Security at Zentro
Last updated: May 6, 2026
Our approach
Zentro processes operational order data for e-commerce operators across LATAM. We treat security as part of the product, not as an afterthought. This page summarizes the technical and organizational measures we apply. For legal details on personal data processing, see our Privacy Policy.
Data protection
- Encryption at rest: AES-256 for the database, file storage, and backups.
- Encryption in transit: TLS 1.2+ on all connections; HSTS enabled.
- Secrets and integration tokens: encrypted at the application layer with AES-256-GCM before being stored.
- Database: managed PostgreSQL hosted with a SOC 2 / ISO 27001 certified provider (US region).
- Backups: automated point-in-time recovery; 7-day retention.
Authentication and access control
- Password hashing: bcrypt with per-user salt.
- Sessions: `httpOnly`, `SameSite`, and `Secure` cookies in production.
- Role-based access control (RBAC): ADMIN, SUPERVISOR, SELLER, and LOGISTICS, each with the minimum required permission set.
- Multi-tenant isolation: every application query filters by organization; data is never shared across merchants.
- Audit logs: sensitive actions (status changes, payment edits, administrative access) are logged and retained for 90 days.
- Engineering production access: SSO + 2FA required; granted to the minimum necessary personnel.
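An added example (not Zentro's code) of how the RBAC and tenant-isolation rules above combine in one fail-closed authorization guard, with the audit entry written for the sensitive actions the page lists. The permission sets, action names, session shape and query text are assumptions; the page names the four roles but not what each may do.

```javascript
// Added example, not Zentro's code: one fail-closed guard that applies the
// role's permission set and the tenant boundary before any sensitive action.
// The permission sets, action names and query shape are assumptions; the page
// names the four roles but not what each may do.
const PERMISSIONS = Object.freeze({
  ADMIN:      new Set(['order:read', 'order:update_status', 'payment:edit', 'user:manage', 'audit:read']),
  SUPERVISOR: new Set(['order:read', 'order:update_status', 'payment:edit', 'audit:read']),
  SELLER:     new Set(['order:read', 'order:update_status']),
  LOGISTICS:  new Set(['order:read', 'order:update_status']),
});

// Actions the page lists as sensitive; an allowed call is appended to the audit log.
const AUDITED_ACTIONS = new Set(['order:update_status', 'payment:edit', 'user:manage']);

// Returns { allowed, reason }. Every missing or unexpected input is a denial,
// so a caller never has to catch an exception to stay safe.
function authorize(session, action, resource, auditLog = []) {
  if (!session || !session.userId || !session.orgId || !session.role) {
    return { allowed: false, reason: 'no_session' };
  }
  // Own-property lookup: a role string such as "__proto__" or "constructor"
  // would otherwise resolve to something on Object.prototype and not deny.
  if (!Object.prototype.hasOwnProperty.call(PERMISSIONS, session.role)) {
    return { allowed: false, reason: 'unknown_role' };
  }
  if (!PERMISSIONS[session.role].has(action)) {
    return { allowed: false, reason: 'missing_permission' };
  }
  // Tenant check: the resource's owner must match the org carried in the
  // session, never an org id taken from the request body or URL.
  if (!resource || resource.orgId !== session.orgId) {
    return { allowed: false, reason: 'cross_tenant' };
  }
  if (AUDITED_ACTIONS.has(action)) {
    auditLog.push({
      at: new Date().toISOString(),
      userId: session.userId,
      orgId: session.orgId,
      action,
      resourceId: resource.id,
    });
  }
  return { allowed: true, reason: 'ok' };
}

// Builds a parameterized lookup that always carries the session's org id as a
// filter, so a guessed order id belonging to another merchant returns no row.
function scopedOrderQuery(session, orderId) {
  return {
    text: 'SELECT id, status FROM orders WHERE id = $1 AND organization_id = $2',
    values: [orderId, session.orgId],
  };
}
```

The order of checks matters less than the fact that every branch returns a denial object: a missing session, an unrecognized role, a permission the role lacks, and a resource owned by another organization all end in `allowed: false`, and the organization filter in the query is taken from the server-side session rather than from anything the client sent.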
Infrastructure
- Hosting: serverless infrastructure with auto-scaling.
- Edge network: CDN with DDoS protection and application-layer WAF.
- Observability: error and performance monitoring with on-call alerting.
- HTTP security headers: `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, a strict `Referrer-Policy`, and a `Permissions-Policy` that disables camera, microphone, and geolocation by default.
Sub-processors
We work with the following providers. We keep this list up to date.
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and CDN | U.S. / Global edge |
| Neon (PostgreSQL) | Managed database | U.S. |
| Vercel Blob | Storage of payment proofs and images | U.S. |
| Sentry | Error and performance monitoring | U.S. |
| Browserbase | Secure browser automation (Zeus integration) | U.S. |
| Resend | Transactional email delivery | U.S. |
Compliance
- Compliant with Peru's Personal Data Protection Law (Ley N° 29733) and its regulations.
- Data handling aligned with GDPR for EU data subjects.
- Breach notification within 48 hours to the Peruvian Data Protection Authority (ANPDP) when applicable.
- Adherence to the Google API Services User Data Policy including Limited Use requirements.
- SOC 2 Type I in preparation.
Reporting a vulnerability
We welcome reports from security researchers and respond promptly. To report a finding, email privacy@zentro.one with the subject “Security — Vulnerability Report”. We ask that you:
- Provide a clear description of the finding and reproduction steps.
- Avoid disrupting the service or accessing other users' data.
- Give us a reasonable window to remediate before public disclosure.
We acknowledge receipt within 3 business days and provide an estimated remediation timeline.
Official contact details (RFC 9116)
The security.txt file is published at /.well-known/security.txt.