Legal Center Security & Compliance

Security & Compliance

Effective Date: February 16, 2026  |  Last Updated: February 28, 2026

ZeroSuite implements comprehensive security controls across all products. This page documents our technical security measures, compliance posture, and responsible disclosure program.

Table of Contents

  1. Technical Security Measures
  2. Product-Specific Compliance
  3. Vulnerability Management
  4. Incident Response
  5. Responsible Disclosure / Bug Bounty
  6. Compliance Summary
  7. Contact

1. Technical Security Measures

1.1 Transport Security

  • TLS 1.3 enforced on all API endpoints and web interfaces
  • HTTP Strict Transport Security (HSTS) headers with a minimum max-age of one year
  • Certificate pinning implemented in mobile applications (Déblo.ai iOS and Android)
  • Automated certificate renewal and monitoring

1.2 Data at Rest

  • AES-256 encryption for all sensitive data stored on disk
  • Encrypted database volumes on Hetzner infrastructure
  • iOS Keychain and Android Keystore used for local application data on mobile devices
  • Encryption keys managed with strict access controls and regular rotation

1.3 Authentication

  • bcrypt with per-user salts for all password storage (no plaintext passwords)
  • JWT tokens with short expiry periods for session management
  • OTP-based multi-factor authentication via otpx.dev
  • API key authentication with per-key scoping and rotation capabilities

1.4 Infrastructure

  • Hetzner EU data centers in Germany and Finland, subject to European data protection standards
  • Cloudflare CDN, Web Application Firewall (WAF), and DDoS protection
  • Network segmentation between production, staging, and development environments
  • No public SSH access to production servers
  • Automated security patching for operating systems and dependencies

1.5 Access Controls

  • Role-based access control (RBAC) for all internal systems
  • Principle of least privilege enforced across all access grants
  • Audit logs maintained for all administrative actions
  • Regular access reviews and deprovisioning for departing personnel

2. Product-Specific Compliance

2.1 0fee.dev (PCI DSS)

ZeroSuite is not a card data environment. Card PANs (Primary Account Numbers) never touch ZeroSuite servers. Payment forms load directly from PCI DSS-compliant providers (Stripe, PayPal, and others).

ZeroSuite stores only:

  • Last 4 digits of payment cards (for display purposes)
  • Token references (provider-issued, non-reversible)
  • Transaction metadata (amounts, currencies, timestamps, status)

2.2 GDPR

2.3 COPPA

  • Parental consent flow implemented for Déblo.ai (children under 13)
  • Data minimization for minor users
  • See Child Protection Policy for full details

2.4 SOC 2

SOC 2 Type II certification is currently in the planning phase. Target certification: Q4 2026. Controls are being implemented and documented in advance of the formal audit process.

3. Vulnerability Management

  • Automated Scanning: Continuous dependency scanning for known vulnerabilities in all production codebases.
  • Manual Reviews: Monthly manual security reviews of critical code paths and configuration.
  • Penetration Testing: Annual penetration testing conducted by qualified third-party security firms.
  • Patching SLA:
    • Critical vulnerabilities: patched within 24 hours
    • High severity: patched within 72 hours
    • Medium severity: patched within 14 days
    • Low severity: patched in the next scheduled release

4. Incident Response

ZeroSuite maintains a formal incident response plan with the following phases:

  1. Detection: Automated monitoring and alerting systems detect anomalies and potential security events.
  2. Triage (1 hour): Initial assessment of severity, scope, and impact within one hour of detection.
  3. Containment: Immediate measures to prevent further damage or data exposure.
  4. Eradication: Root cause identification and removal of the threat.
  5. Recovery: Restoration of affected systems and verification of integrity.
  6. Post-mortem: Documented analysis of the incident with lessons learned and preventive measures.

GDPR Breach Notification

  • Notification to the relevant supervisory authority within 72 hours of becoming aware of a personal data breach
  • Notification to affected users without undue delay for high-risk breaches
  • Documentation of all breaches, including facts, effects, and remedial actions taken

Security incidents: Report to [email protected]

5. Responsible Disclosure / Bug Bounty

5.1 Scope

The following domains and their APIs are in scope for security research:

  • All *.zerosuite.dev domains
  • All *.0fee.dev domains
  • All *.otpx.dev domains
  • All *.deblo.ai domains
  • Associated API endpoints

5.2 Out of Scope

  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering attacks against ZeroSuite employees or users
  • Physical attacks against ZeroSuite offices or data centers
  • Automated vulnerability scanning that generates excessive traffic

5.3 How to Report

  • Email: [email protected] with subject "Vulnerability Report"
  • Include: description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code

5.4 Our Commitment

  • Acknowledgment within 48 hours of receipt
  • Status update within 7 days
  • No legal action against good-faith security researchers who comply with this policy
  • Recognition in our security researcher hall of fame (planned for zerosuite.dev/security)

6. Compliance Summary

Regulation Scope Status
GDPR (EU 2016/679) All products, EU users Compliant
COPPA (US) Déblo.ai Compliant
PCI DSS 0fee.dev SAQ A (card data never stored)
Google Play Families Policy Déblo.ai Android Compliant
Apple App Store Section 1.3 Déblo.ai iOS Compliant
SOC 2 Type II All products Planned Q4 2026

7. Contact

For security-related inquiries, vulnerability reports, or compliance questions: