Regulatory alignment

Zafroi is built around two regulatory baselines: India's Digital Personal Data Protection Act (DPDP Act 2023) and the EU General Data Protection Regulation (GDPR). Both require explicit consent capture, breach notification, right to access, right to erasure, and a defensible audit trail. Zafroi covers each of these as platform primitives, not optional features.

  • Tenant onboarding requires acceptance of Terms, Privacy and a Data Processing Agreement (DPA), with versioned acceptance timestamps.
  • User accounts capture per-document consent at first sign-in.
  • Marketing consent is opt-in and revocable, never inferred.

Data subject rights (DSAR)

GDPR Article 15 (access), 17 (erasure) and 20 (portability) — and DPDP Act equivalents — are operationalised as one-click endpoints in the admin console.

  • Export: generate a portable JSON dump of every record a tenant or user owns, delivered via a signed download URL with a limited TTL.
  • Soft erasure: PII fields zeroed, rows preserved for audit referential integrity. This is the default behaviour.
  • Hard erasure: cascade delete; only the audit log row survives, with redacted references for the legal trail.
  • Both require typing the entity's code to confirm — no accidental deletes.

PII handling

Sensitive fields (email, phone, address) are masked by default in operator-facing tables and detail panes. Each click-to-reveal is logged to the audit trail (GDPR Article 30 "records of processing activities"), giving you a complete picture of who saw what.

Audit trail

Every mutation, every PII reveal, every login is recorded. Filterable by tenant, actor, action and date range. Retention follows industry norms (7 years for security events, 13 months for PII access).

  • Actor identity (user or API client) on every event
  • Diff snapshots (before/after) on updates
  • IP, user agent, and request id captured for forensics
  • Read access surfaced in the admin UI for compliance reviews

Authentication & access

  • Email + password with argon2 hashing, account lockout after 5 failed attempts, configurable password policy
  • TOTP MFA (RFC 6238) with single-use recovery codes
  • JWT sessions — short-lived access tokens (15 min) + rotating refresh tokens (7 days)
  • Active session management — see signed-in devices, revoke any session
  • Role-based access within a tenant: admin / manager / operator / viewer
  • Tier-based access across tenants: PLATFORM_ADMIN / TENANT_ADMIN / INTEGRATION / PORTAL

Multi-tenant isolation

Tenant data is isolated at the database row level and enforced at every query boundary. A TENANT_ADMIN cannot read another tenant's data even by guessing IDs — the API returns 403 Forbidden and writes a security audit event.

For cross-tenant ZAFROI ops actions, the API echoes actingAsTenant on every response. The admin UI surfaces a persistent indicator so an operator can never accidentally mutate the wrong tenant's data.
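A reduced tenant-scoping guard illustrating the two behaviours described above: a guessed id owned by another tenant yields 403 plus a security audit event, and every successful response echoes actingAsTenant. This is an added example, not Zafroi's code; the in-memory ORDERS table, the Principal fields and the audit record shape are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ORDERS = {  # constructed sample table: every row carries its owning tenant id
    "ord_1": {"tenant_id": "t_acme", "total": 100},
    "ord_2": {"tenant_id": "t_globex", "total": 250},
}
AUDIT: list = []  # stand-in for the security audit log

@dataclass
class Principal:
    actor: str
    tier: str                        # PLATFORM_ADMIN | TENANT_ADMIN | INTEGRATION | PORTAL
    tenant_id: Optional[str]         # None for platform-level operators
    acting_as_tenant: Optional[str] = None  # honoured only for PLATFORM_ADMIN
    ip: str = "203.0.113.10"
    request_id: str = "req-0001"

class Forbidden(Exception):
    pass

def effective_tenant(p: Principal) -> Optional[str]:
    """Tenant the request acts on. Non-platform tiers are pinned to their own
    tenant, so a spoofed actingAsTenant from a TENANT_ADMIN is simply ignored."""
    return p.acting_as_tenant if p.tier == "PLATFORM_ADMIN" else p.tenant_id

def get_order(p: Principal, order_id: str) -> dict:
    tenant = effective_tenant(p)
    row = ORDERS.get(order_id)
    if row is None:
        raise KeyError(order_id)
    # Scope check at the query boundary (the "AND tenant_id = ?" of a real query):
    # a guessed id that belongs to another tenant is denied and audited.
    if tenant is None or row["tenant_id"] != tenant:
        AUDIT.append({"action": "cross_tenant_read_denied", "actor": p.actor,
                      "tenant": tenant, "target": order_id,
                      "ip": p.ip, "request_id": p.request_id})
        raise Forbidden(order_id)
    # actingAsTenant is echoed so the UI can show which tenant the data belongs to.
    return {"actingAsTenant": tenant, "order": row}

def handle_get_order(p: Principal, order_id: str) -> tuple:
    # Route-level wrapper: maps the guard's outcome onto the HTTP status returned.
    try:
        return 200, get_order(p, order_id)
    except KeyError:
        return 404, {"code": "NotFound"}
    except Forbidden:
        return 403, {"code": "Forbidden"}
```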

API integrations

  • Tenant-scoped API keys per integration purpose (inventory sync, order sync, dispatch, etc.)
  • Plaintext shown once at issuance — never on subsequent reads. Always argon2-hashed at rest.
  • Rotation + revocation with full audit
  • PORTAL tier for end-customer-facing endpoints (storefronts, tracking pages) — read-only by design

Subscription gating

Tenants in past_due, expired or cancelled subscription states return a clean 403 from operational endpoints with code SubscriptionExpired. The UI routes to a friendly suspended landing page; platform admin endpoints stay accessible so renewal is one-click.

Operational security

  • All traffic over TLS 1.2+
  • Rate limiting per API key + per IP
  • Idempotent mutations where the operation is naturally retry-safe
  • Backups: daily snapshots with documented restore SLOs
  • Secrets stored in a managed KMS, never in environment files

Coming next

Roadmap items — not yet shipped, but on the boards:

  • SSO (SAML/OIDC) for enterprise tenants
  • SOC 2 Type II audit (target Q4)
  • Hardware-key (WebAuthn) MFA
  • Per-tenant data residency for EU customers

Need our DPA?

We send the latest version on request. Reply with your DPO contact and we'll route it to legal.

Email legal@zafroi.com