Quick Facts
- TLS 1.2+ in transit and AES-256 at rest (managed database); 2FA secrets are additionally encrypted under a dedicated per-environment key.
- OAuth 2.0 sign-in with Google — we never see your social password.
- 2FA via TOTP with any authenticator app (Google Authenticator, Authy, 1Password, etc.).
- Brute-force protection with rate-limiting, progressive lockout, and CAPTCHA.
- Stripe (PCI-DSS Level 1) handles all card data — no card numbers ever hit our servers.
- Workspace-scoped queries — every database query is filtered by your workspace identifier to prevent cross-tenant data access.
Our Commitment to Security
You're trusting us with sensitive financial data. We treat that as a hard constraint, not a marketing line. Every layer of the stack — encryption, authentication, infrastructure, code — is built defensively and reviewed by every engineer who ships against this codebase.
Data Encryption
Your data is encrypted at every stage:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using industry-standard TLS (1.2 and above).
- Encryption at Rest: Your financial data is encrypted at rest by our managed PostgreSQL provider using AES-256.
Authentication & Access Control
We secure access to your account using modern authentication standards:
- OAuth 2.0: Sign in securely with Google using the Authorization Code Flow with one-time code exchange — we never store your social media passwords.
- Two-Factor Authentication (2FA): Add a second layer of protection using any TOTP-based authenticator app (Google Authenticator, Authy, etc.). Your 2FA secret is additionally encrypted with a dedicated per-environment key before storage.
- JWT Sessions: Authenticated sessions use signed JSON Web Tokens with short expiry times. Tokens are automatically invalidated on password reset. All active sessions can be revoked from your account settings.
- Brute-Force Protection: Login attempts are rate-limited and monitored. Repeated failures trigger account lockout with email notification to the account owner.
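The brute-force bullet above describes rate-limited attempts, lockout on repeated failure and an owner notification. Here is an added example of one way to implement that progression (not this service's own code): an in-memory per-account counter whose lockout doubles each time it is triggered, with a deterministic clock so the behaviour can be checked. The thresholds, the account name and the in-process notification list are constructed for the demo.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5          # the 5th consecutive failure triggers a lockout (assumed threshold)
BASE_LOCK_SECONDS = 30    # first lockout length; doubles on each further lockout
MAX_LOCK_SECONDS = 3600   # cap so a self-inflicted lockout stays bounded


@dataclass
class AttemptState:
    failures: int = 0        # consecutive failures since the last lockout or success
    lockouts: int = 0        # how many lockouts so far; drives the exponential backoff
    locked_until: float = 0.0


class ProgressiveLockout:
    """Per-account failure tracking with exponentially growing lockouts.

    In-memory for the demo; a deployment keeps this in a shared store so every
    app instance sees the same state, and hands `notifications` to the mailer
    so the account owner learns about the lockout.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.accounts: Dict[str, AttemptState] = {}
        self.notifications: List[Tuple[str, int]] = []

    def check(self, account: str) -> Optional[float]:
        """Seconds of lockout remaining, or None when a login attempt may proceed."""
        st = self.accounts.get(account)
        if st is None or st.locked_until <= self.now():
            return None
        return st.locked_until - self.now()

    def record_failure(self, account: str) -> Optional[int]:
        """Count a failed attempt; returns the lockout length if this one triggered a lockout."""
        st = self.accounts.setdefault(account, AttemptState())
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return None
        lock_for = min(BASE_LOCK_SECONDS * (2 ** st.lockouts), MAX_LOCK_SECONDS)
        st.lockouts += 1
        st.failures = 0
        st.locked_until = self.now() + lock_for
        self.notifications.append((account, lock_for))
        return lock_for

    def record_success(self, account: str) -> None:
        """A successful login (only possible while not locked) clears the history."""
        self.accounts.pop(account, None)


class FakeClock:
    """Deterministic clock for the demo and tests; constructed, not part of any service."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    guard = ProgressiveLockout(now=clock)
    acct = "alice@example.com"  # constructed account name
    out = {}
    out["fails_before_lock"] = [guard.record_failure(acct) for _ in range(MAX_FAILURES - 1)]
    out["first_lock"] = guard.record_failure(acct)      # 30: first lockout
    out["blocked"] = guard.check(acct)                   # 30.0 seconds remaining
    clock.advance(31)
    out["after_wait"] = guard.check(acct)                # None: may try again
    for _ in range(MAX_FAILURES - 1):
        guard.record_failure(acct)
    out["second_lock"] = guard.record_failure(acct)     # 60: doubled
    out["notified"] = list(guard.notifications)
    clock.advance(61)
    guard.record_success(acct)
    out["after_success"] = guard.check(acct)             # None: counters cleared
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keying the counter on the account rather than the source address is what makes this a lockout rather than a rate limit; the two complement each other, since a per-account lockout alone can be turned into a denial of service against that account, which is why the lockout length is capped and the owner is told.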
Infrastructure Security
Our application is hosted on industry-leading cloud infrastructure that provides robust physical and network security, including DDoS mitigation, firewalls, and regular patching.
Workspace Isolation
We enforce a strict architecture so that your workspace data is isolated from other users and workspaces. Every database query is scoped to your unique workspace identifier, which is designed to prevent data access across workspaces.
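The scoping rule above, as an added example rather than this service's own code: a small data-access layer over SQLite in which the workspace identifier is bound once, at construction, and every SELECT and UPDATE carries it in the WHERE clause. The table, workspace ids and invoice rows are constructed for the demo. The unscoped function at the end shows what the filter prevents: a lookup by invoice id alone would return another workspace's row.

```python
import sqlite3
from typing import List, Optional, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory dataset: two workspaces sharing one invoices table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " workspace_id TEXT NOT NULL,"
        " amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, workspace_id, amount_cents) VALUES (?, ?, ?)",
        [(1, "ws_alpha", 12000), (2, "ws_alpha", 4500), (3, "ws_beta", 99000)],
    )
    # Index the tenant column so the scoping predicate is cheap as well as correct.
    conn.execute("CREATE INDEX invoices_workspace ON invoices (workspace_id)")
    conn.commit()
    return conn


class WorkspaceRepo:
    """Every query goes through here and every query carries the workspace id.

    The id comes from the authenticated session at construction time, never from
    the request, so changing a URL parameter cannot reach another tenant's rows.
    """

    def __init__(self, conn: sqlite3.Connection, workspace_id: str):
        self.conn = conn
        self.workspace_id = workspace_id

    def get_invoice(self, invoice_id: int) -> Optional[Tuple[int, int]]:
        return self.conn.execute(
            "SELECT id, amount_cents FROM invoices WHERE id = ? AND workspace_id = ?",
            (invoice_id, self.workspace_id),
        ).fetchone()  # None when the id exists but belongs to another workspace

    def list_invoices(self) -> List[Tuple[int, int]]:
        return self.conn.execute(
            "SELECT id, amount_cents FROM invoices WHERE workspace_id = ? ORDER BY id",
            (self.workspace_id,),
        ).fetchall()

    def set_amount(self, invoice_id: int, amount_cents: int) -> int:
        """Writes are scoped too; returns rows affected (0 means not ours, nothing changed)."""
        cur = self.conn.execute(
            "UPDATE invoices SET amount_cents = ? WHERE id = ? AND workspace_id = ?",
            (amount_cents, invoice_id, self.workspace_id),
        )
        self.conn.commit()
        return cur.rowcount


def unscoped_get_invoice(conn: sqlite3.Connection, invoice_id: int):
    """The pattern the policy rules out: the primary key alone selects the row,
    so any caller who knows an id reads whichever tenant's invoice it belongs to."""
    return conn.execute(
        "SELECT id, workspace_id, amount_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def demo() -> dict:
    conn = build_sample_db()
    alpha = WorkspaceRepo(conn, "ws_alpha")
    beta = WorkspaceRepo(conn, "ws_beta")
    return {
        "alpha_sees_own": alpha.get_invoice(1),
        "alpha_sees_beta": alpha.get_invoice(3),         # None: filtered out
        "beta_sees_own": beta.get_invoice(3),
        "alpha_edits_beta": alpha.set_amount(3, 1),      # 0 rows: write also blocked
        "beta_unchanged": beta.get_invoice(3),
        "alpha_list": alpha.list_invoices(),
        "unscoped_leak": unscoped_get_invoice(conn, 3),  # what the filter prevents
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of funnelling all access through one class is reviewability: a missing `workspace_id = ?` is a one-file grep rather than a search across every handler, and a test like the one in `demo()` can be run against each method as a regression check.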
Payment Security
We do not store your full credit card information on our servers. All payment processing is handled by Stripe, a PCI-DSS Level 1 compliant payment processor, ensuring your billing information is handled with the highest level of security.
Monitoring & Incident Response
We log security events and suspicious activity, with automated alerting on anomalies. In the event of a security incident, we follow a documented incident-response process to investigate, mitigate, and notify affected users as required by applicable law.
Report a Security Vulnerability
If you believe you have discovered a security vulnerability in our application, please report it to us responsibly at security@getzerodue.com. Do not publicly disclose the issue until we have had a chance to address it. We appreciate the security community's help in keeping our platform safe.
You can also find our security disclosure policy at getzerodue.com/.well-known/security.txt.