ZipFields

1. Our Security Commitment

ZipFields stores some of the most sensitive personal information that exists — government ID numbers, passport details, financial information, and health identifiers. We take that responsibility seriously. Security is not an afterthought at ZipFields — it is foundational to how we build and operate our platform.

2. Data Encryption

All data handled by ZipFields is encrypted both in transit and at rest.

• In transit: All communications between your device and ZipFields are encrypted using TLS 1.2 or higher. We do not support unencrypted HTTP connections.
• At rest: All data stored in our database is encrypted at rest using AES-256 encryption provided by Supabase, our database infrastructure provider.
• Passwords: User passwords are never stored in plain text. They are hashed using bcrypt with a unique salt per user. ZipFields staff cannot read your password under any circumstances.

3. Authentication and Access Control

• User authentication is handled through Supabase Auth, which implements industry-standard JWT-based session management.
• Email verification is required to activate all new accounts.
• Row-level security (RLS) policies are enforced at the database level, ensuring that each user can only access their own data regardless of application-level controls.
• Business accounts are completely isolated from user accounts. A business can only access user data that the user has explicitly approved.
• Internal access to production data is restricted to essential personnel only and is logged.

4. Infrastructure Security

• Hosting: ZipFields is hosted on Vercel, which provides DDoS protection, automatic HTTPS, and global content delivery with security hardening.
• Database: Our database is hosted on Supabase, which is SOC 2 Type 2 certified and undergoes regular third-party security audits.
• Payments: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. ZipFields never stores payment card data.
• Source code: Our codebase is stored in a private GitHub repository. No secrets, API keys, or credentials are stored in source code.

5. Vulnerability Management

ZipFields maintains the following response timelines for identified security vulnerabilities:

• Critical / High severity: Addressed as soon as possible, with a target resolution of within 7 days of identification.
• Medium severity: Addressed within 30 days of identification.
• Low severity: Addressed within 90 days of identification.

We review dependencies regularly and apply security patches promptly. We use automated dependency scanning to identify known vulnerabilities in our software stack.

6. Data Breach Response

In the event of a confirmed data breach affecting personal information, ZipFields will:

• Contain the breach and assess its scope as quickly as possible
• Notify affected users directly by email within 72 hours of becoming aware of the breach, as required under PIPEDA and applicable law
• Report the breach to the Office of the Privacy Commissioner of Canada and any other required regulatory bodies
• Provide affected users with a clear description of what data was affected, what we are doing about it, and what steps they can take to protect themselves

7. API Security

ZipFields provides API access to approved business partners and integrations. All API access is subject to the following controls:

• All API requests must be authenticated using secure API keys issued by ZipFields
• API keys are scoped to specific permissions and can be revoked at any time
• All API access is logged and monitored for unusual activity
• API partners must agree to our API Terms, which prohibit storing, reselling, or misusing any data obtained through the API
• User consent is required before any data is returned via API, regardless of the requesting party

8. Data Minimization and Retention

ZipFields collects only the personal information necessary to provide our services. We do not collect or retain data beyond what is described in our Privacy Policy. When an account is deleted, all associated personal data is permanently deleted or anonymized within 30 days.

9. Third-Party Security

ZipFields carefully evaluates the security posture of all third-party providers before integrating them. We only use providers that maintain recognized security certifications (SOC 2, PCI DSS, ISO 27001 where applicable) and that contractually commit to protecting user data in accordance with applicable law.

10. Responsible Disclosure

If you believe you have identified a security vulnerability in ZipFields, please report it to us immediately at hello@zipfields.com with the subject line "Security Vulnerability Report." Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it. We commit to acknowledging your report within 48 hours and providing a status update within 7 days.

11. Contact

For security-related inquiries, contact us at:

Email: hello@zipfields.com

Website: www.zipfields.com