Security
Our security commitment
At Zylior, your growth runs on your data: ad campaigns, leads, content, meeting calendars, access to your tools. We're fully aware of that. Security isn't a box you tick once and for all; it's a discipline we apply to every line of code, every deployment, and every access. This page explains concretely how we protect your growth command center and the information that flows through it.
We favor a "managed-first" approach: we rely on recognized and certified infrastructure providers, we reduce the surface we operate ourselves, and we systematically apply the principle of least privilege. Less needless complexity means less risk for you.
Data encryption
In transit
All communications between your browser, our applications, and our services are encrypted via TLS 1.2 or higher. Unencrypted traffic is refused: no data travels in cleartext over the network. We enforce strict HTTPS redirection with HSTS and use modern cipher suites.
At rest
Data stored in our databases and volumes is encrypted at rest with the AES-256 algorithm. This applies to databases, backups, and files uploaded to the platform. Encryption keys are managed by our infrastructure provider via a dedicated service, with regular rotation, and are never exposed in the code or logs.
Secrets and third-party credentials
The access tokens and credentials for the third-party services you connect to Zylior (ad networks, email services, CRM, calendars) are encrypted and stored in an isolated secrets vault. They are decrypted only at the moment strictly necessary to run an automation, and are never displayed in cleartext in the interface.
Hosting and data location
Zylior's entire infrastructure is hosted within the European Union, with recognized cloud infrastructure providers holding leading security certifications (notably ISO 27001 and SOC 2). Your production data and its backups remain in the EU.
When a feature's processing involves a processor located outside the EU, we govern it with the appropriate safeguards provided for by the GDPR (standard contractual clauses) and document it in our register of processors.
Per-customer data isolation
Zylior runs a portfolio of several micro-SaaS products for founders and agencies. The separation between each customer's data is a fundamental requirement of our architecture.
- Every record is tied to an account identifier (tenant), and all queries are filtered at this level by default.
- The isolation check is enforced at the lowest possible level of the data access layer, rather than left to the discretion of each screen.
- Production, test, and development environments are strictly separated. No real customer data is used for development or testing.
- AI processing runs within the scope of the account concerned: one customer's data is never used to enrich, train, or feed another's account.
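The isolation principle above (tenant filter applied in the data access layer rather than per screen) as an added illustration in Python; this is not Zylior's code, and the `leads` table, the account identifiers and the sample rows are constructed for the example:

```python
"""Tenant-scoped data access layer (illustrative, not Zylior's code).

Every query is bound to a tenant identifier inside the repository, so a
screen that forgets to filter cannot read or delete another account's rows.
Uses an in-memory sqlite3 database with constructed sample data.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantContext:
    tenant_id: str


class TenantScopeError(Exception):
    """Raised when code tries to open the data layer without a tenant."""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, email TEXT NOT NULL)")
    # Constructed sample data: two accounts, each with its own leads
    conn.executemany("INSERT INTO leads (tenant_id, email) VALUES (?, ?)", [
        ("acct-a", "alice@example.com"),   # id 1
        ("acct-a", "amy@example.com"),     # id 2
        ("acct-b", "bob@example.com"),     # id 3
    ])
    return conn


class LeadRepository:
    """All reads and writes go through here; the tenant filter is not optional."""

    def __init__(self, conn, ctx: TenantContext):
        if not ctx.tenant_id:
            raise TenantScopeError("tenant context required")
        self._conn, self._tenant = conn, ctx.tenant_id

    def list_emails(self):
        rows = self._conn.execute(
            "SELECT email FROM leads WHERE tenant_id = ? ORDER BY email",
            (self._tenant,))
        return [r[0] for r in rows]

    def get(self, lead_id):
        # Returns None when the id exists but belongs to another account
        return self._conn.execute(
            "SELECT id, email FROM leads WHERE id = ? AND tenant_id = ?",
            (lead_id, self._tenant)).fetchone()

    def delete(self, lead_id):
        # rowcount is 0 if the row is outside this tenant: nothing leaks
        return self._conn.execute(
            "DELETE FROM leads WHERE id = ? AND tenant_id = ?",
            (lead_id, self._tenant)).rowcount


def demo():
    conn = _connect()
    a = LeadRepository(conn, TenantContext("acct-a"))
    b = LeadRepository(conn, TenantContext("acct-b"))
    return {"a_sees": a.list_emails(),
            "b_gets_lead_1": b.get(1),        # lead 1 is acct-a's: None
            "b_deletes_lead_1": b.delete(1),  # 0 rows affected
            "a_still_has": a.list_emails()}
```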
Access control and least privilege
Access to Zylior's systems is strictly governed and limited to the people who genuinely need it for their role.
- Least privilege: each team member and each service has only the rights essential to their task, nothing more.
- Strong authentication: multi-factor authentication (MFA) is mandatory on all access to administration tools and infrastructure.
- Named access: access is individual and traceable. Shared accounts are prohibited.
- Regular review: access rights are reviewed periodically and revoked immediately when an employee leaves.
- On the platform side: within your workspace, you manage your team's roles and permissions to control who can see and do what.
Backups and disaster recovery
Your data is backed up automatically and regularly so that it can be restored in the event of an incident.
- Encrypted, automated database backups, retained over a rolling period.
- Backups stored in the EU, separate from the production environment.
- Restore tests carried out periodically to ensure that backups are usable, not just present.
- A documented disaster recovery plan, with defined recovery time objectives (RTO) and recovery point objectives (RPO, the maximum tolerated data loss).
Logging and monitoring
Our systems are continuously monitored to detect abnormal behavior as early as possible.
- Logging of access, sensitive actions, and authentication events.
- Availability and performance monitoring, with automatic alerts in the event of an anomaly.
- Centralization of logs and retention for a defined period, with protection against modification.
- Logs are designed not to contain secrets or unnecessary personal data.
Incident management
Despite every precaution, no system is infallible. So we have a clear process to react quickly and well.
- Detection and assessment: any suspicious event is analyzed and classified according to its severity.
- Containment and resolution: we isolate the cause, fix the flaw, and restore the service.
- Notification: in the event of a personal data breach, we notify the competent supervisory authority within 72 hours and inform the affected customers without undue delay, in accordance with the GDPR.
- Post-incident analysis: every significant incident is the subject of a documented retrospective to prevent it from recurring.
GDPR compliance
Zylior processes personal data in strict compliance with the General Data Protection Regulation (GDPR).
- Legal bases and purposes: we process data only for specific and legitimate purposes related to providing the service.
- Minimization: we collect only the data necessary for the platform to function.
- Processor role: for the data of your own prospects and customers, you are the controller and Zylior acts as a processor, within the framework of a data processing agreement (DPA).
- Individuals' rights: we help you respond to requests for access, rectification, erasure, and portability.
- Sub-processors: we keep our list of sub-processors up to date and govern them contractually.
- Retention: data is retained for as long as necessary to provide the service, then deleted or anonymized.
For any question regarding data protection or to exercise your rights, write to us at hello@zylior.com.
Overview of security measures
| Area | Measure applied |
|---|---|
| Encryption in transit | TLS 1.2+, strict HTTPS (HSTS) |
| Encryption at rest | AES-256 (databases, backups, files) |
| Hosting | European Union, providers certified ISO 27001 / SOC 2 |
| Isolation | Data partitioning per customer account |
| Access control | Least privilege, mandatory MFA, named access |
| Backups | Automated, encrypted, restore tested |
| Monitoring | Logging, alerts, protected retention |
| Compliance | GDPR, DPA, register of processors |
Responsible disclosure
Security is a team effort, and the security researcher community contributes to it. If you discover a potential vulnerability in Zylior, we count on you to report it to us responsibly rather than disclosing it publicly.
- Write to us at security@zylior.com with a detailed description and the steps to reproduce the issue.
- Give us a reasonable amount of time to analyze and fix the flaw before any public disclosure.
- Do not access other customers' data, degrade the service, or carry out any destructive action during your testing.
- We undertake to acknowledge receipt of your report, keep you informed of its handling, and credit your contribution if you wish.
Researchers who follow this good-faith approach will not be subject to any legal action on our part.