1. Data handling
Zypflow stores application data in Supabase, including PostgreSQL data and supporting storage used by the product. Data is hosted in the EU, encrypted at rest by the underlying infrastructure provider, and separated at the application layer with organisation-scoped access controls.
- Business, lead, booking, and review records are stored per organisation.
- Row Level Security is used to keep customer data scoped to the right workspace.
- Only the minimum data needed to run automations, reminders, and reporting is stored.
2. Authentication
Authentication is handled through Supabase Auth for email and password sign-in plus supported OAuth providers. Passwords are not stored in plain text in the application, and session handling is delegated to the auth layer rather than custom code in page components.
- Supabase Auth manages password hashing and session issuance.
- Protected dashboard routes verify session state before rendering sensitive pages.
- Workspace membership and role checks are used to limit access to private data.
3. Infrastructure
Zypflow is designed around Oracle Cloud compute, with Cloudflare managing public DNS and edge-level domain controls. Host-level firewall rules are managed with iptables so each service exposes only the ports it needs.
- Oracle Cloud infrastructure is split by role rather than exposing every service on one host.
- Cloudflare manages domain routing and acts as the first layer in front of public traffic.
- iptables rules are used to restrict inbound access and keep private services off the public internet.
4. Compliance
Zypflow is built for UK service businesses and is operated with UK GDPR obligations in mind. The public site includes cookie consent controls, a published cookie policy, and a Data Processing Addendum for businesses that need it.
- Cookie controls are available from the site footer and explained in the cookie policy.
- A dedicated DPA and sub-processors list are available for customers and procurement reviews.
- DSAR and deletion requests can be sent to hello@zypflow.co.uk.
5. API security
Public routes are protected with rate limits, request validation, and signature checks on sensitive webhook endpoints. Cross-origin behaviour is kept explicit so embedded widgets can work without turning the entire API into an open target.
- Rate limiting is applied across AI, messaging, portal, widget, and billing routes.
- Webhook signature verification is enforced for providers such as Stripe and Cal.com.
- CORS is handled explicitly for public widget endpoints instead of being broadly open.
- Input validation runs at system boundaries before business logic executes.
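
As an illustration of the webhook signature checks listed above, the following added example (not Zypflow's own code) verifies a request signed with Stripe's documented scheme: a `Stripe-Signature` header carrying `t=` and one or more `v1=` values, where `v1` is an HMAC-SHA256 over the timestamp, a dot, and the raw request body. The function names, the secret, the event body, and the 300-second tolerance are assumptions chosen for the example.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window for this example


def sign(payload: bytes, secret: str, timestamp: int) -> str:
    """Compute the v1 signature: HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_header(header: str):
    """Split 't=...,v1=...,v1=...' into a timestamp and a list of v1 signatures."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue  # ignore fragments without a key=value shape
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Return True only for a fresh request carrying a valid v1 signature."""
    timestamp, signatures = parse_header(header)
    if timestamp is None or not signatures:
        return False  # malformed or unsigned: reject before any business logic
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale timestamp: treat as a replay
    expected = sign(payload, secret, timestamp).encode()
    # Constant-time comparison; several v1 values can appear during secret rotation.
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)


# Constructed sample values, not real credentials or events.
SECRET = "whsec_constructed_example"
BODY = b'{"id":"evt_constructed","type":"invoice.paid"}'
NOW = 1_700_000_000
GOOD_HEADER = f"t={NOW},v1={sign(BODY, SECRET, NOW)}"
```

The check must run on the raw request bytes as received; re-serialising parsed JSON before verification changes the signed content and makes valid requests fail.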