
Security architecture — ecosystem-wide

Cross-cutting security controls that apply across every Zev product. Per-product specifics live in each product's security.md — this page is what's true for ALL of them.

Trust boundaries

  • Public internet ↔ Zev product front-ends (web, mobile). Boundary: edge proxy + WAF (Cloudflare).
  • Public internet ↔ Zev product APIs. Boundary: TLS termination + auth (per-product token + ZPIP).
  • Zev product ↔ Zev product (ZPIP). Boundary: mutual JWT-based auth, audience-bound tokens, per-call scope check.
  • Zev product ↔ external processor. Boundary: vendor-specific (TLS, API keys, mTLS where supported). Documented in third-parties.md per product.
  • Zev staff ↔ production data. Boundary: ZevID admin login + admin MFA, role-based access.

Authentication primitives

  • End-user authentication: ZevID (the identity provider). Single login, single MFA enrolment, used by every Zev product. Per-product flows in each product's security.md.
  • Service-to-service: ZPIP tokens (RS256, 5-min TTL, audience-bound). Spec: zpip.md.
  • Staff to production: ZevID admin login + admin MFA.

Encryption

  • At rest: every product uses Postgres TDE (or equivalent depending on managed-DB provider). Application-layer encryption is layered on top for sensitive fields (TOTP secrets, phone numbers in ZevID, payment-card data in ZevPay if applicable). Per-product specifics in security.md.
  • In transit: TLS 1.2+ everywhere. HSTS on user-facing surfaces.
  • Key management: master keys live in environment variables provided via the deployment platform's secret store. Rotation procedure documented in each product's security.md.

Logging + audit

  • Every admin-panel action lands in admin_audit_logs (in ZevID).
  • Every ZPIP token issuance lands in zpip_token_log (in ZevID).
  • Every authentication event lands in login_events (in ZevID).
  • Each product's domain actions land in product-local audit tables — referenced from each product's security.md.

Vulnerability management

  • Dependency scanning: GitHub Dependabot + SCA tool per product (TBD: standardise).
  • Security advisory triage: SLA — critical patched within 7 days; high within 30; medium next maintenance window.
  • Disclosure channel for external researchers: security@zevop.com (TBD if not yet active).

Penetration testing

Cadence TBD. Last test: TBD. Reports stored with the DPO; not public.

Backup + disaster recovery

  • Per-product backups + DR posture in each security.md.
  • RTO / RPO targets per product also there.

Open items

Things on the roadmap that affect ecosystem-wide security. Listed here as transparency for the DPO; not a commitment to a date unless one is given.

  • ⏳ Centralised SIEM / log aggregation across products.
  • ⏳ Quarterly access review automation.
  • ⏳ Cross-product secret rotation playbook.