Trust · Security · Compliance
This page summarises everything GenZHook does to protect your privacy, your business, and your money — and what you can do if something looks wrong. It is updated whenever our security posture changes.
✓TLS 1.2+ in transit, HSTS preload, perfect-forward-secrecy ciphers only.
✓Database encrypted at rest by Supabase (AES-256).
✓Daily automated database backups to a private Supabase Storage bucket; admin-signed download URLs only.
✓OAuth tokens for connected social platforms stored encrypted (per-row column-level encryption).
✓2FA secrets stored encrypted; recovery codes issued one-time.
✓Password hashing handled by Supabase Auth (bcrypt).
✓Two-factor authentication via TOTP (Authenticator apps).
✓Recovery codes for 2FA (one-time, hashed at rest).
✓Brute-force defence: 5 sign-in attempts per IP per 15 minutes; 60 API calls per minute as the general limit on other routes; AI generation rate-limited per user.
✓Honeypot anti-bot fields on signup and login.
✓Sessions auto-rotate; admin role requires 2FA enrolment before any admin page is reachable.
✓Every public table has Postgres RLS enabled. Service-role-only tables (sequence/log) are explicitly documented.
✓Every foreign-key column is indexed (checked by the automated audit).
✓Monthly automated DB audit + auto-fix engine; results visible in /admin/supabase-audit.
✓Admin actions are written to an immutable audit log (forensic trail).
✓Magic-byte signature verification on every uploaded file — never trust the browser-supplied MIME.
✓Hard rejection of executables (PE, ELF, Mach-O), Java class files, Flash, RTF, OLE, archives, scripts.
✓SVG and HTML uploads quarantined — they can host scripts.
✓Polyglot detection (file pretending to be one thing while also being another).
✓Decompression-bomb caps on image dimensions (4096-pixel long-edge ceiling).
✓Re-encoded server-side via Sharp/libvips, stripping EXIF metadata before storage.
✓Every reject logged to the malware-scan log for forensic review.
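The upload checks above, as an added example (not GenZHook's own code): a classifier that trusts only the bytes, rejects the executable, bytecode, Flash, RTF, OLE, archive and script signatures by magic number, quarantines SVG/HTML, flags image files that also carry script, PHP, SVG/HTML or an appended ZIP (polyglots), and reads the declared PNG/GIF/JPEG dimensions against a 4096 px long-edge cap before anything is handed to a decoder. The signature table, the polyglot marker list, the cap and the sample buffers are assumptions constructed for the example.

```javascript
// Added example (not GenZHook's code): classify an upload by its leading bytes,
// ignoring the browser-supplied MIME type. The signature table, the polyglot
// markers and the 4096 px long-edge cap are assumptions taken from the checklist.
const LONG_EDGE_MAX = 4096;

// Hard-reject signatures: executables, bytecode, Flash, RTF, OLE, archives, scripts.
const REJECT = [
  ['PE executable', [0x4d, 0x5a]],                                 // "MZ"
  ['ELF executable', [0x7f, 0x45, 0x4c, 0x46]],                    // "\x7FELF"
  ['Mach-O', [0xcf, 0xfa, 0xed, 0xfe]], ['Mach-O', [0xce, 0xfa, 0xed, 0xfe]],
  ['Mach-O', [0xfe, 0xed, 0xfa, 0xcf]], ['Mach-O', [0xfe, 0xed, 0xfa, 0xce]],
  ['Java class or Mach-O fat binary', [0xca, 0xfe, 0xba, 0xbe]],    // shared magic
  ['Flash SWF', [0x46, 0x57, 0x53]], ['Flash SWF (zlib)', [0x43, 0x57, 0x53]],
  ['RTF', [0x7b, 0x5c, 0x72, 0x74, 0x66]],                         // "{\rtf"
  ['OLE compound file', [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]],
  ['ZIP archive', [0x50, 0x4b, 0x03, 0x04]],                       // "PK\x03\x04"
  ['gzip', [0x1f, 0x8b]], ['RAR', [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07]],
  ['script with shebang', [0x23, 0x21]],                           // "#!"
];

// Accepted raster formats, each with a parser for the dimensions it declares.
const IMAGES = {
  png:  { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
          dims: b => (b.length >= 24 ? [b.readUInt32BE(16), b.readUInt32BE(20)] : null) },
  gif:  { magic: [0x47, 0x49, 0x46, 0x38],                           // "GIF8"
          dims: b => (b.length >= 10 ? [b.readUInt16LE(6), b.readUInt16LE(8)] : null) },
  jpeg: { magic: [0xff, 0xd8, 0xff], dims: jpegDims },
};

// A file that is a valid image *and* contains one of these is treated as a polyglot.
const POLYGLOT_MARKERS = ['<script', '<?php', '<svg', '<html', 'PK\x03\x04', '#!/'];

function startsWith(buf, sig) {
  if (buf.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) if (buf[i] !== sig[i]) return false;
  return true;
}

// Walk JPEG segments to the first SOFn header (FF C0..CF except C4/C8/CC) and
// read its width/height; returns null if the header is missing or truncated.
function jpegDims(b) {
  let i = 2;                                                         // past SOI
  while (i + 4 <= b.length && b[i] === 0xff) {
    const marker = b[i + 1];
    if (marker === 0xff) { i += 1; continue; }                        // fill byte
    if (marker >= 0xc0 && marker <= 0xcf && ![0xc4, 0xc8, 0xcc].includes(marker)) {
      return i + 9 <= b.length ? [b.readUInt16BE(i + 7), b.readUInt16BE(i + 5)] : null;
    }
    i += 2 + b.readUInt16BE(i + 2);                                  // skip this segment
  }
  return null;
}

function classifyUpload(buf) {
  for (const [kind, sig] of REJECT) {
    if (startsWith(buf, sig)) return { verdict: 'reject', kind, reason: 'forbidden type' };
  }
  // SVG/HTML are text: sniff the first KB after any BOM and leading whitespace.
  const head = buf.subarray(0, 1024).toString('utf8').replace(/^\uFEFF/, '').trimStart().toLowerCase();
  if (/^(<\?xml[^>]*>\s*)?(<!--[\s\S]*?-->\s*)*(<!doctype\s+(html|svg)|<svg|<html|<script)/.test(head)) {
    return { verdict: 'quarantine', kind: 'svg/html', reason: 'may carry script' };
  }
  for (const [kind, fmt] of Object.entries(IMAGES)) {
    if (!startsWith(buf, fmt.magic)) continue;
    const body = buf.toString('latin1');
    const marker = POLYGLOT_MARKERS.find(m => body.includes(m));
    if (marker) return { verdict: 'reject', kind, reason: `polyglot: contains ${JSON.stringify(marker)}` };
    const dims = fmt.dims(buf);
    if (!dims) return { verdict: 'reject', kind, reason: 'truncated or malformed header' };
    if (Math.max(...dims) > LONG_EDGE_MAX) {
      return { verdict: 'reject', kind, reason: `declared ${dims[0]}x${dims[1]} exceeds ${LONG_EDGE_MAX}px` };
    }
    return { verdict: 'accept', kind, reason: `${dims[0]}x${dims[1]}` };
  }
  return { verdict: 'reject', kind: 'unknown', reason: 'unrecognised signature' };
}

// Constructed samples (headers only, not real uploads).
const SAMPLES = {
  png8x8:    Buffer.from('89504e470d0a1a0a' + '0000000d49484452' + '00000008' + '00000008' + '0806000000', 'hex'),
  pngBomb:   Buffer.from('89504e470d0a1a0a' + '0000000d49484452' + '0000ffff' + '0000ffff' + '0806000000', 'hex'),
  gifScript: Buffer.from('GIF89a\x10\x00\x10\x00<script>alert(1)</script>', 'latin1'),
  exe:       Buffer.from('MZ\x90\x00\x03\x00', 'latin1'),
  svg:       Buffer.from('\uFEFF  <?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>', 'utf8'),
  jpeg64x48: Buffer.from('ffd8' + 'ffe00010' + '4a46494600010100000100010000' + 'ffc0000b08' + '0030' + '0040' + '01011100', 'hex'),
};
```

The dimension check runs on the declared header, which is the whole point: a 60000 x 60000 PNG is a few hundred bytes on disk and several gigabytes once decoded, so the cap has to be enforced before libvips is asked to decode it. The polyglot scan is deliberately blunt (a substring search over the whole file); a re-encode through Sharp, as the checklist describes, is what actually strips anything that survives it.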
✓User-supplied URLs validated against a private-IP / loopback / link-local blocklist before fetch.
✓Response-size cap and content-type allowlist on every outbound URL fetch.
✓Strict redirect cap and per-request timeout on every outbound fetch, so a redirect chain cannot loop indefinitely.
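The URL validation described in the three items above, as an added example (not GenZHook's own code). It rejects non-http(s) schemes and embedded credentials, expands IPv4 and IPv6 literals (including the IPv4-mapped and NAT64 forms that hide a 169.254.x.x or 127.x.x.x address inside an IPv6 literal) against a loopback / private / link-local list, and applies the same check to every DNS answer, because a public hostname that resolves to 10.0.0.5 is the usual way past a literal-only blocklist. The range list, the reasons and the `checkResolved` input shape (the objects returned by Node's `dns.lookup` with `all: true`) are assumptions.

```javascript
// Added example (not GenZHook's code): validate a user-supplied URL before any
// server-side fetch. Range list and reasons are assumptions; the important part
// is that both URL literals and every DNS answer go through the same check.
function ipv4Octets(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every(n => n <= 255) ? o : null;
}

function ipv4Reason([a, b]) {
  if (a === 127) return 'loopback 127.0.0.0/8';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private (RFC 1918)';
  if (a === 169 && b === 254) return 'link-local 169.254.0.0/16 (cloud metadata)';
  if (a === 100 && b >= 64 && b <= 127) return 'carrier-grade NAT 100.64.0.0/10';
  if (a === 0) return 'this-network 0.0.0.0/8';
  if (a >= 224) return 'multicast/reserved/broadcast';
  return null;                                                      // public
}

// Expand an IPv6 literal into eight 16-bit words; handles "::" and an embedded
// dotted IPv4 tail. Returns null on anything malformed.
function ipv6Words(s) {
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toWords = h => (h === '' ? [] : h.split(':').flatMap(w => {
    if (w.includes('.')) { const o = ipv4Octets(w); return o ? [(o[0] << 8) | o[1], (o[2] << 8) | o[3]] : [NaN]; }
    return /^[0-9a-f]{1,4}$/i.test(w) ? [parseInt(w, 16)] : [NaN];
  }));
  const left = toWords(halves[0]), right = halves.length === 2 ? toWords(halves[1]) : [];
  const fill = 8 - left.length - right.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  const words = [...left, ...new Array(fill).fill(0), ...right];
  return words.some(Number.isNaN) ? null : words;
}

function ipv6Reason(w) {
  const mapped = w.slice(0, 5).every(x => x === 0) && w[5] === 0xffff;                  // ::ffff:a.b.c.d
  const nat64 = w[0] === 0x64 && w[1] === 0xff9b && w.slice(2, 6).every(x => x === 0);  // 64:ff9b::/96
  if (mapped || nat64) {
    const v4 = ipv4Reason([w[6] >> 8, w[6] & 0xff, w[7] >> 8, w[7] & 0xff]);
    return v4 ? `${mapped ? 'IPv4-mapped' : 'NAT64'} ${v4}` : null;
  }
  if (w.every(x => x === 0)) return 'unspecified ::';
  if (w.slice(0, 7).every(x => x === 0) && w[7] === 1) return 'loopback ::1';
  if ((w[0] & 0xfe00) === 0xfc00) return 'unique-local fc00::/7';
  if ((w[0] & 0xffc0) === 0xfe80) return 'link-local fe80::/10';
  if ((w[0] & 0xff00) === 0xff00) return 'multicast ff00::/8';
  return null;
}

// For a host string: is it an address literal, and if so is it forbidden?
function addressVerdict(host) {
  const o = ipv4Octets(host);
  if (o) return { literal: true, reason: ipv4Reason(o) };
  const w = host.includes(':') ? ipv6Words(host) : null;
  if (w) return { literal: true, reason: ipv6Reason(w) };
  return { literal: false, reason: host.includes(':') ? 'malformed IPv6 literal' : null };
}

// Policy for the URL itself. WHATWG parsing (Node's URL) already normalises
// forms such as http://2130706433/ and http://0x7f.1/ to 127.0.0.1.
function checkUrl(str) {
  let u;
  try { u = new URL(str); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const v = addressVerdict(host);
  if (v.reason) return { ok: false, reason: `${host}: ${v.reason}` };
  return { ok: true, host, literal: v.literal };
}

// Apply the same policy to every answer from dns.lookup(host, { all: true }),
// then connect only to an address that passed (pin it; do not re-resolve).
function checkResolved(host, answers) {
  const bad = answers.map(a => ({ ...a, reason: addressVerdict(a.address).reason })).find(a => a.reason);
  return bad ? { ok: false, reason: `${host} resolves to ${bad.address}: ${bad.reason}` } : { ok: true };
}
```

Two things the page's three items imply but are easy to get wrong: each `Location` on a redirect is a new user-controlled URL and must go back through `checkUrl` and `checkResolved`, and the socket must be opened to the address that was checked rather than letting the HTTP client resolve the name a second time (DNS rebinding exploits that gap).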
✓Production source maps disabled — minified, unmapped JS only.
✓llms.txt + ai-manifest.json carry an attribution-required licence.
✓robots.txt explicitly addresses 22 AI bots and 8 search engines.
✓X-Content-Owner header on every machine-readable surface.
✓Optional per-plan watermark on AI-generated images.
✓DMCA contact in /.well-known/security.txt and on /dmca.
✓50 owner-protection clauses in the Terms of Service.
✓Privacy Policy, Cookie Policy, DPA, Sub-processors.
✓Absolute no-refund policy stated up-front; cancel any time, access continues to period-end.
✓AI training disclosure, DMCA, Acceptable Use, Incident Response.
✓Right to portability — request a JSON export of all your data from /settings.
✓Right to erasure — delete your account from /settings; cascades through every owned table.
✓Cookie consent toast (non-blocking) on first visit; non-essential cookies only after explicit accept.
✓Server-side PII redaction in logs (emails, phones, JWTs, payment tokens, API keys).
✓IP addresses hashed before storage in audit and abuse-report tables.
✓Card data never touches our servers — Stripe and Razorpay tokenise before anything reaches us.
✓Webhook signature verification on every Stripe, Razorpay, and QStash callback.
✓Webhook idempotency tables (stripe_webhook_events, razorpay_webhook_events) prevent double-processing.
✓GST-compliant tax invoices for Indian customers (HSN 997331 / 998319, sequential numbering per FY).
✓Affiliate payouts use RazorpayX with HMAC-signed instructions.
✓All third-party API keys live in the encrypted `app_secrets` table; rotated from /admin/api-keys without redeploying.
✓Service-role keys never sent to the browser; only accessible to server-side code.
✓CRON routes protected with timing-safe bearer-token compare.
✓14-day free-trial tombstone — same email, mobile, or device fingerprint cannot re-claim a trial.
✓Account-suspension capability for confirmed misconduct (sign-in blocked, content frozen, no data deleted).
✓Content moderation on AI inputs and outputs.
✓Anyone (signed in or anonymous) can file an abuse report at abuse@genzhook.com.
✓CSAM, terror content, fraud, copyright violations forwarded to authorities per policy.
✓security.txt with disclosure contact and PGP fingerprint.
✓Public incident response page with notification commitments.
✓Daily automated SEO/AEO/AI-SEO health audit; 67-locale hreflang.
✓Manual audit runs available to admins; full run history persisted.
✓Daily DB backups: 7 most recent + 1st-of-month for 12 months. Older auto-pruned.
✓Translation cache: 30 days (Upstash). Cleaned automatically.
✓GDPR exports: 7-day signed URLs, then file deleted.
✓Audit logs retained for forensic + legal requirements.
Vulnerability disclosure: security@genzhook.com (we acknowledge within 24 hours).
Copyright / DMCA: dmca@genzhook.com.
Abuse, scams, impersonation: abuse@genzhook.com.
Privacy / GDPR / data deletion: privacy@genzhook.com.
© 2026 GenZHook. Hooks at Velocity. All rights reserved.