Security Overview
Zipy Security Overview
We believe that consumer experience data is very important for your business and security of this data is equally important.
Hence to provide our customers peace of mind we follow certain security standards and practices, which will constantly keep evolving to protect the data against any security breaches.
Our customers can control what data Zipy will record and store. Any data that our customers deem sensitive should not be recorded and Zipy will not store it.
The following are the best practices followed by Zipy to ensure the security of our customers data.
System Security
Servers and Networking
All production servers running Zipy are hosted on Google Cloud and support only https connections on port 443.
All recorded data transmitted from customer products to Zipy servers is over https and hence encrypted and secure. We support SSL certificates on all our network API endpoints.
Our website is also secure and supports https.
Storage Security
We are storing all customer data in Google Cloud Platform which allows multi layer access, encryption and monitoring.
Each customer data is stored in a separate bucket.
Data is stored in an encrypted manner using Google-managed keys. (Objects are encrypted automatically using keys that Google manages on Zipy’s behalf)
We plan to use Customer-managed keys going forward.
Employee Access
We use Google account roles and policies to verify employee account identity. We also provide two factor authentication for all sensitive data access. All Google Cloud based access is based on Google accounts.
Application Security
Sensitive Data
Any data that is sensitive to the customer shall not be recorded by Zipy unless specified or enabled by the customer. Zipy provides configuration parameters to allow the customers to enable and disable what data is recorded by Zipy.
All recorded data is transferred over https ( Data security in transit)
All recorded data is stored in encrypted format in separate customer partitions ( Data security in store)
SDK ( javascript) which is embedded in customers code
The sdk is hosted at a secure endpoint on the Google cloud and it cannot cause security vulnerabilities as all the communication endpoints are behind SSL certificates and only allow an https connection.
Every customer has a unique sdk key which can only be used by them. It is verified and authenticated in Zipy backend before storing any data for that customer. There is an additional handshake Zipy provides before any communication is initiated with Zipy servers for recording and storing data.
Developer interface
Our developer console - app.zipy.ai allows only authenticated users to login. We support standard JWT email authentication and SSO currently.
All current developer console REST APIs are over https.
Last updated