Security

Last updated June 2026

Protecting your business data is foundational to everything we build at BizEnzo. This page describes our security architecture, practices, and the shared responsibilities between BizEnzo and the businesses that use our platform.

1. Infrastructure and hosting

BizEnzo runs on Vercel's global edge network with compute isolated per-region. Our primary database is hosted on Neon (PostgreSQL) with automatic failover, point-in-time recovery, and daily encrypted backups retained for 30 days. Static assets are served from Vercel's CDN over HTTPS. We do not run our own bare-metal servers; we rely on infrastructure providers that maintain SOC 2 Type II and ISO 27001 certifications.

2. Encryption

All data in transit is encrypted using TLS 1.2 or higher — we enforce HTTPS on every endpoint and redirect all HTTP requests. Data at rest in our database is encrypted with AES-256 managed by Neon's transparent database encryption. Sensitive fields such as API keys and webhook secrets are stored as environment variables in Vercel's encrypted secrets store and are never committed to source control or exposed in logs.

3. Authentication and access control

User authentication is powered by NextAuth.js with bcrypt-hashed passwords and support for OAuth providers (Google). Sessions use signed, HTTP-only, Secure cookies with short expiry. Multi-tenant data isolation is enforced at the database query level — every query includes a tenantId filter, and our API middleware verifies tenant ownership on every authenticated request.

Role-based access control (RBAC) restricts what each user can see and do within a tenant. Administrative actions (e.g., deleting records, changing billing) require elevated roles. BizEnzo staff do not have access to customer data except when explicitly granted temporary read-only access for support purposes, and all such access is logged.
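The tenant-scoped querying, ownership check and elevated-role requirement described above, as an added TypeScript example (not BizEnzo's own code; the session shape, the in-memory record store and the role names are assumptions):

```typescript
// Added example: tenant isolation and RBAC modelled on the practices above.
// The session shape, record store and roles are constructed for illustration.
type Role = "admin" | "member";
interface Session { userId: string; tenantId: string; role: Role; }
interface BizRecord { id: string; tenantId: string; name: string; }

// Constructed sample data: two tenants, one record each.
const RECORDS: BizRecord[] = [
  { id: "r1", tenantId: "t-acme", name: "Invoice 1001" },
  { id: "r2", tenantId: "t-globex", name: "Invoice 2001" },
];

// Every read is scoped by the tenantId taken from the verified session;
// the caller never supplies a tenant identifier in the request.
function findRecords(session: Session): BizRecord[] {
  return RECORDS.filter(r => r.tenantId === session.tenantId);
}

// Ownership check: a record id belonging to another tenant is treated as
// not found, so the response does not reveal that the id exists elsewhere.
function getRecord(session: Session, id: string): BizRecord | null {
  const rec = RECORDS.find(r => r.id === id && r.tenantId === session.tenantId);
  return rec ?? null;
}

// Administrative actions require an elevated role in addition to tenant
// ownership; the role is checked first so non-admins learn nothing about ids.
function deleteRecord(session: Session, id: string): "deleted" | "forbidden" | "not_found" {
  if (session.role !== "admin") return "forbidden";
  const idx = RECORDS.findIndex(r => r.id === id && r.tenantId === session.tenantId);
  if (idx === -1) return "not_found";
  RECORDS.splice(idx, 1);
  return "deleted";
}
```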

4. Payment security

BizEnzo does not store, transmit, or process raw payment card data. All payment processing is handled by Stripe, which is certified as a PCI DSS Level 1 Service Provider — the highest level of payment security certification. We use Stripe's tokenisation and Stripe Elements to ensure card data never touches our servers.

5. Application security

Our development process includes: code review for all changes before merge to main; dependency scanning via GitHub Dependabot with automatic security patch pull requests; input validation and parameterised queries to prevent SQL injection; Content Security Policy (CSP) and other HTTP security headers; and rate limiting on public-facing API endpoints to mitigate abuse.

We perform regular internal security reviews and plan to commission an annual third-party penetration test as the platform scales. Results of any significant findings and their remediation status will be disclosed here.

6. Incident response

In the event of a confirmed security incident affecting customer data, BizEnzo will notify affected Business Owners within 72 hours of discovery, consistent with applicable privacy law requirements. Notifications will include a description of the incident, the categories of data affected, the steps we have taken to contain it, and recommended actions for affected users.

7. Your responsibilities

Security is a shared responsibility. We ask that you: use a strong, unique password for your BizEnzo account; enable two-factor authentication once it is available; promptly remove access for staff members who leave your business; and report any suspicious activity or potential vulnerabilities to us at security@bizenzo.com.

8. Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in BizEnzo, please email security@bizenzo.com with a description of the issue and steps to reproduce. We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days. We request that you do not publicly disclose the issue until we have had the opportunity to investigate and remediate.

Security contact

For security enquiries or vulnerability reports:
security@bizenzo.com

For general support: support@bizenzo.com