Security

Last updated: January 2025

Zin Content takes the security of your data seriously. This page describes the security measures in place across ZinApp and our underlying infrastructure.

Contact: info@zincontent.com

Backend infrastructure — Xano

Your data is stored and processed by Xano, a backend-as-a-service platform built to enterprise security standards. Xano holds the following certifications and compliance accreditations:

  • SOC 2 and SOC 3 — independently audited security controls
  • ISO 27001 — information security management
  • ISO 27701 — privacy information management
  • ISO 9001 — quality management
  • GDPR compliant

Xano’s infrastructure runs on Google Cloud Platform and includes:

  • Encryption at rest for all stored data
  • Firewall and Anti-DDoS protection
  • Continuous access monitoring
  • Regular penetration testing
  • Automated backups

Full details are available at security.xano.com.

Application security

  • Authentication — ZinApp uses httpOnly session cookies for authentication. The cookie cannot be accessed by JavaScript, which prevents the session cookie from being stolen through a cross-site scripting (XSS) attack.
  • Ownership enforcement — every API request is scoped server-side to the authenticated user. You can only ever read, write, or delete your own data.
  • Password handling — passwords are never stored in plain text. Hashing is handled by Xano’s built-in secure password functions.
  • Payment data — card details are never processed or stored by Zin Content. All payment handling is managed entirely by Stripe, a PCI DSS-compliant payment processor.

Frontend hosting — Cloudflare Pages

ZinApp’s frontend is hosted on Cloudflare Pages, which provides:

  • Global CDN delivery with DDoS protection
  • HTTPS enforced on all connections
  • Automatic SSL certificate management

Responsible disclosure

If you discover a security vulnerability in ZinApp, please report it responsibly by emailing info@zincontent.com. We will acknowledge your report within 48 hours and work to address the issue promptly. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.