Security
Strong security, said in plain English.
What we do to protect your files — without the jargon. The technical specifics are below for anyone who wants them.
Your files are encrypted
Every object is encrypted at rest. Every transfer happens over a modern, encrypted connection.
Your links can expire
Set a 24-hour, 7-day, or custom expiry on every share link. Or no expiry — your call.
Password-protect what matters
Lock a share with a password. The recipient enters it before anything is revealed.
Revoke access instantly
Change your mind? Click revoke. The link stops working that second.
We record important account activity
Every read, write, share, delete, and login is logged. You can see your audit trail.
Admins manage access for the team
Organisation admins can pool storage, set quotas, and control who joins.
For schools + businesses
Admin controls for the people responsible.
When a school, faculty, or business runs ZyCloud, admins manage the team without needing to ask for help. Pool storage across staff, set per-user quotas, see what’s shared with the outside world, audit changes, and pull the whole audit log to CSV.
- Pooled storage with per-user quota slices
- Audit log filterable by user, file, action, date
- Audit log export to CSV (Educator tier+)
- Manual educator verification workflow for staff
- Tamper-evident hash chain on the audit log (V3)
For the technically inclined
The implementation detail.
If you’re reviewing ZyCloud for school IT, government procurement, or your own peace of mind — the specifics are below.
Encryption in transit
TLS 1.3 only. HSTS preload. No fallback to TLS 1.2 or earlier.
Encryption at rest
AES-256 on every object via S3 SSE. Per-user envelope encryption with KMS-held DEKs is on the V1.5 roadmap.
Authentication
Argon2id password hashing (memory cost ~64 MiB, t=3, p=1). Rate limit on /auth/* endpoints. Lockout after 10 failed attempts in 10 minutes.
Sessions
Short-lived JWT access tokens (15 min). Rotated refresh tokens (30 days). Invalidated on password reset.
Email verification
Six-digit OTP at signup. 10-minute expiry. Maximum 5 attempts per code. 60-second resend cooldown. 3 sends per email per hour.
Sharing
32-character random tokens. Optional argon2id-hashed password. Optional max-access counter. Optional expiry. Owner can revoke instantly.
Object access
Presigned S3 URLs only. The API never proxies file bytes. URLs expire in 15 minutes.
Secrets
AWS Secrets Manager in production. systemd EnvironmentFile (mode 0600) on the host. Never in source control.
Audit log
Every read, write, share, delete, login, plan change persisted. 13-month retention; Educator tier exports to CSV.
Backups
Daily Postgres logical backups with KMS encryption. 35-day retention.
Bug bounty
Public program launches with V2. Email security@zyqual.com — we respond within 24 hours.
Reporting a vulnerability
Email security@zyqual.com. Do not file public GitHub issues for security bugs.
Procurement teams: we’ll meet you halfway.
We can share our security questionnaire, run a vendor-review call, and walk through data-residency options — particularly for schools, ministries, and regulated industries.
Talk to us about procurement →