All data is encrypted at rest and in transit (AES-256 for sensitive vault tokens, TLS 1.2+ enforced for transit). We employ strict role-based access controls and session management with automatic expiration.
All payment data is handled by our PCI-compliant processing partner, Stripe, meaning raw credit card information never touches our servers. The main operational Postgres database is hosted in highly secure US-based data centers with automated point-in-time backups. We do not store customer credentials in plaintext; passwords are stored only as bcrypt hashes.
01. Where is customer data stored?
US-based Postgres database (Floot infrastructure).
02. Is data encrypted at rest?
Yes, AES-256 for sensitive tokens, database-level encryption.
03. Is data encrypted in transit?
Yes, TLS 1.2+ enforced on all connections.
04. Do you support SSO/SAML?
Not currently. Authentication via email/password with bcrypt hashing and JWT session tokens.
05. What is your password policy?
Bcrypt hashed, no plaintext storage, session tokens auto-expire.
06. Do you have a SOC 2 report?
Not yet. We are a Series Seed stage company. Contact us for our security overview.
07. How do you handle payment data?
All payment processing handled by Stripe (PCI DSS Level 1 compliant). We never store card numbers.
08. Who are your subprocessors?
Listed at zolvaritech.com/subprocessors (Stripe, Resend, Google Gemini, UploadThing, OneSignal, Floot).
09. What is your data retention policy?
Detailed at zolvaritech.com/data-retention. Account data until deletion, financial records 7 years.
10. Do you have an incident response plan?
Yes, documented at zolvaritech.com/incident-response. 72-hour notification commitment.
11. How do you handle data deletion requests?
Users can request deletion via dashboard or email. We comply within 30 days per GDPR.
12. Do you have a DPA available?
Yes, downloadable at zolvaritech.com/dpa.
13. Where are your servers located?
United States.
14. Do you conduct penetration testing?
We perform regular security reviews. Contact security@zolvaritech.com for details.
15. How is API access controlled?
API keys with scoped permissions, rate limiting, and automatic rotation support.
16. Do you have role-based access controls?
Yes. Platform roles: admin, buyer, creator, affiliate, user. Each role has distinct permissions.
17. How do you handle third-party integrations?
All third-party tokens encrypted with AES-256 in our Token Vault with access logging.
18. What happens if a breach occurs?
Immediate containment, 72-hour notification, root cause analysis, permanent remediation.
19. Do you have business continuity/disaster recovery?
Automated database backups, infrastructure redundancy via cloud provider.
20. Can we get a custom security review?
Yes. Contact security@zolvaritech.com or your account representative.
All external integrations use official OAuth 2.0 authorization flows. We never ask for or store your third-party passwords.
Connecting your Shopify store is safe and easy. We use Shopify's official app authorization, meaning you never share your passwords with us. We request only the minimum read-only scopes required ("read_products", "read_orders"). You always stay in control and can revoke access at any time from your Shopify Settings > Apps.
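As an added illustration of the least-privilege authorization request described above (example code, not Zolvari's own integration): it builds the Shopify authorization URL with only the two read-only scopes named here, binds the request to an unguessable `state` value, and checks on return that the shop domain, the `state`, and the granted scopes are what was requested. The client ID, redirect URI and the sample granted-scope strings are placeholders and constructed inputs; the authorize endpoint path and the comma-separated `scope` format follow Shopify's documented OAuth flow.

```python
import re
import secrets
from urllib.parse import urlencode

# Minimum read-only scopes named on the page; nothing with write_ is ever requested.
REQUESTED_SCOPES = ("read_products", "read_orders")

# Only redirect to a genuine *.myshopify.com host, never to a caller-supplied URL.
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$", re.IGNORECASE)


def validate_shop_domain(shop: str) -> bool:
    """True only for a bare shop hostname such as example-store.myshopify.com."""
    return bool(SHOP_RE.match(shop))


def new_state() -> str:
    """Per-request CSRF token stored server-side and compared on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(shop: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization URL for Shopify's app-install flow (client_id/redirect_uri are placeholders)."""
    if not validate_shop_domain(shop):
        raise ValueError("refusing to redirect to an untrusted shop domain")
    query = urlencode({
        "client_id": client_id,
        "scope": ",".join(REQUESTED_SCOPES),  # encoded as read_products%2Cread_orders
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"https://{shop}/admin/oauth/authorize?{query}"


def callback_state_is_valid(expected_state: str, received_state: str) -> bool:
    """Constant-time comparison of the stored state with the one Shopify echoed back."""
    return secrets.compare_digest(expected_state, received_state)


def granted_scopes_acceptable(granted: str) -> bool:
    """The token exchange reports granted scopes as a comma-separated string.

    Accept a non-empty set that is within what we asked for; any extra or
    write_ scope means the token is broader than the read-only access promised.
    """
    granted_set = {s.strip() for s in granted.split(",") if s.strip()}
    return bool(granted_set) and granted_set <= set(REQUESTED_SCOPES)
```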