Security & Compliance

Your security is our priority

Full transparency on how we protect your data. We do not promise perfection — we promise transparency and response.

Infrastructure

  • Runs on Cloudflare Workers — global edge, Saudi visitors served from Jeddah + Riyadh POPs
  • D1 database with Time Travel (30-day recovery)
  • Secrets stored in Cloudflare Secrets — not readable from code
  • HSTS + preload + TLS 1.3 enforced

Application security

  • Strict CSP: frame-ancestors 'none'; script-src 'self'
  • CSRF enforced on all /api/admin/* operations
  • HMAC-SHA256 on every Hub webhook
  • IP + User-Agent binding on transfer tokens
  • Rate limiting on /login and /sso/callback (KV-backed)
  • XSS prevention: whitelist for status/plan/error params
  • Open-redirect prevention: sanitizeNext locked to APP_DOMAIN
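As an added illustration of the open-redirect control named above (not zayenha.com's own code), here is how a sanitizeNext helper can lock a post-login `next` value to APP_DOMAIN; the domain value, function name and return shape are assumptions:

```javascript
// Added example, not the site's own code. APP_DOMAIN is a placeholder value.
const APP_DOMAIN = "app.example.com"; // assumed: the only host `next` may target
const DEFAULT_NEXT = "/";

// Returns a safe, same-origin path for the `next` parameter, or DEFAULT_NEXT.
// Input is resolved against https://APP_DOMAIN so that relative inputs such as
// "//evil.example" are parsed the way a browser would, then the host is checked.
function sanitizeNext(next) {
  if (typeof next !== "string" || next.length === 0 || next.length > 2048) {
    return DEFAULT_NEXT;
  }
  // Reject control characters and backslashes up front: browsers normalise
  // "\" to "/" in URLs, so "/\evil.example" would otherwise become a host.
  if (/[\u0000-\u001f\\]/.test(next)) return DEFAULT_NEXT;

  let url;
  try {
    url = new URL(next, `https://${APP_DOMAIN}/`);
  } catch {
    return DEFAULT_NEXT;
  }
  // Only https on exactly APP_DOMAIN survives; this rejects "javascript:",
  // "data:", protocol-relative "//other.host" and "https://other.host/...".
  // Comparing `host` (not `hostname`) also rejects a non-default port.
  if (url.protocol !== "https:" || url.host !== APP_DOMAIN) return DEFAULT_NEXT;
  // "https://app.example.com@evil.example/" fails the host check above;
  // credentials on the correct host are rejected here to keep Location clean.
  if (url.username || url.password) return DEFAULT_NEXT;

  // Return a root-relative path, never the absolute URL, so the caller cannot
  // emit a cross-origin Location header by mistake.
  return url.pathname + url.search + url.hash;
}
```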

Privacy & compliance

  • PDPL compliant (Saudi Personal Data Protection Law) via Cloudflare's certified cross-border DPA
  • No raw IP storage — only truncated SHA-256 hash
  • Central storage: Cloudflare D1 in the EU (EEUR region). Will migrate to a Saudi region as soon as Cloudflare offers one for D1
  • Content delivery: Cloudflare edge POPs in Jeddah + Riyadh (≈20-40ms for Saudi visitors)
  • Full audit log (app_audit_logs) for every sensitive operation
  • 14-day personal data recovery (PDPL §15)
  • Instant account deletion from /account → "Delete account"

Vulnerability reporting

  • If you discover a vulnerability, please email z@zayenha.com
  • Responsible researchers may be rewarded.
  • Please do not publish details until we confirm a fix (we aim for 30 days).

Security review for enterprises

We provide full security questionnaires, SOC 2 (in preparation), and custom SLAs for Enterprise.

Contact security team