Security

Security at zForms

Security and privacy are at the core of everything we build. Learn about our security practices and commitment to protecting your data.

System status: All Systems Secure (Operational)

Last security audit: January 15, 2025

Data Protection

Encryption at Rest

  • All data is encrypted at rest using AES-256 encryption
  • Database backups are encrypted with separate encryption keys
  • Encryption keys are managed using industry-standard key management systems
  • Regular key rotation following security best practices

Encryption in Transit

  • All data transmission uses TLS 1.3 or higher
  • HTTPS enforced across all zForms domains and APIs
  • Certificate pinning for enhanced security
  • Perfect Forward Secrecy (PFS) enabled

Privacy-First Architecture

  • We DO NOT collect: Form field values, user input, passwords, or PII
  • We ONLY collect: Interaction metadata (focus, blur, submit events)
  • IP addresses are anonymized before storage
  • Session IDs are cryptographically hashed

Infrastructure Security

Cloud Infrastructure

  • Hosted on SOC 2 Type II certified cloud providers
  • Multi-region redundancy for high availability
  • Automated failover and disaster recovery
  • Infrastructure as Code (IaC) with security scanning

Network Security

  • DDoS protection and rate limiting
  • Web Application Firewall (WAF) with OWASP rules
  • Virtual Private Cloud (VPC) isolation
  • Regular penetration testing and vulnerability assessments

Database Security

  • Row-level security (RLS) policies enforced
  • Principle of least privilege access control
  • Automated backup with point-in-time recovery
  • Database activity monitoring and alerting

Access Control

Authentication

  • Passwords hashed using bcrypt with per-user salts
  • Multi-factor authentication (MFA) available
  • OAuth 2.0 and SAML 2.0 support for enterprise SSO
  • Session management with automatic timeout

Authorization

  • Role-based access control (RBAC)
  • API key management with scoped permissions
  • Audit logs for all access and actions
  • Regular access reviews and certification

Employee Access

  • Strict principle of least privilege
  • Background checks for all employees
  • Security awareness training (quarterly)
  • Access automatically revoked upon departure

Compliance & Certifications

GDPR Compliant

Full compliance with the EU General Data Protection Regulation, including data subject rights, consent management, and data portability.

CCPA Compliant

Compliance with the California Consumer Privacy Act, including consumer rights to access, deletion, and opt-out.

SOC 2 Type II

Our cloud infrastructure providers maintain SOC 2 Type II certification for security, availability, and confidentiality.

ISO 27001

Working towards ISO 27001 certification for information security management. Expected completion: Q2 2025.

Security Best Practices

Secure Development

  • Security review for all code changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Regular security training for developers

Monitoring & Incident Response

  • 24/7 security monitoring and alerting
  • Automated threat detection and response
  • Defined incident response procedures
  • Post-incident analysis and improvements

Regular Audits

  • Quarterly internal security audits
  • Annual third-party penetration testing
  • Continuous vulnerability scanning
  • Bug bounty program for responsible disclosure

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the security research community's efforts to help keep zForms and our users safe.

Reporting a Vulnerability

If you believe you've found a security vulnerability in zForms:

  1. Email us at security@zforms.xyz
  2. Provide detailed steps to reproduce the vulnerability
  3. Allow us 90 days to address the issue before public disclosure
  4. Do not exploit the vulnerability beyond what's necessary to demonstrate it

Our Commitment

  • We will acknowledge your report within 24 hours
  • We will provide regular updates on our progress
  • We will credit you in our security hall of fame (if desired)
  • We will not pursue legal action for good-faith security research

Security Questionnaire

Enterprise customers often require detailed security documentation. We maintain a comprehensive security questionnaire covering:

  • Application security practices
  • Infrastructure and network security
  • Data protection and encryption
  • Access control and authentication
  • Compliance and certifications
  • Incident response procedures

To request our security questionnaire or schedule a security review, contact: security@zforms.xyz

Security Contact

For security-related inquiries, please contact: