Security

Last Updated on
2026 June 12

Where your data lives

Your data is stored and processed in the European Union, under GDPR jurisdiction. We do not ship customer data to third countries for processing.

All traffic between you and ZenWorkflow is encrypted in transit using TLS 1.2 or higher, with HSTS preload so browsers refuse to talk to us over plain HTTP. Both the database and file storage are encrypted at rest with industry-standard algorithms.

Tenant isolation

Every record in ZenWorkflow belongs to exactly one firm. Tenant scoping is enforced at the data model layer — not just hidden in the user interface — so a query can never accidentally cross firms. This is the single most important guarantee we make.

Authentication and access

We stack several controls so a single compromised credential is never enough to reach your data:

  • Two-factor authentication. Standard authenticator apps are supported. Firm administrators can require 2FA for every user in the firm.
  • IP allowlisting. You can restrict access to specific office or VPN IP ranges. This is enforced before any request can reach your data.
  • Strong password requirements. Passwords are checked against known breach lists and stored using industry-standard hashing algorithms. We never store passwords in plain text.
  • Brute-force protection. Authentication endpoints are rate-limited, and repeated failures trigger throttling.
  • Granular role-based permissions. Fine-grained access controls cover clients, workflows, AML data, invoicing and settings. You assign exactly what each role inside your firm should see.
  • Passwordless client portal. When you share invoices, estimates or workflows with a client, the client accesses them through a magic link verified by a one-time code sent to their email. Your clients never need to create an account, choose a password or get locked out.

How files and records are handled

Every file uploaded to ZenWorkflow is automatically scanned for malware before it can be opened or downloaded. We verify the actual contents of every uploaded file — not just the filename extension — to block the disguised-executable trick.

Files are never served from public URLs. Every download goes through an authenticated path that re-checks the requester's firm and permissions before sending a single byte. All rich-text content is sanitised on render with a strict allowlist that blocks cross-site scripting, and a Content Security Policy narrows the surface for injection attacks further.

Database backups run automatically and are encrypted at rest. We test our restore procedures, because a backup that can't be restored isn't a backup.

Infrastructure and operations

  • Hardened hosting. Our application runs on tier-1 cloud infrastructure in the EU, with private networking between the application and the database.
  • Error monitoring. Production errors are captured with personal data scrubbed before transmission.
  • Patching. Dependencies are continuously audited and security patches are deployed on a regular cadence.
  • Cookie consent. GDPR-compliant cookie management with granular consent categories and an auditable log of choices.

Compliance and privacy

We're built for firms whose own work is regulated. That changes how we treat your data — not as a marketing asset, but as records you may one day need to defend in front of an auditor.

  • Right to access. You can export every client, contact, workflow and invoice in CSV or XLSX format, on demand, from inside the application.
  • AML and KYC screening. We integrate with a leading global screening provider for sanctions, PEP and adverse-media checks. The audit trail of every decision stays inside your firm.

Related documents: Privacy Policy, Terms of Service, Cookie Policy.

Sub-processors

Where we use third parties to process customer data on our behalf — for hosting, file storage, transactional email, screening, payments and error monitoring — each one is bound by a Data Processing Agreement with us and selected against EU data protection requirements.

A current list of sub-processors is available to customers on request through the Data Processing Agreement.

Reporting a security issue

We take responsible disclosure seriously. If you believe you've found a security vulnerability in ZenWorkflow, please email security@zenworkflow.io with a description, steps to reproduce and your contact details. We will acknowledge your report within two business days.

Please do not file public bug reports for security issues, and please give us a reasonable window to investigate and fix before any public disclosure.