Legal & Trust

Security & Data Protection

Security is not an afterthought at Zerqano — it is built into every layer of our architecture. This page documents how we protect your data, who can access it, and what we do when things go wrong.

Last updated: 2026-05-25TLS 1.3 · AES-256 · RLS · MFASOC 2 Type II roadmapGDPR · UK GDPR · CCPA

Encryption

TLS 1.3 · AES-256

Multi-tenancy

RLS enforced

Compliance

GDPR · SOC 2 roadmap

Review cycle

Annual / incident

1. Security overview

Zerqano is a B2B SaaS platform that processes sensitive business data including inventory records, purchase orders, supplier information, financial transactions, and AI-generated forecasts. We treat the security of that data as a core product responsibility — not just a compliance checkbox.

Data in transit

TLS 1.3 (min 1.2)

Data at rest

AES-256

Tenant isolation

PostgreSQL RLS

Auth standard

Supabase / JWT

Password hashing

Bcrypt / Argon2

Error monitoring

Sentry (EU)

We follow a defence-in-depth strategy: multiple independent security layers so that if one control fails, others remain. Our security programme covers physical infrastructure (via our cloud providers), network, application, data, and operational layers.

2. Multi-tenant architecture & isolation

Every Zerqano customer is a separate tenant. Tenant isolation is enforced at multiple levels so that no user or organisation can access another's data — even in the event of application-layer bugs.

Row-Level Security (RLS)

All database tables have PostgreSQL Row-Level Security policies enabled. Every read and write operation is scoped to the authenticated user's tenant ID. Queries that bypass RLS at the application layer are blocked at the database level.

JWT-scoped requests

Every API request requires a valid Supabase JWT. The JWT contains the user's ID and organisation. All service-layer queries pass this identity context — there is no way to query data for a different tenant without a valid token for that tenant.

Logical database separation

While tenants share the same PostgreSQL cluster, all data tables include a created_by / org_id column and RLS policies enforce ownership. No cross-tenant data joins are possible via normal query paths.

Vector store isolation

Qdrant vector collections are namespaced per user. Semantic search and cross-sell queries are always filtered by user ID to prevent cross-tenant retrieval.

3. Authentication & access control

3.1 User authentication

  • Passwords are one-way hashed using Bcrypt or Argon2 — we cannot recover your password.
  • All sessions use short-lived JWTs (15-minute access tokens + 7-day refresh tokens). Tokens are rotated on each refresh.
  • OAuth 2.0 / OIDC is supported for Google and Microsoft SSO. Tokens are never stored plain-text.
  • Time-based One-Time Password (TOTP) multi-factor authentication is available and recommended for all users.
  • Failed login attempts are rate-limited with exponential back-off to mitigate brute-force attacks.
  • Session invalidation is immediate on sign-out and account deactivation.

3.2 Role-based access control (RBAC)

  • Users are assigned roles (Owner, Admin, Member, Viewer) within their organisation.
  • API endpoints validate role permissions before performing write operations.
  • Administrative operations (bulk deletes, pipeline configuration changes) require Owner or Admin roles.

3.3 API keys & service accounts

  • API keys are generated with cryptographically secure randomness and stored as hashes.
  • Keys can be scoped with read-only or read-write permissions and revoked at any time.
  • Service-role credentials used internally are never exposed to the frontend or API responses.

4. Encryption

4.1 Encryption in transit

  • All traffic between client and server uses TLS 1.3 (minimum TLS 1.2). Older protocol versions are rejected.
  • HTTP Strict Transport Security (HSTS) headers enforce HTTPS-only access with a 1-year max-age.
  • WebSocket connections (MCP server) are established over WSS (WebSocket Secure).
  • API-to-database connections use TLS for all subprocessors (Supabase, Qdrant).

4.2 Encryption at rest

  • All database volumes are encrypted at rest using AES-256, managed by Supabase (AWS KMS).
  • Uploaded file storage is encrypted at rest. Encryption keys are rotated annually.
  • Backups are encrypted with the same AES-256 standard before being stored off-site.

4.3 Secrets management

  • All API keys, database credentials, and private keys are stored as encrypted environment variables — never hardcoded in source code.
  • Secrets are rotated at least annually and immediately upon suspected compromise.
  • CI/CD pipelines use separate, scoped secrets and do not share production credentials.

5. Network & infrastructure security

  • Hosting. Our backend API runs on a Hostinger VPS (EU datacenter) with a hardened Ubuntu configuration. Our frontend is hosted on Vercel's global edge network.
  • Firewall. UFW firewall rules restrict inbound traffic to HTTPS (443), SSH (on a non-standard port, key-only), and application ports. All other inbound traffic is dropped.
  • DDoS protection. Vercel's edge network provides DDoS protection for frontend traffic. The API layer uses rate limiting via slowapi to reject abusive request patterns.
  • SSH access. Server SSH access is restricted to key-based authentication only — password authentication is disabled. Access keys are rotated and managed per-engineer.
  • CORS. Cross-Origin Resource Sharing is configured with an allowlist of authorised origins (zerqano.com, www.zerqano.com). Wildcard origins are not permitted in production.
  • Port exposure. Internal services (database, vector store, MCP) are not exposed on public ports. All internal communication uses private network channels.

6. Application security

Our development practices follow the OWASP Top 10 framework. The key controls we implement for each category:

OWASP categoryOur controls
A01 Broken Access ControlPostgreSQL RLS on all tables; RBAC on all API routes; JWT-scoped queries; no user-controlled SQL.
A02 Cryptographic FailuresTLS 1.3 in transit; AES-256 at rest; Bcrypt/Argon2 for passwords; no MD5/SHA1.
A03 InjectionParameterised queries / ORM for all DB access; input validation via Pydantic; LLM prompt sanitisation.
A04 Insecure DesignSecurity reviewed in design phase; threat modelling for new features; DFD review for data flows.
A05 Security MisconfigurationHSTS, CSP, X-Content-Type-Options, X-Frame-Options headers; no debug endpoints in production.
A06 Vulnerable ComponentsAutomated dependency scanning in CI/CD (Dependabot / pip-audit); weekly review.
A07 Identity & Auth FailuresMFA available; brute-force rate limiting; short-lived JWTs; secure cookie attributes.
A08 Software & Data IntegritySigned commits; environment variable management; no eval() or dynamic code execution.
A09 Security Logging & MonitoringSentry error tracking; server access logs; anomaly alerting; 12-month log retention.
A10 SSRFOutbound requests use an allowlist; user-supplied URLs are not fetched server-side.

6.1 Content Security Policy (CSP)

All pages are served with a strict Content-Security-Policy header that restricts script execution to known safe origins, prevents inline scripts, and blocks dangerous directives like unsafe-eval.

6.2 Rate limiting & abuse prevention

All public API endpoints are rate-limited per IP and per authenticated user. Rate limit headers are returned with each response. Endpoints that perform heavy computation (e.g., pipeline runs) have additional per-user concurrency limits.

6.3 Input validation

All API request bodies are validated against Pydantic schemas at the API boundary. File uploads are validated for type, size, and content before processing. Malformed requests are rejected with a 422 response — they never reach the database layer.

7. AI & third-party API security

Zerqano uses OpenAI (and optionally Groq) for large language model inference. The following controls govern how Customer Data is handled in AI processing:

  • Data minimisation. Only the minimum necessary context from Customer Data is sent to LLM APIs. Full file contents are summarised or chunked before transmission where possible.
  • No model training on Customer Data. Our API agreements with OpenAI and Groq include opt-out from model training on API-submitted data. Customer Data is not used to train public models.
  • Prompt injection defences. User-supplied content passed to LLMs is sanitised and wrapped in system-level delimiters. LLM outputs are treated as untrusted and validated before being stored or displayed.
  • API key scoping. Third-party API keys are scoped to minimum required permissions and stored as encrypted secrets — never exposed in logs or responses.
  • Subprocessor DPAs. All AI providers are covered by Data Processing Agreements and are bound by GDPR Article 28 obligations.

8. Employee security & internal access

  • Principle of least privilege. Team members are granted access only to the systems and data required for their role. Access is reviewed quarterly.
  • MFA required. All internal accounts (GitHub, cloud providers, SaaS tools) require MFA. Hardware security keys are encouraged for privileged access.
  • Security training. All team members complete security awareness training on onboarding and annually thereafter, covering phishing, social engineering, and secure coding practices.
  • Access provisioning & deprovisioning. Access is provisioned on a need-to-know basis and revoked immediately on role change or departure.
  • No direct production database access. Customer Data queries in production require documented justification and are logged in our audit trail.
  • Confidentiality agreements. All team members and contractors sign NDAs covering Customer Data and business confidential information.

9. Monitoring & alerting

  • Error monitoring. Sentry is integrated across the API and frontend. All unhandled exceptions are captured, alerted, and triaged within our on-call rotation.
  • Access logging. All API requests are logged with timestamp, endpoint, HTTP method, response status, and user ID (no request bodies). Logs are retained for 12 months.
  • Anomaly detection. Unusual access patterns — including abnormally high request rates, access from new countries, and bulk data export attempts — trigger automated alerts.
  • Uptime monitoring. External uptime checks run every 60 seconds. Automated alerts are sent if any critical endpoint is unavailable for more than 2 minutes.
  • Dependency scanning. Automated tools (Dependabot, pip-audit) scan dependencies weekly for known CVEs and alert our engineering team.

10. Incident response

We maintain a documented Incident Response Plan (IRP) that is reviewed and tested annually. Our process covers:

D

Detection

Automated monitoring and manual reports trigger incident creation. On-call engineer is paged within 5 minutes.

C

Containment

Affected systems are isolated. Compromised credentials are revoked. Service may be temporarily degraded to prevent further damage.

I

Investigation

Root cause analysis (RCA) is conducted. Logs are preserved. Scope of customer data impact is assessed.

N

Notification

If personal data is breached, affected customers are notified within 72 hours (GDPR Art. 33). Supervisory authorities are notified as required. Severity and scope are communicated transparently.

R

Remediation

Vulnerability is patched. Security controls are strengthened. Affected customers are provided guidance on any required actions.

P

Post-incident review

Full RCA report produced within 5 business days. Lessons learned are incorporated into security programme. Summary shared with affected customers on request.

11. Backup & disaster recovery

ComponentBackup frequencyRetentionRTO target
PostgreSQL databaseDaily automated + WAL7 days PITR4 hours
File storageDaily snapshot30 days4 hours
Vector embeddingsWeekly snapshot4 weeks8 hours
Application configOn-change via version controlIndefinite1 hour

Backups are stored in a geographically separate location from the primary infrastructure and are encrypted at rest. Restore tests are conducted at least quarterly. Our Recovery Point Objective (RPO) target is 24 hours for all tiers.

12. Compliance roadmap

GDPR (EU) & UK GDPR

Implemented

Data Processing Agreements, privacy-by-design, DSAR process, 72-hour breach notification.

CCPA / CPRA (California)

Implemented

No-sale policy, right to delete, right to know, verifiable consumer request process.

SOC 2 Type II

Roadmap 2026–2027

Trust Services Criteria for Security, Availability, and Confidentiality. Controls gap assessment in progress.

ISO 27001

Roadmap 2027

Information Security Management System. Formal certification planned post-SOC 2.

OWASP Top 10

Implemented

All OWASP Top 10 categories addressed in our secure development lifecycle (see Section 6).

PCI DSS (Payments)

Delegated to Stripe

We do not store, process, or transmit card data. Stripe is our PCI-DSS Level 1 certified payment processor.

13. Responsible disclosure & bug bounty

Found a vulnerability? We want to know.

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to security@zerqano.com with “Security Report” in the subject line.

What to include in your report

  • Description of the vulnerability and its potential impact.
  • Steps to reproduce (proof-of-concept if available).
  • Any technical details (URLs, request/response samples, screenshots).

Our commitments to researchers

  • We will acknowledge your report within 2 business days.
  • We will not pursue legal action against researchers acting in good faith under this policy.
  • We will keep you informed of progress toward a fix.
  • We will credit researchers in our security advisories (unless you prefer anonymity).
  • For confirmed critical vulnerabilities, we offer recognition rewards on a case-by-case basis.

Out of scope: Denial-of-service attacks, social engineering of Zerqano staff, physical security, or vulnerabilities in third-party services outside our control.

14. Security contact

Security vulnerabilities: security@zerqano.com

Privacy & data requests: privacy@zerqano.com

General legal enquiries: legal@zerqano.com

Response time: Security reports acknowledged within 2 business days. Confirmed critical vulnerabilities are patched within 7 days.

For privacy rights requests and our full data protection policy, see our Privacy Policy. For the terms governing use of the Service, see our Terms of Service.

Document information

Document: Zerqano Security & Data Protection

Version: 1.2.0

Last reviewed: 2026-05-25

Encryption standard: TLS 1.3 · AES-256

Language: English (governing)

Security contacts

Vulnerabilities: security@zerqano.com

Privacy & data: privacy@zerqano.com

General legal: legal@zerqano.com

This document was last reviewed on 2026-05-25. Zerqano reviews its security posture continuously and updates this page upon significant infrastructure changes, new compliance achievements, or at least annually. To report a vulnerability or request our security questionnaire, contact security@zerqano.com. Historic versions are available on request.