Trust & Safety
Security
How we protect your photos, your clients, and your business.
Infrastructure
Zawiya runs on Vercel's globally distributed edge network with automatic DDoS mitigation, TLS 1.3 encryption in transit, and Cloudflare fronting all traffic. All data at rest is encrypted using AES-256. We do not run our own servers — we rely on Supabase (PostgreSQL) and Supabase Storage, both of which are SOC 2 Type II certified.
Photo storage
Your photos are stored in private Supabase Storage buckets. No file is ever publicly accessible by URL alone. Every image request goes through our signed-URL proxy, which validates the requester's session, enforces download quality limits, and expires the URL after a short window. Right-click saving of originals is disabled at the application layer for galleries where the photographer has enabled protection.
Access control
Gallery access is controlled at three levels:
- Public — anyone with the link can view (no account required).
- Password-protected — clients must enter a photographer-set password. Passwords are hashed with bcrypt before storage; we never store them in plaintext.
- Private — only the photographer can view; share via a signed direct link.
Download tokens are single-use, short-lived, and scoped to a specific image and quality level. They cannot be reused or shared to bypass access restrictions.
Authentication
Photographer accounts authenticate via Supabase Auth, which provides email/password login with email verification, secure session management using HTTP-only cookies, and automatic token rotation. Passwords must be at least 8 characters long and include at least one uppercase letter and one number.
All admin actions require a separate privilege check server-side regardless of the session cookie. Client-side role checks are purely cosmetic.
Payments
All payments — photographer subscriptions and client gallery upgrades — are processed by Paddle. Zawiya never touches raw card numbers. Payment data flows directly between your browser and Paddle's PCI-DSS Level 1 certified servers. We receive only webhook events confirming completed transactions.
Rate limiting & abuse prevention
All public gallery routes apply per-IP rate limiting for password attempts, download requests, and API calls. Repeated failed password attempts trigger a temporary lockout. Download traffic is throttled per session to prevent bulk scraping. Bot traffic is filtered at the Cloudflare edge before it reaches our application.
Data privacy
We collect only what is necessary to operate the platform. Client IP addresses are stored as one-way SHA-256 hashes — the original IP is never retained. EXIF metadata is stripped of personally identifiable fields (GPS coordinates, device serial numbers) before it is stored in our database. We do not sell, rent, or share your data or your clients' data with third parties. See our Privacy Policy for full details.
Vulnerability disclosure
If you discover a security vulnerability in Zawiya, please report it responsibly by emailing security@zawiya.studio. We aim to acknowledge all reports within 48 hours and to release a fix within 14 days for critical issues. Please do not publicly disclose the vulnerability until we have had a chance to address it.
Contact
For security concerns or questions, contact us at security@zawiya.studio.