Security at ZenVerifier
Last updated · May 2026
Our customers trust us with the contact lists their businesses run on. This page describes what we do to protect that data — concretely. If anything here changes, we update it.
Infrastructure
- Application hosted on Vercel (SOC 2 Type II, ISO 27001).
- Database: Vercel Postgres, region-pinned (EU by default), encrypted at rest with AES-256.
- File storage: Vercel Blob, encrypted at rest, with deterministic 30-day retention enforced by a daily cron job.
- Authentication: Clerk (SOC 2 Type II) — we never store passwords or auth secrets.
- Verification engine: GDPR-compliant, EU-region processing, ISO 27001 certified.
- Transactional email: Resend, isolated to a dedicated sending subdomain (updates.zenverifier.com) with SPF, DKIM, and DMARC.
Encryption
- In transit: TLS 1.2 minimum, 1.3 preferred. HSTS set on the apex with a one-year max-age.
- At rest: AES-256 across the database, blob storage, and managed services. Backups inherit the same encryption.
- Application secrets: stored in Vercel’s encrypted environment variables, never committed to source control. Rotated when team members leave.
Access control
- Production access is limited to founders and on-call engineering.
- SSO required for all internal tools.
- Database access is read-only by default; write access requires an elevated session and is audit-logged.
- We follow the principle of least privilege — sub-processor accounts have only the scopes required for the service.
Data retention
- Uploaded lists: auto-deleted 30 days after upload. Enforced by a daily cron that drops both the database row and the blob copy.
- Single email checks: kept indefinitely as a cache so re-verifying the same address is free for you.
- Audit logs: 2 years.
- Backups: point-in-time recovery with a 14-day retention window. Backups are deleted on the same schedule as live data plus the 14-day window.
What we don’t do
- We don’t train AI models on your contacts.
- We don’t share your data with advertising networks or data brokers.
- We don’t store payment card numbers — Stripe handles those end-to-end.
- We don’t run third-party tracking pixels on the marketing site.
Vulnerability reporting
If you find a security issue, please email security@zenverifier.com with details and steps to reproduce. We respond within 48 hours, prioritise based on impact, and credit researchers (with consent) on this page once a fix is shipped. We don’t currently run a paid bug bounty but appreciate responsible disclosure.
Compliance roadmap
- SOC 2 Type II audit underway. Report available under NDA when complete.
- GDPR & UK GDPR aligned via the Data Processing Addendum.
- ISO 27001 planned for the year following SOC 2.
Contact
Security questions, vendor security questionnaires, or vulnerability reports: security@zenverifier.com. For non-urgent questions, our team responds within two business days.