Skip to content

Data inventory — ZevCloud

Categories of data ZevCloud holds. Field-by-field detail lives in the schema folder under zevcloud-backend/src/common/database/schema/. This page is the DPO's overview — the schema is the source of truth for exact columns and types.

What we don't store

ZevCloud does not store the customer's email, password, or KYC data. Those live in ZevID. We address customers by their accountId (a UUID issued by ZevID) and read identity fields on demand via the ZevID internal API.

Identity references (not the identity itself)

Category What we hold Schema
Account pointer accountId (UUID issued by ZevID) on every team-membership / billing / audit row every owning table
ZevID enrollment sync Whether this account is enrolled in ZevCloud + their tier — written into ZevID, not stored locally n/a (ZevID-owned)

Team + collaboration data

Category What we hold Schema
Team Team name, owner account id, created/updated timestamps teams.schema.ts
Team membership Per-account team membership + role team-members.schema.ts
API keys Hashed keys + scopes for programmatic access api-keys.schema.ts (hash only — plaintext shown once at creation)

Service + deployment data (customer-controller, ZevCloud-processor)

Category What we hold Schema
Service Service name, type (app / static / DB / worker), team, server allocation services.schema.ts
Service settings Build commands, runtime config, port + healthcheck service-settings.schema.ts
Environment variables Encrypted at rest (AES-256-GCM via the field-crypto service); plaintext is write-only after the isSecret: true flag flips env-vars.schema.ts
Deployment events Per-deploy metadata (commit hash, status, started/finished timestamps) deployments.schema.ts
Build / runtime logs Streamed to the Coolify host; not centrally stored by ZevCloud n/a — ephemeral on Coolify volume

Domain registration + DNS

Category What we hold Schema
Registered domain FQDN, status, registry, expiry, auto-renew flag registered-domains.schema.ts
Domain contacts (registrant, admin, billing, tech) Encrypted at rest (FIELD_ENCRYPTION_KEY AES-256-GCM); registry submits required PII for ICANN/NIRA compliance domain-contacts.schema.ts
EPP auth code Encrypted at rest; used for transfer-in/out column on registered_domains
DNS records Mirror of the Cloudflare zone (CF is source of truth; we keep a mirror for fallback reads + ZPIP attribution) dns-records.schema.ts
Domain orders (cart) Cart state for multi-domain purchases domain-orders.schema.ts

Billing data

Category What we hold Schema
Invoice Header + line items + amount + status; total billed / paid invoices.schema.ts
Subscription Recurring billing schedule, plan id, next renewal date subscriptions.schema.ts
Payment method Tokenised reference (ZevPay's token; no card numbers, BVN, or bank-account credentials stored by ZevCloud) payment-methods.schema.ts
Plan / TLD pricing Sellable plans + per-TLD pricing matrix (no PII) plans.schema.ts, tlds.schema.ts
Credits ledger ref Pointer into ZevID's Zev Credit balance (ZevID is the canonical ledger) n/a — read via ZevID API

Audit + admin

Category What we hold Schema
Admin audit log Every admin action against a customer resource (mark-paid, refund, attach-external-domain, force-delete-alias, etc.) — actor admin id, target resource, before/after where relevant admin-audit-logs.schema.ts
ZPIP token + delivery audit Inbound consent + outbound webhook deliveries outbound-zpip.schema.ts, plus the inbound audit captured in the ZPIP middleware

Special categories (NDPA Sensitive Personal Data)

Not applicable. ZevCloud does not collect biometric, health, racial/ethnic, political, religious, sexual-orientation, or genetic data. KYC outcome (the one place biometric-derived data could land) is held by ZevID — see ZevID's data inventory.