Back to Zenova

Security

Last updated: February 21, 2026

Our Security Commitment

At Zenova, we take security seriously. We understand that you trust us with your productivity data, calendar information, and in some cases, payment details. This page outlines our security practices and how you can report security issues.

Security Measures

  • Encryption in Transit: All data is transmitted over HTTPS using TLS 1.3
  • Encryption at Rest: Google OAuth tokens are encrypted using AES-256-GCM
  • Secure Authentication: We use Supabase Auth with secure session management
  • Database Security: PostgreSQL with row-level security and encrypted connections
  • Payment Security: All payments processed through Stripe (PCI DSS compliant)
  • Regular Updates: Dependencies are regularly updated for security patches
  • Input Validation: All user inputs are validated and sanitized
  • Rate Limiting: API endpoints are protected against abuse

Responsible Disclosure

We appreciate the security community's efforts in helping keep Zenova secure. If you believe you've found a security vulnerability, please report it to us responsibly.

How to Report

Please send security reports to: security@zenova.sh

Include the following details:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information for follow-up

Our Commitment to You

  • We will acknowledge receipt of your report within 48 hours
  • We will investigate and provide updates on our progress
  • We will not take legal action against researchers who follow responsible disclosure
  • We will credit researchers (with their permission) for validated reports
  • We aim to fix critical vulnerabilities within 30 days

Scope

The following are in scope for security testing:

  • https://zenova.sh and subdomains
  • API endpoints at https://zenova.sh/api/*
  • Mobile and desktop applications (when available)

The following are out of scope:

  • Third-party services (Supabase, Stripe, Google)
  • Social engineering attacks
  • Physical security testing
  • Denial of Service (DoS) attacks
  • Testing that affects other users' data

Security Headers

We implement the following security headers:

  • X-Frame-Options: DENY - Prevents clickjacking
  • X-Content-Type-Options: nosniff - Prevents MIME sniffing
  • Content-Security-Policy - Restricts resource loading
  • Referrer-Policy - Controls referrer information

Data Protection

Learn more about how we protect your data in our Privacy Policy.

Contact

For security inquiries, email us at: security@zenova.sh