Confidentiality by design
Security — Vision Engine
For properties above €15M, the leak of a single image can cost millions in reputation, negotiation, or relationships. Confidentiality is not a feature — it is a hard architectural constraint.
Authentication
Phishing-resistant by design
- Magic-link sign-in, no password — nothing to phish, nothing to brute-force.
- Admin WebAuthn (Touch ID / Hello / hardware key) — the browser cryptographically refuses to sign a challenge on a typosquat domain.
- Recovery codes mandatory at enrollment, stored as SHA-256 hashes with a server-side pepper.
- Per-action audit — every admin read is logged with hashed IP/UA, never stored in clear.
Confidentiality
No data leaks accidentally
- Systematic EXIF stripping at upload — GPS, camera model, date taken: removed before any storage. ICC color profile preserved for fidelity.
- Strict private bucket — no read without a server-issued signed URL, max 5-minute TTL.
- Forensic watermarking — every render carries a discreet cryptographic identifier in the bottom-right corner. A leaked render is immediately traceable to its (user, project) source.
- Production logs sanitized — UUIDs, emails, JWTs, API keys, signed-URL tokens: 11 patterns auto-redacted.
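The log-sanitization step above, as an added example that is not Vision Engine's own code: a stdlib-only Python redactor covering five of the categories named (UUIDs, emails, JWTs, bearer API keys, signed-URL tokens). The pattern set, the placeholder format and the sample log lines are constructed for illustration; the product's actual 11 patterns are not published here.

```python
import re

# Redaction patterns applied in order. Context-bound patterns (a token query
# parameter, a bearer credential) run first so that a JWT used as a signed-URL
# token is redacted once, under its more specific name. Constructed for this
# example; not the product's real pattern set.
REDACTIONS = [
    ("token", re.compile(r"(?<=[?&]token=)[^&\s]+")),            # signed-URL token
    ("api_key", re.compile(r"(?<=bearer )[A-Za-z0-9._~+/=-]+", re.I)),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),         # header.payload.sig
    ("uuid", re.compile(
        r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]


def redact(line: str) -> tuple[str, dict[str, int]]:
    """Return the sanitized line and a per-pattern count of what was removed.

    The counts let a pipeline alert on lines that unexpectedly carried
    secrets, without ever logging the secret itself.
    """
    counts: dict[str, int] = {}
    for name, pattern in REDACTIONS:
        line, n = pattern.subn(f"[REDACTED:{name}]", line)
        if n:
            counts[name] = n
    return line, counts


# Constructed sample lines; identifiers and hosts are placeholders.
SAMPLE_LOGS = [
    "INFO user=8f14e45f-ea46-4b8d-9f3e-1a2b3c4d5e6f email=agent@example.com opened project",
    "INFO issued https://storage.example.invalid/object/sign/renders/villa.jpg"
    "?token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MDAwMDAwMDB9.abc123_-XYZ",
    "DEBUG Authorization: Bearer sk_live_constructed_example_key_0000",
    "INFO render completed in 42s",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        clean, hits = redact(raw)
        print(clean, hits)
```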
Controlled sharing
Revocable, audited links — never a 24-hour link that cannot be revoked
- Stable links on the Vision Engine side; the ephemeral Supabase signed URL (5-minute TTL) is generated only on access.
- One-click revocation + per-access audit log (timestamp, IP hash, User-Agent hash).
- Configurable TTL: 1h / 6h / 24h. Optional view limit ("max 3 opens").
- No browser cache on shared links (no-store + no-referrer headers).
Hosting & jurisdiction
Data in EU, processing framed
- Database + storage: Frankfurt, EU (Supabase eu-central-1). AES-256 encryption at rest.
- Compute: Vercel (US-East), global edge CDN for static pages.
- AI rendering: Replicate (US), ephemeral transit only, zero retention. The render is immediately re-uploaded into our private bucket.
- All transfers outside the EU are framed by the Standard Contractual Clauses of the European Commission.
Incident response
72h regulator, 48h client, full traceability
- Regulator notification within 72 hours per GDPR Art. 33 if applicable.
- Client notification within 48 hours as soon as a risk is identified, per our DPA.
- Watermark forensics: from a leaked render, source identification in under 5 minutes.
- Process documented, operational runbook maintained and tested.
Reference documents
Our complete security architecture is publicly documented:
- SECURITY.md — full architecture, threat model, sub-processors
- Privacy Policy — GDPR, retention, your rights
- Terms of Service — usage, IP, liability limits
- DPA available on request: legal@zephios.com
Report a vulnerability
Responsible security researchers are thanked. Email: security@zephios.com. PGP key on request. Response within 24 business hours. No formal bug bounty for now — direct coordination.