ZeroContact
Back to Blog
#security#privacy#data-protection#compliance

Is ZeroContact Secure? How We Handle Your Webhook Data

Security details on how ZeroContact protects your form data. Learn about our encryption, data isolation, and privacy-first architecture.

You're sending customer data through our system. Names, emails, phone numbers, messages.

You should know exactly how we handle it.

This article covers:

  • How data flows through ZeroContact
  • What we store (and don't store)
  • How we protect it
  • Your security controls

Data Flow Overview

Here's what happens when someone submits a form:

1. Form submitted on your website

  • Webhook POST sent to ZeroContact
    • 

  • We validate and process the payload
    • 

  • Notification sent to your channels
    • 

  • Data stored in your secure dashboard
    •

Let's break down each step.

Step 1: Webhook Transmission

Your form builder sends data to our webhook endpoint via HTTPS.

What We Require

  • TLS 1.2+: All connections are encrypted
  • HTTPS only: We reject HTTP connections
  • Valid payload: JSON format with required fields

What This Means

Data in transit is encrypted. Even if intercepted, it's unreadable.

Step 2: Processing Layer

Our edge functions receive and process webhooks.

Infrastructure

  • Supabase Edge Functions: Deployed on Deno
  • Regional distribution: Low latency globally
  • Stateless processing: No data retained in processing layer

Processing Time

Sub-100ms. We receive, validate, and forward immediately.

Step 3: Data Storage

Form submission data is stored in your dashboard.

Database

  • Supabase (PostgreSQL): Enterprise-grade database
  • AWS infrastructure: Same infrastructure as Netflix, Airbnb
  • Encrypted at rest: AES-256 encryption

Row Level Security (RLS)

This is the important part.

Supabase RLS means: you can only access your own data.

-- Simplified RLS policy

CREATE POLICY "Users can only see their own forms"


ON forms


FOR SELECT


USING (auth.uid() = user_id);

Even if our application had a bug, the database itself enforces access control. Your data is isolated at the database level.

What This Means for Agencies

If you're an agency with multiple clients:

  • You see: Form counts, notification logs
  • You don't see: Actual submission content

The client connects their phone via QR code and sees submissions.

You manage the infrastructure. Client sees the data. Perfect separation.

Step 4: Notification Delivery

We send notifications to 5 channels.

Channel Security

Push Notifications (iOS/Android)
  • APNs/FCM encrypted delivery
  • Device-to-server encryption
  • Token-based authentication
LINE/Slack/Discord
  • HTTPS API calls
  • OAuth/Webhook authentication
  • No credentials stored (you configure your own webhooks)
Email
  • TLS-encrypted SMTP
  • Used as backup channel

What We Store

We Store:

  • Form configuration (name, webhook URL)
  • Submission content (encrypted at rest)
  • Notification logs (delivery timestamps)
  • User account data (email, hashed password)

We Don't Store:

  • Credit card numbers (handled by Stripe)
  • Raw passwords (only hashes)
  • IP addresses of form submitters (optional)
  • Cookies or tracking data

Data Retention

Default retention: 90 days for submission data.

You can:

  • Download your data anytime
  • Delete submissions manually
  • Request full account deletion

We don't sell data. We don't share data. We don't use data for advertising.

Access Controls

For Agency Accounts

  • Email + password authentication
  • Optional 2FA (coming soon)
  • Session tokens with 24-hour expiry

For Client Apps (QR Code)

  • Unique token per form
  • Token scoped to specific form only
  • Revocable from agency dashboard

If a client loses their phone:

  • Revoke the QR token from dashboard
  • Generate new QR code
  • Client scans with new device

Old device can no longer receive notifications.

Compliance

GDPR Ready

  • Data minimization: we only collect what's needed
  • Right to access: export your data anytime
  • Right to erasure: delete your account and all data
  • Data portability: download in standard formats

Japanese Privacy Law

  • Compliant with Act on Protection of Personal Information
  • Data stored on AWS with optional region selection

Security Practices

Our Side

  • Regular dependency updates
  • Automated security scanning
  • Infrastructure managed by Supabase (SOC 2 compliant)
  • No access logs expose customer data

Your Side (Recommended)

  • Use strong passwords
  • Enable 2FA when available
  • Rotate QR tokens periodically
  • Review notification logs regularly

Incident Response

If we detect a security issue:

  • Immediate containment
  • Customer notification within 24 hours
  • Full incident report within 7 days
  • Implementation of preventive measures

We've had zero data breaches since launch.

Questions?

If you have specific security questions, we'll answer them:

  • SOC 2 report? Available on request for Enterprise plans
  • Custom data retention? Enterprise feature
  • On-premises deployment? Not currently, but on roadmap
  • Penetration testing? Conducted annually

Email security@zerocontact.dev for detailed inquiries.

The Bottom Line

Your form data is:

  • ✅ Encrypted in transit (TLS 1.2+)
  • ✅ Encrypted at rest (AES-256)
  • ✅ Isolated by RLS (database-level)
  • ✅ Not sold or shared
  • ✅ Deletable on demand

We're a notification service. We get your data, send it to you, and protect it while we have it.

That's the job. We take it seriously.

---

Have specific security questions? Contact us → Ready to try ZeroContact securely? Get started →

Experience 2-Second Notifications

Solve your form notification delays with ZeroContact

Get Started Free