Trust & Safety

Security

How we protect your photos, your clients, and your business.

Infrastructure

Zawiya runs on Vercel's globally distributed edge network with automatic DDoS mitigation, TLS 1.3 encryption in transit, and Cloudflare fronting all traffic. All data at rest is encrypted using AES-256. We do not run our own servers — we rely on Supabase (PostgreSQL) and Supabase Storage, both of which are SOC 2 Type II certified.

Photo storage

Your photos are stored in private Supabase Storage buckets. No file is ever publicly accessible by URL alone. Every image request goes through our signed-URL proxy, which validates the requester's session, enforces download quality limits, and expires the URL after a short window. Right-click saving of originals is disabled at the application layer for galleries where the photographer has enabled protection.

Access control

Gallery access is controlled at three levels:

  • Public — anyone with the link can view (no account required).
  • Password-protected — clients must enter a photographer-set password. Passwords are hashed with bcrypt before storage; we never store them in plaintext.
  • Private — only the photographer can view; share via a signed direct link.

Download tokens are single-use, short-lived, and scoped to a specific image and quality level. They cannot be reused or shared to bypass access restrictions.
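One way to build download tokens with the properties described above, shown as an added example that is not Zawiya's own code. The HMAC-SHA-256 construction, the claim names (`jti`, `img`, `q`, `exp`), and the in-memory set of redeemed ids are assumptions made for illustration.

```javascript
// Added example: an HMAC-signed download token that is short-lived, single-use,
// and scoped to one image and one quality level.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: a server-side secret; a random per-process key is used for the demo.
const SECRET = randomBytes(32);
// Assumption: in-memory store of redeemed token ids. A real deployment needs a
// shared store with an atomic insert so two parallel requests cannot both win.
// Entries can be dropped once their token has expired.
const redeemed = new Set();

const sign = (payload) => createHmac('sha256', SECRET).update(payload).digest();

function issueToken(imageId, quality, ttlSeconds, nowMs = Date.now()) {
  const claims = {
    jti: randomBytes(16).toString('hex'), // unique id, used to enforce single use
    img: imageId,
    q: quality,
    exp: Math.floor(nowMs / 1000) + ttlSeconds,
  };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload).toString('base64url')}`;
}

function redeemToken(token, imageId, quality, nowMs = Date.now()) {
  const [payload, sig, ...rest] = String(token).split('.');
  if (!payload || !sig || rest.length) return { ok: false, reason: 'malformed' };
  const given = Buffer.from(sig, 'base64url');
  const expected = sign(payload);
  // Verify the MAC in constant time before parsing anything the client sent.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (Math.floor(nowMs / 1000) >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.img !== imageId || claims.q !== quality) return { ok: false, reason: 'wrong-scope' };
  if (redeemed.has(claims.jti)) return { ok: false, reason: 'already-used' };
  redeemed.add(claims.jti); // burn the token only after every other check passed
  return { ok: true, reason: 'ok' };
}
```

Because the image id and quality are covered by the signature, a token issued for a web-size preview cannot be edited into one for the original file, and a replayed token is rejected on its second use.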

Authentication

Photographer accounts authenticate via Supabase Auth, which provides email/password login with email verification, secure session management using HTTP-only cookies, and automatic token rotation. We enforce a minimum password length of 8 characters, including at least one uppercase letter and one number.

All admin actions require a separate privilege check server-side regardless of the session cookie. Client-side role checks are purely cosmetic.

Billing & activation

Zawiya processes no online payments. There is no checkout, no card processing, and no payment integration of any kind on the platform, so we never store or transmit card or bank data — and there is no payment attack surface to exploit. Paid plans, upgrades, and featured listings are arranged directly with our team over WhatsApp or email and activated manually on your account.

Rate limiting & abuse prevention

All public gallery routes apply per-IP rate limiting for password attempts, download requests, and API calls. Repeated failed password attempts trigger a temporary lockout. Download traffic is throttled per session to prevent bulk scraping. Bot traffic is filtered at the Cloudflare edge before it reaches our application.

Data privacy

We collect only what is necessary to operate the platform. Client IP addresses are stored as one-way SHA-256 hashes — the original IP is never retained. EXIF metadata is stripped of personally identifiable fields (GPS coordinates, device serial numbers) before it is stored in our database. We do not sell, rent, or share your data or your clients' data with third parties. See our Privacy Policy for full details.

Vulnerability disclosure

If you discover a security vulnerability in Zawiya, please report it responsibly by emailing info@zawiya.studio. We aim to acknowledge all reports within 48 hours and to release a fix within 14 days for critical issues. Please do not publicly disclose the vulnerability until we have had a chance to address it.

Contact

For security concerns or questions, contact us at info@zawiya.studio.