Security

Last updated: July 1, 2026

Trust is earned with specifics, not badges. Here is exactly how we protect the service — and how to tell us when we got something wrong.

The short version

Minimal data, no passwords to steal, modern cryptography, and an open codebase anyone can audit. Security through simplicity.

Authentication

There are no passwords in Zerosoft. Accounts sign in with Google OAuth 2.0, and sessions use signed, httpOnly, SameSite cookies. Stealing a database of our password hashes is impossible, because it does not exist.

API keys

Programmatic access uses personal API keys (prefix zs_). Keys are generated with a cryptographically secure random source, stored only as hashes, shown to you exactly once, and revocable instantly from the dashboard.

Rate limiting — 100 requests per minute per key — contains abuse and accidents alike.

Link passwords

Password-protected short links hash their passwords with scrypt and per-link salts. We never store them in plain text and we cannot recover them — if you lose one, you simply set a new one.

Transport and encryption

All traffic runs over HTTPS with modern TLS. HSTS is enabled, insecure requests are redirected, and data at rest is encrypted by the infrastructure provider.

Data minimization

Our analytics are cookie-less and fingerprint-less by design: referrer, country and device are parsed from request headers, and the IP is discarded after geo-resolution. The best way to protect data is to never have it.

Open source as an audit

Every line of the products is public. You do not have to trust this page — you can read the code, run it yourself, and verify the claims. Reports from people who did exactly that are our favorite kind of email.

Infrastructure

The hosted cloud runs on providers with SOC 2-type certifications, in isolated environments with least-privilege access. Deploys are automated, reproducible and logged. Backups are encrypted and tested.

Reporting a vulnerability

Found something? Email security@zerosoft.ai. If you can, encrypt with our PGP key — fingerprint 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (full key published at zerosoft.ai/pgp.txt; being rotated at launch, and the address always works).

We acknowledge reports within 48 hours and aim to triage within 5 business days.

Responsible disclosure

Give us a reasonable window to fix before publishing; do not access, modify or delete other people's data; do not degrade the service while testing.

In return: we will not pursue legal action against good-faith research, we will credit you (if you want) when the fix ships, and we will say thank you like we mean it.