Enterprise-grade protection for your content and data

Zop It is a multi-tenant platform, but your data is never co-mingled with another organization's in a way that anyone can access.

• Row-Level Security (RLS) is enforced in the database, so isolation is guaranteed by the data layer itself — not just by application code.
• Every request that touches customer data is scoped to the authenticated account on the server before any data is returned.
• We validate isolation with live intrusion testing that attempts cross-tenant access using only the credentials an outside attacker could obtain.

• All traffic is served exclusively over HTTPS/TLS, with HTTP Strict Transport Security (HSTS) enforced in production.
• Data at rest is encrypted by our database and file-storage providers using AES-256.
• Confidential media is delivered through short-lived, signed URLs that expire automatically and cannot be guessed or shared indefinitely.
• Modern security response headers (content-type protection, referrer policy, framing/clickjacking protection on sensitive pages) are applied across the platform.

• Role-based access separates platform administrators, channel owners, and viewers, with each role limited to its own scope.
• Authentication is handled by a managed identity provider; passwords are salted and hashed, never stored in plain text.
• Session and one-time-code data is locked to privileged backend access only and is never exposed to the browser.
• Sensitive account attributes (such as roles and subscription level) cannot be modified by end users — only by trusted server-side processes.

• All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider.
• We never see, handle, or store raw card numbers — sensitive cardholder data stays within Stripe's certified environment.
• Payout and billing configuration is restricted to authorized account owners and trusted backend processes.

• We perform regular security audits covering database access rules, API endpoints, file uploads, and dependencies.
• Uploaded files are served with protections that neutralize active-content attacks (for example, scripts embedded in image files).
• Third-party dependencies are monitored for known vulnerabilities and patched promptly.
• Abuse and cost-control limits protect platform availability against automated misuse.

We actively protect the integrity of the platform so your brand is never associated with impersonators or bad actors operating alongside you.

• New channels are screened against a maintained blocklist of well-known brands, organizations, and platforms to prevent impersonation at signup.
• Our matching normalizes common evasion tricks — look-alike spellings, leetspeak, and symbol substitutions — so impersonation attempts cannot slip through with minor tweaks.
• Brand-name enforcement runs server-side and cannot be bypassed by client-side manipulation; it applies to channel creation, renames, and account signup alike.
• Attempts to register a protected brand are blocked and routed to our team for review, keeping the marketplace trustworthy for legitimate publishers.

We rely on a small set of established, independently audited providers. We are happy to share our full sub-processor list during a security review.

• Vercel — application hosting and content delivery (SOC 2 Type II).
• Supabase — database and authentication (SOC 2 Type II).
• Vercel Blob — encrypted file and media storage.
• Stripe — payment processing (PCI-DSS Level 1).