
Security at ZillaSoft

How we protect your account, your data, and the infrastructure that runs our products.

What we do to keep you safe

These practices are in place today, not planned for the future.

HTTPS everywhere

All traffic is served exclusively over HTTPS. HTTP requests are refused. HSTS is enforced with a one-year max-age to prevent protocol downgrade attacks.

Security headers

Every response includes X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy (strict-origin-when-cross-origin), and a strict Content Security Policy (CSP) enforced at the CDN layer. XSS protection is handled by the CSP with a script-src 'self' policy rather than the deprecated X-XSS-Protection header.
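As an added example (not ZillaSoft's own code), here is a check a defender could run over captured response headers to confirm they match the policy stated above; the expected values are the ones this page names, and the sample headers inside the block are constructed, not captured from any real site.

```python
import re

ONE_YEAR = 31536000  # the one-year HSTS max-age this page states

def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security header, or None."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_security_headers(headers):
    """Return findings; an empty list means the response matches the stated policy."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None or age < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    if parse_csp(h.get("content-security-policy", "")).get("script-src") != ["'self'"]:
        findings.append("CSP script-src is not exactly 'self'")
    if "x-xss-protection" in h:
        findings.append("deprecated X-XSS-Protection header is still sent")
    return findings

# Constructed sample headers (not captured from any real site): one matching response, one drifted.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}
DRIFTED_HEADERS = dict(GOOD_HEADERS, **{
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
})
```

Feeding the headers of a live response into check_security_headers turns the claims in this section into something you can verify on each deploy.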

Authentication via Auth0

All user authentication is handled by Auth0 using the PKCE flow. No passwords are stored by ZillaSoft. Session tokens are held in memory and never persisted to localStorage.

Data encryption at rest

All Snipzilla snippet data is encrypted locally using AES-256-GCM. Encryption keys are stored in your device's OS keyring and never written to disk alongside your data. Your snippet files are unreadable at rest, even with direct access to the underlying storage.

Global CDN delivery

The ZillaSoft website is served from AWS CloudFront, a globally distributed CDN. Static assets are served from edge locations close to each visitor with no origin server exposed to the public internet.

Email authentication

All outbound email from zillasoft.io is protected by DKIM signing and DMARC policy enforcement. This prevents spoofing and ensures email integrity for transactional and notification messages.

Bot & spam protection

All public-facing forms use Cloudflare Turnstile to verify human submissions without invasive tracking. A secondary honeypot layer silently filters automated bots before any request reaches our backend.

API rate limiting

The Snipzilla API enforces per-endpoint rate limits to prevent abuse and brute-force attempts. Requests that exceed thresholds are rejected before they reach application logic.

Snippets stay on your device

Snippet data for Standard plan users is stored locally on your machine and never transmitted to ZillaSoft servers. Cloud sync is included in Premium and Enterprise plans and active by default. Synced data is end-to-end encrypted before it leaves your device.

Complete account deletion

Users can permanently delete their account directly from the dashboard at any time. Deletion cascades across all systems: subscription is cancelled, all stored data is purged from our database, and the identity record is removed from our auth provider. Nothing lingers.

No third-party tracking

The ZillaSoft website loads no analytics, advertising, or fingerprinting scripts. Fonts are self-hosted, so no requests go to Google Fonts or similar services. The only external resource this site loads is Cloudflare Turnstile, used exclusively on forms for bot protection.

No keylogging, ever

Snipzilla requires a global keyboard hook to detect your configured trigger character as you type. That mechanism is the same one keyloggers use, so it is worth being direct: Snipzilla watches only for your trigger character. No keystrokes are recorded, stored, transmitted, or shared. The hook exists exclusively to detect expansion triggers and nothing else.

End-to-end encrypted sync

Cloud-synced snippet data is end-to-end encrypted using AES-256-GCM. Encryption and decryption happen entirely on your device. The server stores only ciphertext it cannot read. A recovery code is generated on first sync; save it to restore access on a new device. All data is also secured in transit by HTTPS.

Responsible disclosure

Found a security issue? We want to know. Please report vulnerabilities privately before disclosure.

A security.txt file is available at /.well-known/security.txt with our contact details in the standard format for security researchers.

How to report

  1. Submit your report via our secure contact form (select "Security" as the subject). Reports are routed to a private channel and are never publicly visible.

  2. We will acknowledge your report within 2 business days and aim to provide a fix or mitigation within 30 days, depending on severity.

  3. We ask that you give us time to address the issue before public disclosure. We will credit researchers who follow responsible disclosure practices.

Prefer email? You can also reach us directly at [email protected]. Either channel routes to the same private security inbox.

What's coming

SOC 2 Type II audit

Planned for after our initial product launch. The audit period will begin once we have a stable user base that justifies the process and cost.

Third-party security verifications

Independent security assessments will be scheduled as part of the enterprise readiness roadmap.

macOS support

Snipzilla currently supports Windows and Linux. macOS support is on the roadmap and will be released once code signing and platform certification requirements are in place.

Third-party accessibility audit

An independent audit against WCAG 2.1 Level AA is planned to formally verify our accessibility commitments across all ZillaSoft products and web properties.

Stashzilla clipboard manager

A privacy-first desktop clipboard manager for Windows and Linux, currently in development. Features a global search overlay, AI-powered clip tagging, and deep Snipzilla integration.

Changes to this page

We may update our security practices over time.

Change type | Notice
Minor (typos, clarifications, legal-required, or similar) | Update "Last updated" date, effective immediately
Material (new practices, data handling, third parties, or similar) | Email at least 14 days before effective date

Last reviewed: June 13, 2026