ZyqualZyCloud

Security

Strong security, said in plain English.

What we do to protect your files — without the jargon. The technical specifics are below for anyone who wants them.

Your files are encrypted

Every object is encrypted at rest. Every transfer happens over a modern, encrypted connection.

Your links can expire

Set a 24-hour, 7-day, or custom expiry on every share link. Or no expiry — your call.

Password-protect what matters

Lock a share with a password. The recipient enters it before anything is revealed.

Revoke access instantly

Change your mind? Click revoke. The link stops working that second.

We record important account activity

Every read, write, share, delete, and login is logged. You can see your audit trail.

Admins manage access for the team

Organisation admins can pool storage, set quotas, and control who joins.

For schools + businesses

Admin controls for the people responsible.

When a school, faculty, or business runs ZyCloud, admins manage the team without needing to ask for help. Pool storage across staff, set per-user quotas, see what’s shared with the outside world, audit changes, and pull the whole audit log to CSV.

  • Pooled storage with per-user quota slices
  • Audit log filterable by user, file, action, date
  • Audit log export to CSV (Educator tier+)
  • Manual educator verification workflow for staff
  • Tamper-evident hash chain on the audit log (V3)

For the technically inclined

The implementation detail.

If you’re reviewing ZyCloud for school IT, government procurement, or your own peace of mind — the specifics are below.

Encryption in transit

TLS 1.3 only. HSTS preload. No fallback to TLS 1.2 or earlier.

Encryption at rest

AES-256 on every object via S3 SSE. Per-user envelope encryption with KMS-held DEKs is on the V1.5 roadmap.

Authentication

Argon2id password hashing (memory cost ~64 MiB, t=3, p=1). Rate limit on /auth/* endpoints. Lockout after 10 failed attempts in 10 minutes.

Sessions

Short-lived JWT access tokens (15 min). Rotated refresh tokens (30 days). Invalidated on password reset.

Email verification

Six-digit OTP at signup. 10-minute expiry. Maximum 5 attempts per code. 60-second resend cooldown. 3 sends per email per hour.

Sharing

32-character random tokens. Optional argon2id-hashed password. Optional max-access counter. Optional expiry. Owner can revoke instantly.

Object access

Presigned S3 URLs only. The API never proxies file bytes. URLs expire in 15 minutes.

Secrets

AWS Secrets Manager in production. systemd EnvironmentFile (mode 0600) on the host. Never in source control.

Audit log

Every read, write, share, delete, login, plan change persisted. 13-month retention; Educator tier exports to CSV.

Backups

Daily Postgres logical backups with KMS encryption. 35-day retention.

Bug bounty

Public program launches with V2. Email security@zyqual.com — we respond within 24 hours.

Reporting a vulnerability

Email security@zyqual.com. Do not file public GitHub issues for security bugs.

Procurement teams: we’ll meet you halfway.

We can share our security questionnaire, run a vendor-review call, and walk through data-residency options — particularly for schools, ministries, and regulated industries.

Talk to us about procurement →