Company-scoped data boundaries
Every request, query, export, and report is scoped by company_id. Attachments follow the same boundary via polymorphic associations.
Cross-tenant reads/writes are prevented by design in the application layer and reviewed during code changes.
Strict scoping
Controllers, models, and queries enforce company_id checks before data access.
Least privilege
Role-based permissions restrict who can view, export, or modify sensitive records.
Attachment safety
Uploads are stored with tenant-aware paths/IDs and validated on every download route.
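As an added example (not Zofoo's code), the following shows how company_id scoping of the kind described above is usually enforced in a Laravel application: a global Eloquent scope applied to every tenant-owned model, a trait that stamps company_id from the session on create, and an attachment download route that relies on the scope before the permission check. Class, column and disk names are assumptions; several classes are shown in one file for brevity.

```php
<?php
// Added example, not Zofoo's code: automatic company_id scoping for Eloquent models and an
// attachment download route that relies on it. Class, column and disk names are assumptions;
// several classes are shown in one file for brevity.

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// Global scope: every query on a tenant-owned model gets "WHERE company_id = ?" for the
// authenticated user's company. With no tenant context (CLI, queue worker without one set)
// the query is made to match nothing rather than silently returning every tenant's rows.
final class CompanyScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $companyId = auth()->user()?->company_id;

        if ($companyId === null) {
            $builder->whereRaw('1 = 0');   // fail closed
            return;
        }

        $builder->where($model->qualifyColumn('company_id'), $companyId);
    }
}

// Mixed into every tenant-owned model. Also stamps company_id on create from the session,
// never from request input, so a crafted form cannot write into another company.
trait BelongsToCompany
{
    public static function bootBelongsToCompany(): void
    {
        static::addGlobalScope(new CompanyScope());

        static::creating(function (Model $model): void {
            $model->company_id = auth()->user()->company_id;
        });
    }
}

// Attachments are tenant-scoped themselves and point at a tenant-scoped owner
// (Invoice, Employee, ...) through a polymorphic relation.
class Attachment extends Model
{
    use BelongsToCompany;

    public function attachable()
    {
        return $this->morphTo();
    }

    // Tenant-aware object key: the company id is part of the path and the file name is a
    // random UUID, so the user-supplied file name never becomes a storage path.
    public static function storagePath(int $companyId, string $uuid): string
    {
        return "tenants/{$companyId}/attachments/{$uuid}";
    }
}

// Download route. Route model binding runs through the global scope, so an attachment id that
// belongs to another company resolves to 404 before any controller code runs; the Gate check
// then applies the role permission on top (the AttachmentPolicy itself is not shown).
Route::middleware('auth')->get('/attachments/{attachment}', function (Attachment $attachment) {
    Gate::authorize('view', $attachment);

    return Storage::disk('private')->download($attachment->path, $attachment->original_name);
});
```

Two review points follow from this design: any call to `withoutGlobalScope(CompanyScope::class)` is a deliberate hole in the boundary and should be grepped for during code review, and because the scope fails closed, queued jobs and scheduled commands must establish the tenant context explicitly before touching tenant-owned models.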
Encryption in transit and at rest
All web traffic is protected with HTTPS/TLS. Sensitive fields can be encrypted at the application layer where applicable. Backups and object storage use encryption-at-rest offered by the provider.
| Layer | Details |
|---|---|
| Transport | TLS for browser ↔ app and app ↔ storage/database connections where supported. |
| At Rest | Provider-managed encryption for databases, volumes, and object storage. |
| Secrets | Environment variables and keys stored outside source control; rotated on change. |
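Application-layer encryption of sensitive fields, as mentioned above, is typically done in Laravel with the `encrypted` Eloquent cast. The added example below (not Zofoo's code) shows the cast together with the caveat it brings: an encrypted column cannot be used for lookups, so exact-match search needs a separate keyed-hash column. Model, column and config key names are assumptions.

```php
<?php
// Added example, not Zofoo's code: application-layer encryption of a sensitive column with
// Laravel's 'encrypted' Eloquent cast, plus a blind index for exact-match lookup.
// Model, column and config key names are assumptions.

use Illuminate\Database\Eloquent\Model;

class Employee extends Model
{
    protected $fillable = ['name', 'national_id', 'national_id_hash'];

    // Encrypted with APP_KEY on write and decrypted on read, transparently to application code.
    // The column must be a TEXT type: the stored value is base64 JSON (iv, ciphertext, MAC)
    // and is considerably longer than the plaintext.
    protected $casts = [
        'national_id' => 'encrypted',
    ];

    // Exact-match lookup cannot use the encrypted column, because every row carries a distinct
    // IV and therefore a distinct ciphertext. Keep an HMAC in a separate indexed column, keyed
    // with a dedicated secret (assumed config key below), not with APP_KEY.
    public static function blindIndex(string $plaintext): string
    {
        return hash_hmac('sha256', $plaintext, config('services.pii_index.key'));
    }

    public static function findByNationalId(string $nationalId): ?self
    {
        return static::where('national_id_hash', self::blindIndex($nationalId))->first();
    }

    protected static function booted(): void
    {
        // Keep the hash column in step with the plaintext on every save.
        static::saving(function (self $employee): void {
            if ($employee->isDirty('national_id')) {
                $employee->national_id_hash = self::blindIndex($employee->national_id);
            }
        });
    }
}

// What is stored versus what application code sees:
//   $e = Employee::create(['name' => 'A. Example', 'national_id' => '123-45-6789']);
//   $e->national_id;                   // '123-45-6789'
//   $e->getRawOriginal('national_id'); // 'eyJpdiI6...' (ciphertext as stored)
//   Employee::where('national_id', '123-45-6789')->first(); // null: never matches
//   Employee::findByNationalId('123-45-6789');              // the row
```

The trade-off to keep in mind: the blind index leaks equality (two employees with the same value hash to the same column value), which is exactly what exact-match search needs and nothing more; prefix or range queries over an encrypted field are not possible with this approach.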
Granular roles & permissions
Role-based access control (RBAC) ensures users only see and do what their role permits across CRM, HR, Accounting, Projects, and more.
RBAC
ADMIN / MANAGER / STAFF roles map to module capabilities. Custom rules can be added as needed.
Approvals
Built-in approval steps for HR, payroll, and People Ops reduce risky single-actor changes.
Sessions
Modern authentication with secure cookies; idle and absolute session timeouts are configurable.
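As an added example (not Zofoo's code), here is one way the three items above fit together in Laravel: a role to module-capability matrix registered as Gates, a separation-of-duties rule for approvals, and middleware that adds an absolute session lifetime on top of the idle timeout Laravel already provides through `session.lifetime`. Role names follow the page (ADMIN / MANAGER / STAFF); the capability names, the PayrollRun model and its `submitted_by` column are assumptions.

```php
<?php
// Added example, not Zofoo's code: a role -> module capability matrix exposed as Laravel Gates,
// a separation-of-duties check for approvals, and middleware for an absolute session lifetime.
// Role names follow the page (ADMIN / MANAGER / STAFF); capability names, the PayrollRun model
// and its columns are assumptions.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// Deny by default: a role can do exactly what is listed here and nothing else.
const ROLE_CAPABILITIES = [
    'ADMIN'   => ['crm.view', 'crm.edit', 'crm.export', 'hr.view', 'hr.edit', 'hr.export',
                  'payroll.view', 'payroll.edit', 'payroll.approve'],
    'MANAGER' => ['crm.view', 'crm.edit', 'crm.export', 'hr.view', 'payroll.view', 'payroll.edit'],
    'STAFF'   => ['crm.view'],
];

function roleCan(string $role, string $capability): bool
{
    return in_array($capability, ROLE_CAPABILITIES[$role] ?? [], true);
}

// Call from AuthServiceProvider::boot(). Afterwards controllers use $this->authorize('hr.export'),
// routes use ->middleware('can:hr.export') and Blade templates use @can('hr.export').
function registerCapabilityGates(): void
{
    foreach (array_unique(array_merge(...array_values(ROLE_CAPABILITIES))) as $capability) {
        Gate::define($capability, fn ($user) => roleCan($user->role, $capability));
    }

    // Approval step: the approver needs the capability AND must not be the person who submitted
    // the run, so a single actor cannot both prepare and approve a payroll change.
    Gate::define('payroll.approve-run', fn ($user, PayrollRun $run) =>
        roleCan($user->role, 'payroll.approve') && $run->submitted_by !== $user->id
    );
}

// session.lifetime is an idle timeout (it resets on every request). This middleware adds an
// absolute limit measured from login, after which the user must sign in again. Register it in
// the 'web' group after StartSession; 'auth.started_at' is written by the Login listener below.
final class EnforceAbsoluteSessionLifetime
{
    public function handle(Request $request, Closure $next, int $maxMinutes = 480)
    {
        $session   = $request->session();
        $startedAt = $session->get('auth.started_at');

        if ($startedAt !== null && now()->timestamp - $startedAt > $maxMinutes * 60) {
            auth()->logout();
            $session->invalidate();
            $session->regenerateToken();

            return redirect()->route('login')->with('status', 'Your session has expired. Please sign in again.');
        }

        return $next($request);
    }
}

// Listener for Illuminate\Auth\Events\Login: stamp the start of the authenticated session once,
// at login, rather than on whichever request happens to arrive first.
function onLogin(): void
{
    session(['auth.started_at' => now()->timestamp]);
}
```

The cookie side of "secure cookies" lives in `config/session.php`: `secure` (cookie only sent over HTTPS), `http_only` (not readable from JavaScript) and `same_site` (`lax` or `strict`) should all be set explicitly rather than left to defaults, and `invalidate()` followed by `regenerateToken()` on logout ensures the old session id and CSRF token cannot be replayed.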
Traceable by default
Key actions are logged with actor, time, and context. Exports and sensitive changes (e.g., payroll, HR records) are recorded for accountability.
Action logs
Create/update/delete events stored with metadata for investigations.
Export tracking
CSV/PDF exports can be tracked with purpose and requester identity.
Alerting hooks
Integrate logs with external alerting/monitoring pipelines if desired.
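The added example below (not Zofoo's code) shows a minimal implementation of the three items above: a model observer that records create/update/delete events with actor, time and changed attributes (redacting fields that must not appear in the log), and a CSV export action that records purpose and requester before streaming the file. The `audit_logs` table, the Employee model and its columns, the `hr.export` capability and the redaction list are assumptions.

```php
<?php
// Added example, not Zofoo's code: an observer that records create/update/delete events with
// actor, time and changed attributes, and an export action that records purpose and requester.
// The audit_logs table, the Employee model, its columns and the redaction list are assumptions.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Gate;

final class AuditLogger
{
    // Attribute names that never reach the log in clear text.
    private const REDACT = ['password', 'remember_token', 'national_id', 'bank_iban'];

    public static function record(string $action, ?Model $subject, array $changes = [], array $context = []): void
    {
        $actor = auth()->user();

        DB::table('audit_logs')->insert([
            'company_id'   => $actor?->company_id,
            'actor_id'     => $actor?->id,
            'action'       => $action,                       // 'employee.updated', 'export.hr.employees', ...
            'subject_type' => $subject ? $subject::class : null,
            'subject_id'   => $subject?->getKey(),
            'changes'      => json_encode(self::redact($changes)),
            'context'      => json_encode($context + ['ip' => request()->ip(), 'user_agent' => request()->userAgent()]),
            'created_at'   => now(),
        ]);
    }

    private static function redact(array $attributes): array
    {
        foreach (self::REDACT as $key) {
            if (array_key_exists($key, $attributes)) {
                $attributes[$key] = '[REDACTED]';
            }
        }
        return $attributes;
    }
}

// Register with Employee::observe(AuditObserver::class), and likewise for other traceable models.
final class AuditObserver
{
    public function created(Model $m): void
    {
        AuditLogger::record(self::action($m, 'created'), $m, $m->getAttributes());
    }

    public function updated(Model $m): void
    {
        // Inside the 'updated' event getChanges() holds only the attributes actually written,
        // and getOriginal() still returns the pre-save values, so both sides can be recorded.
        $diff = [];
        foreach ($m->getChanges() as $key => $new) {
            $diff[$key] = ['from' => $m->getOriginal($key), 'to' => $new];
        }
        AuditLogger::record(self::action($m, 'updated'), $m, $diff);
    }

    public function deleted(Model $m): void
    {
        AuditLogger::record(self::action($m, 'deleted'), $m, $m->getAttributes());
    }

    private static function action(Model $m, string $event): string
    {
        return strtolower(class_basename($m)) . '.' . $event;
    }
}

// Export tracking: purpose is a required form field, the requester is the authenticated user, and
// the log row is written before the file is streamed so an interrupted download still leaves a
// record. Cells that could be read as spreadsheet formulas are prefixed so they are not executed.
function exportEmployeesCsv(Request $request)
{
    Gate::authorize('hr.export');
    $purpose = $request->validate(['purpose' => ['required', 'string', 'max:200']])['purpose'];
    $rows    = Employee::query()->get();   // tenant-scoped by the model's company_id scope

    AuditLogger::record('export.hr.employees', null, [], [
        'format' => 'csv', 'purpose' => $purpose, 'rows' => $rows->count(),
    ]);

    $safe = fn ($v) => preg_match('/^[=+\-@\t\r]/', (string) $v) ? "'" . $v : $v;

    return response()->streamDownload(function () use ($rows, $safe) {
        $out = fopen('php://output', 'w');
        fputcsv($out, ['id', 'name', 'department']);
        foreach ($rows as $r) {
            fputcsv($out, [$r->id, $safe($r->name), $safe($r->department)]);
        }
        fclose($out);
    }, 'employees.csv', ['Content-Type' => 'text/csv']);
}
```

For the alerting hooks, the same `record()` call is the natural place to also write a structured line to a dedicated log channel (for example `Log::channel('audit')->info($action, $context)`) that a log shipper forwards to the customer's SIEM; keeping the database row as the system of record and the log line as the notification path avoids either one being the single point of failure.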
Resilience and recoverability
Regular, automated backups with periodic restore tests. Backups are encrypted and retained per policy, with requests for early purge supported for offboarded tenants.
| Backups | Details |
|---|---|
| Frequency | Daily snapshots (plus point-in-time options where supported). |
| Retention | Rolling retention policy; tenant-level data purge supported on verified requests. |
| Testing | Periodic test restores validate recovery procedures. |
Responsible AI within strict boundaries
ZofooAI works inside the suite. It respects tenant boundaries, adheres to role permissions, and logs usage for admins. Prompts and responses can be reviewed where enabled.
Tenant-safe
AI calls are scoped to the current tenant context; cross-tenant data is never mixed.
Visibility
Admin-level visibility into prompts and actions helps with oversight and audits.
Safe fallbacks
When AI is unsure, the UI encourages human confirmation over silent changes.
Secure-by-default engineering
We follow OWASP-aligned practices: input validation, output encoding, CSRF protection, prepared statements, dependency scanning, and code reviews focused on multi-tenant safety.
Framework hygiene
Laravel security features (CSRF tokens, auth middleware) used consistently.
Secrets management
Environment-based secrets; no credentials in code; rotation on change.
Dependency care
Regular updates and vulnerability checks for third-party packages.
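To make "prepared statements" and "input validation" concrete, the added example below (not Zofoo's code) puts the same contact search side by side in a string-built form, which is injectable and also breaks the company_id boundary, and in a parameterized form, followed by a store action that shows where allow-list validation and CSRF protection sit in a Laravel controller. Table, model and field names are assumptions.

```php
<?php
// Added example, not Zofoo's code: the same contact search written with string-built SQL
// (injectable, and a tenant-boundary bypass) and with bound parameters, followed by a store
// action showing where validation and CSRF sit. Table, model and field names are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// VULNERABLE, shown for contrast only: user input interpolated into SQL. A search string such as
//   x%' OR company_id <> '0
// turns the WHERE clause into "company_id = 5 AND name LIKE '%x%' OR company_id <> '0%'", and
// because AND binds tighter than OR the query returns contacts from every company.
function searchContactsVulnerable(string $q): array
{
    $companyId = auth()->user()->company_id;

    return DB::select("SELECT * FROM contacts WHERE company_id = {$companyId} AND name LIKE '%{$q}%'");
}

// HARDENED: prepared statement with bound parameters. The input reaches the database as a value
// and is never parsed as SQL. LIKE metacharacters are escaped as well, so a user cannot turn
// '%' or '_' into wildcards (backslash is the default LIKE escape in MySQL and PostgreSQL).
function searchContactsSafe(string $q): array
{
    $pattern = '%' . addcslashes($q, '%_\\') . '%';

    return DB::select(
        'SELECT * FROM contacts WHERE company_id = ? AND name LIKE ?',
        [auth()->user()->company_id, $pattern]
    );
}

// The query builder binds automatically, so this is equivalent to the hardened form:
//   Contact::where('name', 'like', $pattern)->get();
// whereRaw(), selectRaw(), orderByRaw() and DB::statement() are the places where string
// interpolation can still creep back in; they deserve a grep during code review.

final class ContactController
{
    // Routes in the 'web' middleware group pass through VerifyCsrfToken, so this POST is rejected
    // unless the form carried the @csrf hidden field (or the X-CSRF-TOKEN header for XHR).
    public function store(Request $request)
    {
        // Allow-list validation: only these keys, in these shapes, survive into $data.
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:120'],
            'email' => ['nullable', 'email', 'max:254'],
            'note'  => ['nullable', 'string', 'max:2000'],
        ]);

        // company_id comes from the session, never from the request body.
        $contact = Contact::create($data + ['company_id' => auth()->user()->company_id]);

        return redirect()->route('contacts.show', $contact);
    }
}
```

Output encoding is the remaining item on the list: Blade's `{{ $contact->name }}` HTML-escapes by default, while `{!! ... !!}` does not, so every unescaped echo should be treated as a finding unless the value is provably not user-controlled.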
Prepared for the unexpected
We maintain an incident runbook covering identification, containment, eradication, recovery, and post-mortem. Affected customers are notified in accordance with our policies and applicable laws.
Classification
Events triaged by severity and impact; escalation paths are predefined.
Communication
Timely customer communications, with updates posted on the Status page for service incidents.
Post-mortems
Blameless reviews; corrective actions tracked to completion.
Reliability & monitoring
We monitor uptime and key application metrics. Maintenance windows are announced in advance whenever possible.
| Area | Details |
|---|---|
| Status page | Live Service Status with incident history and scheduled maintenance. |
| Rate limits | Reasonable defaults to protect overall system health. |
| Resource isolation | Per-tenant scoping reduces blast radius of noisy neighbors at the app layer. |
Retention, deletion, and export
You can export data (CSV/PDF) per module. Upon verified offboarding, production data is deleted on request following our retention policy; backups age out per schedule.
Right to export
Admins can export records from CRM, HR, Accounting, etc., subject to role permissions.
Deletion
Data deletion on verified admin request; backup entries expire naturally per retention.
Privacy
See Privacy Policy and Terms for details.
Practical controls aligned with best practices
We align our controls with widely recognized frameworks (e.g., OWASP ASVS principles). If you have specific compliance needs or questionnaires, contact us and we’ll collaborate.
| Area | Control Examples |
|---|---|
| Application | CSRF protection, input validation, parameterized queries, output encoding. |
| Access | RBAC, least privilege, session security, secure password storage. |
| Operations | Backups, restore tests, monitoring, incident runbooks. |
Security FAQ
Do you encrypt data?
Yes—TLS in transit, and encryption at rest via our infrastructure provider. Sensitive app fields can be encrypted at the application layer.
How is tenant data isolated?
All access is scoped by company_id at the application layer; attachments and exports follow the same boundary.
Can I get a copy of my data?
Yes. Admins can export module data (CSV/PDF) based on role permissions.
What happens if there’s an incident?
We follow our incident runbook and notify affected customers as required. Updates are posted on the Status page for service disruptions.
Do you run vulnerability scans?
We review dependencies regularly and apply updates. We welcome responsible disclosure—reach out via Contact.
Do you support SSO or MFA?
Authentication uses secure modern defaults. Reach out for current SSO/MFA options suitable for your plan.