rate limits on API and authentication endpoints help prevent abuse, slow down bots, and protect against brute-force login attempts.
Session Management
Sessions automatically time out after a short period of inactivity, and we use modern, secure tokens with rotation to reduce risk if a device is lost or left unattended.
Infrastructure
Database & Authentication
We use a managed PostgreSQL database with built-in row-level isolation so each customer's data stays logically separated. Our database platform is independently audited under SOC 2 Type II to meet modern security and reliability standards.
Hosting & CDN
ZippyPro runs on a global edge hosting platform with automatic protection against large-scale attacks such as DDoS. The underlying infrastructure is SOC 2 Type II audited, giving you the same class of safeguards used by mature SaaS companies.
Payments
Payments are processed by a PCI DSS Level 1 certified provider. ZippyPro never stores or directly handles raw payment card numbers, reducing your exposure to card-related risk.
Communications
Messaging is handled by an established communications provider that maintains SOC 2 Type II compliance. Inbound webhooks are cryptographically signed and verified to ensure they actually come from our provider and haven't been tampered with.
Transactional email is delivered over encrypted channels (TLS) whenever supported by recipients' mail servers, avoiding plain-text transmission of sensitive content in transit.
AI Processing
AI-powered features are implemented through an API-only integration with a leading AI provider. Data sent to these APIs is used solely to power your features and is not used to train general-purpose models.
Data Protection
Multi-tenant Isolation
Each customer's data is logically isolated. Every database query is scoped to the authenticated account so one business cannot view or modify another's information.
Input Validation & Application Safety
All user input is strictly validated on the server to prevent injection attacks and accidental data corruption, keeping your workspace data clean and consistent.
Browser-Side Protections
We enforce a strict Content Security Policy and tight CORS rules so scripts only run from trusted sources and APIs only accept requests from approved domains, helping mitigate common web attacks like XSS.
Secure Authentication for Crew
Crew Portal logins support modern, device-based authentication (such as biometrics on supported devices), and biometric data never leaves the user's device or is stored by ZippyPro.
PIN Security
Crew PINs are stored in a one-way, cryptographically protected form. Plain-text PINs are never stored or logged.
Error Monitoring
Production systems are continuously monitored for errors. We capture and alert on issues while scrubbing sensitive data from error reports to protect user privacy.
Data Backup & Recovery
Automated Backups
Your data is backed up automatically on a daily schedule with point-in-time recovery available within a defined retention window. Backups are stored in a separate region from the primary database to reduce the impact of regional incidents.
Recovery Capabilities
In the event of accidental deletion or data corruption, we can restore your workspace to a recent point in time within that retention window, helping you get back on track quickly.
Self-Serve Data Export
Workspace owners can export their data on demand from the in-app Data Export settings, so you always retain control and can keep your own copies when needed.
For security questions or to report a vulnerability, contact security@zippypro.app