We take security seriously. Your data, your content, and your connected accounts are protected by multiple layers of security.
All data encrypted with AES-256-GCM at rest. TLS 1.3 for all data in transit. Social media tokens individually encrypted before database storage.
Passwords hashed with bcrypt via Supabase Auth. Row-Level Security (RLS) on every database table ensures complete data isolation between users.
Two-layer moderation system: Layer 1 — instant keyword/pattern pre-filter. Layer 2 — AI-powered deep content analysis. Both input and output are scanned.
Self-hosted on secure infrastructure with Node.js standalone deployment. Database on Supabase with automated backups. All secrets stored in environment variables, never in code.
Redis-backed rate limiting on all API endpoints. Cloudflare provides DDoS mitigation. QStash handles async processing to prevent abuse.
Generated content is delivered inline and never stored on our servers. User-uploaded media is processed in memory only. No file storage = minimal attack surface.
GenZHook maintains an absolute zero-tolerance policy for the following categories. Content matching these categories is blocked immediately and may result in permanent account termination and reporting to authorities:
GDPR: EU General Data Protection Regulation compliance
CCPA: California Consumer Privacy Act compliance
OWASP Top 10: Protection against the top 10 web security risks
We run a 24×7 on-call rotation backed by a written incident-response runbook. Our commitments for confirmed security incidents:
Full process: /incident-response
The security measures, controls, response timelines, and compliance posture described on this page are operational practices that may evolve. The Owner reserves the absolute, exclusive, and unfettered discretion, with or without prior notice and without liability, to add, change, restructure, or remove any security control, sub-processor, vendor, or process; to modify, restructure, or replace any feature, plan, integration, price, fee, FX rate, credit weight, quota, rate-limit, discount, coupon, reward, or facility — partially or fully; to suspend, restrict, or terminate any user or account at any time with or without cause; and to modify or replace any related policy with effect upon posting (subject only to legally-required minimum notice). The Owner's Universal Reservation of Rights — Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, and the Comprehensive Owner Protections in section 18 — and the No-Refund Policy are incorporated into this page in full. No security incident, security-control change, vendor change, downtime, outage, breach, or any other event gives rise to any refund, credit-back, pro-rated reimbursement, alternative compensation, SLA payout, or service credit of any kind. You waive any claim to refund, credit-back, pro-rated rebate, alternative compensation, or specific performance arising from the exercise of these rights or from any such event, except only where applicable mandatory law preserves an unwaivable right and only to the absolute minimum the law requires.
If you discover a security vulnerability, please report it responsibly to security@genzhook.com. Do not exploit vulnerabilities, access data that is not yours, or disclose issues publicly before we have had a reasonable opportunity to remediate. Good-faith researchers who follow this policy will not be pursued under anti-hacking statutes or DMCA §1201. We commit to acknowledging reports within 48 hours and publishing a coordinated disclosure timeline.
PGP key fingerprint and safe-harbor scope are published at /.well-known/security.txt.