Security

1. Our Commitment to Security

At ZorroFlow, security is not an afterthought—it's fundamental to everything we build. We employ industry-leading practices to protect your email data and ensure your communications remain private and secure.

2. Data Encryption

Encryption in Transit

• TLS 1.3: All data transmitted between your devices and our servers is encrypted using the latest TLS 1.3 protocol
• HTTPS Only: Our website and API endpoints are accessible only via HTTPS
• MX Server Security: Email reception via our MX servers uses encrypted connections with SPF, DKIM, and DMARC authentication

Encryption at Rest

• Database Encryption: All email data stored in MongoDB is encrypted at rest using AES-256
• Attachment Storage: Email attachments in Supabase are encrypted using industry-standard encryption
• Backup Encryption: All database backups are encrypted before storage

3. Authentication & Access Control

User Authentication

• OAuth 2.0: Secure authentication via Google OAuth
• Session Management: Secure, HTTP-only cookies with CSRF protection
• JWT Tokens: Cryptographically signed tokens for API access
• No Password Storage: We never store passwords—authentication is delegated to trusted providers

Access Controls

• Row-Level Security: Database access restricted by user ID and permissions
• API Authentication: All API endpoints require valid authentication tokens
• Webhook Security: MX server webhooks use bearer token authentication
• Least Privilege: Services operate with minimal required permissions

4. Email Security

Email Authentication

• SPF Records: Sender Policy Framework to prevent email spoofing
• DKIM Signing: DomainKeys Identified Mail cryptographic signatures
• DMARC Policy: Domain-based Message Authentication for email validation
• Reverse DNS: Proper PTR records for email server identification

Spam & Malware Protection

• Spam Filtering: Integrated spam detection and filtering
• Virus Scanning: All incoming emails scanned for malware
• RBL Checking: Real-time blacklist verification (Spamhaus, SpamCop)
• Rate Limiting: Protection against email flooding and abuse

5. Infrastructure Security

Server Security

• Firewall Protection: UFW firewall with strict port access (22, 25, 80, 443 only)
• Fail2Ban: Automated blocking of brute-force attacks
• Security Updates: Regular system and security patch deployment
• Server Hardening: Industry-standard server security configurations

Hosting & Infrastructure

• Cloud Providers: Hosted on enterprise-grade platforms (Vercel, MongoDB Atlas, Supabase, Hetzner)
• Geographic Redundancy: Data replicated across multiple availability zones
• DDoS Protection: Built-in protection against distributed denial-of-service attacks
• Network Isolation: Separate networks for different service components

6. Application Security

• Input Validation: All user inputs sanitized and validated
• SQL Injection Prevention: Parameterized queries and ORM usage
• XSS Protection: Content Security Policy and output encoding
• CSRF Protection: Anti-CSRF tokens on all forms
• Dependency Scanning: Regular security audits of third-party libraries
• Code Reviews: Security-focused code review process

7. Data Privacy & Compliance

• Data Minimization: We collect only what's necessary for service operation
• User Data Control: You own your data and can export or delete it anytime
• No Data Selling: We never sell your data to third parties
• GDPR Ready: Infrastructure designed with GDPR principles in mind
• Audit Logs: Comprehensive logging for security monitoring and compliance

8. AI Security

AI Processing Security

• Secure API Calls: All AI API calls use encrypted connections
• Data Anonymization: Email content processed by AI is anonymized where possible
• No Training on Your Data: Your emails are never used to train AI models
• Provider Security: We use only reputable AI providers (Anthropic Claude, OpenRouter)

9. Incident Response

• Security Monitoring: 24/7 automated monitoring of security events
• Incident Response Plan: Documented procedures for security incidents
• Breach Notification: Immediate notification in case of data breach
• Regular Security Audits: Periodic security assessments and penetration testing

10. Security Best Practices for Users

To maintain the security of your account:

• Use Strong Authentication: Enable 2FA on your Google account
• Keep Credentials Secure: Never share your login credentials
• Monitor Account Activity: Regularly review your account for suspicious activity
• Logout from Shared Devices: Always sign out when using public computers
• Report Security Issues: Contact us immediately if you suspect a security issue

11. Certifications & Standards

• SOC 2: Working towards SOC 2 Type II compliance
• OWASP Guidelines: Following OWASP Top 10 security practices
• Industry Standards: Adhering to email industry security standards (RFC compliance)

12. Responsible Disclosure

We appreciate the security research community's efforts to help keep ZorroFlow secure. If you discover a security vulnerability, please report it responsibly:

• Email: security@zorroflow.com
• Response Time: We aim to respond within 24 hours
• Responsible Disclosure: Please allow us time to fix issues before public disclosure
• Recognition: We maintain a hall of fame for security researchers

13. Contact Us

If you have questions about our security practices:

• Email: security@zorroflow.com
  General Inquiries: love@zorroflow.com