Security Statement


Ziflow’s commitment is to provide the best and most secure online proofing system to every customer, regardless of their size. We use Ziflow internally every day to deliver great work, faster and with more accuracy. Ensuring Ziflow remains secure is vital to protecting our own data, and protecting your work is our highest priority.

Our security strategy covers all aspects of our business, including:

  • Certifications
  • Ziflow corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Collaborating with third-party security industry experts
  • Data model access control in Ziflow
  • Systems development and maintenance
  • Service development and maintenance


Ziflow has obtained SOC 2 certification by an accredited auditing organization. SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy. For security-conscious businesses, SOC 2 compliance is an absolute requirement when considering a SaaS provider.

Corporate Security Policies & Procedures

Every Ziflow employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at service and Access rights are based on employee’s job function and role, and are regularly reviewed for refinement.

Security in our Software Development Lifecycle

All changes to Ziflow’s code base go through a suite of automated tests, in addition to manual reviews. When code changes pass the automated testing system, the changes are first pushed to a staging server, where Ziflow engineers further test changes before an eventual release to production servers, and our customer base. We also undertake customized security reviews for particularly sensitive changes and features. Ziflow engineers also have the ability to take action on critical updates and push them immediately to production servers, in the form of a software patch.

In addition to a list where all access control changes are published, we have a suite of automated tests that check that access control rules are written properly and enforced as expected.

Code Review

All components developed at Ziflow are peer-reviewed by the product team to ensure security, performance, and adherence to the company’s principles and commitments.

OWASP Compliance

The Open Web Application Security Project (OWASP) is an online community that creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. Started in 2001 as a nonprofit organization its foundation has contributed to a wide range of publications.

Ziflow has embraced relevant OWASP recommendations, and in order to comply with them, the Ziflow engineering team tests against these critical vulnerabilities during each release ensuring the product is secure.


Infrastructure & Data Center Security

Data Centers

Ziflow hosts with Amazon Web Services in the USA. Amazon employs a robust physical security program with multiple certifications, including SOC 1 & 2. For more information on Amazon’s physical security processes, please visit

Network Security

Our production networks are segmented to separate public services from internal services. Access to our production networks is controlled through a VPN. We monitor and remediate any potentially unsafe network configurations, such as open security groups.

Intrusion Detection

Ziflow uses the best in class intrusion detection system and vulnerability management services from Alert Logic, a leader in security monitoring and compliance:

Data Encryption

Ziflow protects data using strong encryption. We never store passwords in clear text - they are always hashed and salted securely using bcrypt. Bcrypt is a proven algorithm and is considered one of the best choices for password storage.

Both data at rest and in motion is encrypted - all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualys SSL Labs scored Ziflow’s TLS configuration A+ on their SSL Server test, and we regularly monitor this score.


Architecture & Scalability

Scalability/Reliability of Architecture

Ziflow has been designed from the outset with redundancy at multiple levels. Ziflow uses Amazon Web Services to deliver our application and manage user data, which also provides sophisticated redundancy, to mitigate risks arising from an individual server or disk failures.

Backup Strategy

Ziflow has defined a mature approach to ensure that its information and data is backed up securely and frequently and that its restoration occurs in the most timely and efficient manner possible.

The database instance and customer files are replicated synchronously so that we can quickly recover from a failure. As an extra precaution, we take regular snapshots of the database and securely move the snapshots and customers files to a separate data center so that we can restore them as needed, even in the event of a regional Amazon failure.


Product Security Features

Administrator Management Features

  • User Management - Administrators can see User/Guest/Member status, and de-provision users from a central administration interface.
  • Authentication - Ziflow allows named users to authenticate via a Google Accounts or set up SAML. If passwords are stored directly with Ziflow, we secure them using salted bcrypt.

User Features

  • Privacy, Visibility, & Sharing Settings - Customer administrators determine who can access different areas within the Ziflow application. Access to a Ziflow instance is based on predefined user assignments. You can limit a user’s access by inviting them as a Guest.



Privacy Policy

Ziflow’s privacy policy, which describes how we handle data input into Ziflow, can be found at



We are committed to making Ziflow consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.


Want to report a security concern?

Email us at