An overview of the security practices we use to protect Zovaty users and their data. This page is informational and does not constitute a warranty or certification.
This page is provided for transparency. It is not legal advice and does not create warranties or guarantees beyond what is stated.
Security
Last updated: June 30, 2026
Our approach
Security is an ongoing process, not a one-time setup. We designZovaty with defense in depth: authenticated access, least privilege, encrypted transport, and server-side handling of sensitive operations. No system is perfectly secure; we work to reduce risk and respond to issues responsibly.
Authentication (Supabase Auth)
- User accounts are managed through Supabase Auth with industry-standard session handling.
- Passwords (when used) are hashed and managed by the auth provider — we do not store plaintext passwords.
- Sessions use secure cookies and are refreshed through our application middleware.
- Protected routes require a valid authenticated session before accessing builder, dashboard, and billing features.
OAuth login
You may sign in with third-party providers such as Google or GitHub. OAuth redirects are configured to trusted callback URLs on our domain. We receive only the profile information needed to create and maintain your account (such as email and name), as permitted by the provider.
Database and access control
- Application data is stored in Supabase PostgreSQL with Row Level Security (RLS) policies.
- Users can access only their own profile, websites, credits, and billing history rows.
- Sensitive mutations (credit deductions, billing webhooks) run through security-definer RPCs or server-only service roles.
- Direct client access to privileged tables is restricted.
Server-side AI keys
AI provider API keys are stored as server environment variables and are never exposed to the browser or prefixed with NEXT_PUBLIC_. AI requests are initiated from server actions and API routes so keys remain on the server.
Payment security
Payments are processed by Lemon Squeezy, a dedicated payment platform. Card data is collected and stored by the payment provider according to their PCI-compliant infrastructure. Our application receives billing events through signed webhooks; we verify webhook signatures before updating subscriptions or granting credits.
Billing details: Refund Policy · billing@zovaty.com
Transport and infrastructure
- Traffic is served over HTTPS in production.
- Security headers (such as frame protection and content-type options) are configured at the application layer.
- Published customer sites may use separate caching rules from the main application.
- Hosting and deployment follow provider best practices (e.g., Vercel, Supabase).
Data protection practices
- Principle of least privilege for production credentials
- Separation of client-safe and server-only environment variables
- Credit and billing idempotency to prevent duplicate charges or grants
- Audit logging for credit history and payment events
- Regular dependency updates and production build validation
For how we handle personal data, see our Privacy Policy.
Your responsibilities
- Use a strong, unique password or OAuth provider with two-factor authentication enabled.
- Do not share account credentials or API keys.
- Review AI-generated and published content before making it public.
- Report suspected vulnerabilities or unauthorized access promptly.
Reporting security issues
If you believe you have found a security vulnerability, please email hello@zovaty.com with a description and steps to reproduce. Please do not publicly disclose issues until we have had a reasonable opportunity to investigate. We appreciate responsible disclosure.