Security

At Zora Digital, security is a top priority. We implement industry-standard security practices to protect your data and ensure a safe experience.

Security Standards

Our application follows industry-recognized security frameworks and best practices:

  • OWASP Guidelines: We implement security measures aligned with the Open Web Application Security Project (OWASP) Top 10
  • Security Audits: Regular internal security assessments and code reviews
  • Continuous Monitoring: Real-time security event tracking and alerting
  • Secure Development: Security-first approach in our development lifecycle

Technical Security Measures

Infrastructure Security

  • TLS Encryption: All data transmitted between your browser and our servers is encrypted in transit with TLS (TLS 1.3 where the client supports it)
  • Secure Hosting: Application hosted on Vercel with enterprise-grade infrastructure and DDoS protection
  • Database Security: PostgreSQL database with encrypted connections and secure access controls
  • Environment Isolation: Separate development, staging, and production environments

Authentication & Access Control

  • Modern Authentication: Clerk-powered authentication with support for social logins (Google, etc.)
  • Password Security: Passwords are hashed with industry-standard algorithms by our authentication provider (Clerk) and are never stored or logged in plain text
  • Session Management: Secure session handling with automatic timeout and refresh mechanisms
  • Account Monitoring: Google Cross-Account Protection (RISC) security events alert us when Google detects hijacking, phishing, or unauthorized access on a linked Google account

Payment Security

  • PCI Compliance: Card data is handled by Stripe and PayPal (both PCI-DSS Level 1 certified service providers)
  • No Card Storage: Card numbers never reach or persist on our servers
  • Transaction Verification: Every payment webhook is verified against the provider's signing secret before it is processed; events that fail verification are rejected
  • Fraud Prevention: Order ownership verification, amount validation, and suspicious activity monitoring
  • Transaction Limits: Enforced donation limits to prevent fraudulent transactions

Application Security

  • Input Validation: All user input is validated for type, length, and format to prevent injection attacks and DoS
  • Output Encoding: Proper encoding of all output to prevent XSS (Cross-Site Scripting) attacks
  • CSRF Protection: Built-in protection against Cross-Site Request Forgery on state-changing requests
  • Error Handling: Secure error handling that logs details server-side without exposing sensitive information to users
  • Rate Limiting: API rate limits to prevent abuse and brute-force attacks
  • Security Headers: Proper HTTP security headers (CSP, X-Frame-Options, etc.)

Data Protection

  • Data Encryption: Sensitive data encrypted at rest and in transit
  • Access Controls: Role-based access control combined with per-record ownership checks, so users can only reach their own data
  • Data Isolation: Every query that returns user data is scoped to the authenticated user
  • Backup & Recovery: Regular automated backups with secure storage
  • Data Retention: Clear policies on data retention and secure deletion

OWASP Top 10 Coverage

We specifically address each of the OWASP Top 10 security risks:

1. Broken Access Control: Role-based access control, per-record ownership checks, session management, and user data isolation
2. Cryptographic Failures: TLS encryption, secure password hashing, and encrypted data storage
3. Injection: Input validation, parameterized queries, and ORM usage (Prisma)
4. Insecure Design: Security-first architecture, threat modeling, and secure defaults
5. Security Misconfiguration: Hardened configurations, minimal permissions, and security headers
6. Vulnerable Components: Regular dependency updates and security patch management
7. Authentication Failures: Modern auth (Clerk), MFA support, and session security
8. Software & Data Integrity: Webhook signature verification and secure update mechanisms
9. Security Logging Failures: Comprehensive logging and security event monitoring
10. Server-Side Request Forgery: Input validation and allow-list controls on any server-side fetch of a user-supplied URL

Third-Party Security

We carefully vet all third-party services we integrate with:

  • Clerk: SOC 2 Type II certified authentication provider
  • Stripe: PCI-DSS Level 1 certified payment processor
  • PayPal: PCI-DSS Level 1 certified payment processor
  • OpenAI: Enterprise-grade API with data privacy commitments
  • Vercel: SOC 2 compliant hosting infrastructure
  • Google Cloud: ISO 27001 certified infrastructure for RISC monitoring

Continuous Improvement

Security is an ongoing process. We continuously:

  • Monitor for new vulnerabilities in our dependencies
  • Review and update our security practices
  • Stay informed about emerging security threats
  • Implement security patches promptly
  • Conduct regular security assessments

Security Incident Response

In the unlikely event of a security incident, we have procedures in place to:

  • Quickly identify and contain the incident
  • Assess the impact and affected users
  • Notify affected users in accordance with applicable laws
  • Implement corrective measures
  • Conduct post-incident analysis to prevent recurrence

Responsible Disclosure

We welcome security researchers and users who discover potential vulnerabilities to report them responsibly. If you believe you've found a security issue:

Report a Security Issue

Please email us at security@zora.digital with:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Your contact information for follow-up

We aim to respond to security reports within 48 hours and will work with you to understand and address the issue promptly.

Questions?

If you have questions about our security practices, please contact us at security@zora.digital

Security Is a Shared Responsibility

While we implement robust security measures, we encourage users to practice good security hygiene: use strong, unique passwords, enable two-factor authentication, keep your devices secure, and be cautious of phishing attempts.

Last updated: November 17, 2025

NoteFlow - AI-Powered Note Taking