Legal
Security & data protection
Last updated: June 2026
We take the security of your data seriously. This page describes the technical and organisational measures in place. We aim to be honest: Zrelic is a small product built on reputable infrastructure. We do not claim certifications or audits that we have not completed — but we do build on providers that maintain their own.
Encryption in transit
All connections to Zrelic — including your dashboard, portal links shared with clients, and API calls between services — are encrypted with TLS 1.2 or higher (HTTPS). Plain-HTTP requests are automatically redirected to HTTPS. Certificates are managed and renewed automatically by Vercel.
Password security
Passwords are hashed with bcrypt before storage using a sufficient work factor. We never store, log, or transmit your password in plain text. Clients do not have passwords — they access portals exclusively via scoped magic-link tokens (see below).
Magic-link access tokens
Client portal links are generated as cryptographically random, unguessable tokens scoped to a single portal. A client who holds the link for Portal A cannot access Portal B. If you believe a link has been compromised, you can regenerate it from your dashboard — the old token is immediately invalidated.
Session management
Freelancer sessions are managed by NextAuth using secure, HttpOnly, SameSite cookies. Sessions expire after a fixed idle period and are invalidated on sign-out.
Database security
Application code uses parameterised queries exclusively; user input is never interpolated directly into SQL statements, preventing SQL-injection attacks. The database (Neon Postgres) is not directly accessible from the public internet — connections are authenticated and restricted by network policy.
File storage
Files you upload are stored on Vercel Blob. Access is controlled: files are served via short-lived, signed URLs or through your authenticated dashboard — they are not publicly browsable by URL pattern.
Payment card data
Zrelic uses Stripe for payments. Card numbers and sensitive payment details are entered directly into Stripe’s PCI-DSS-compliant hosted fields and never pass through our servers. We store only Stripe customer and subscription IDs.
Access controls
Internally we apply least-privilege access: team members and automated systems are granted only the permissions they need to perform their function. Production database credentials are held in environment variables, not in source code.
Infrastructure providers
Zrelic is built on:
- Vercel — application hosting and file storage. Vercel maintains SOC 2 Type II certification.
- Neon — managed Postgres database. Neon is SOC 2 Type II certified and encrypts data at rest.
- Stripe — payments. Stripe is PCI-DSS Level 1 certified.
- Resend — transactional email delivery.
Zrelic itself has not independently obtained ISO 27001, SOC 2, or similar certifications. We rely on the security programmes of our infrastructure providers and apply the engineering controls described above.
Vulnerability and breach response
If we become aware of a security vulnerability we will assess the impact and apply fixes as quickly as practicable. In the event of a personal data breach we will notify affected users and — where required — the Information Commissioner’s Office, without undue delay.
If you discover a potential security issue, please report it responsibly to security@zrelic.com. We ask that you give us reasonable time to investigate before public disclosure. We do not currently operate a formal bug-bounty programme, but we will acknowledge good-faith reports promptly.
Questions
For general security or data-protection questions, email hello@zrelic.com. See also our Privacy policy.