Security

Infrastructure

• Hosting: Vercel (application) and Supabase (database, EU region — Frankfurt)
• Encryption in transit: TLS 1.2+ for all connections
• Encryption at rest: AES-256 for databases and backups
• Network: private connections between services where available; all public endpoints behind HTTPS

Access control

• Role-based access control on all internal systems
• Multi-factor authentication required for all personnel
• Least-privilege principles — staff access only the data they need to do their job
• Access logs reviewed regularly

Secrets and credentials

• All API keys, tokens, and secrets stored in dedicated vaults
• Client WhatsApp access tokens encrypted at rest
• Secrets rotated on personnel changes

Data isolation

• Each Operator’s data is logically isolated at the database layer (row-level security)
• No cross-tenant data access

Sub-processors

See our Privacy Policy for a current list of sub-processors. Data Processing Agreements are in place with all sub-processors.

Incident response

We have defined procedures for security incidents, including:

• 24-hour internal escalation
• Customer notification within 72 hours of a confirmed breach
• Root-cause analysis and remediation tracking

Report a security issue: security@zatio.io

Compliance

• UK GDPR and EU GDPR
• Spanish LOPDGDD
• EU AI Act (Art. 50 — AI transparency)
• WhatsApp Business Policy and Meta Platform Policies

Contact

Security enquiries: security@zatio.io