Built for the data your firm handles every day
Client contact details, signed quotations, payment records, uploaded contracts — Zeng Book holds the operational backbone of a Singapore construction firm. Here is how we protect it.
Data hosting & residency
Primary application data is stored in Supabase Singapore (ap-southeast-1). Customer files (uploaded contracts, drawings, photos) are stored in the same region.
Backups are encrypted and retained per Supabase's standard schedule. Deleted records expire from backups within 30 days.
Encryption
- In transit: TLS 1.2+ on every request (HTTPS-only).
- At rest: Storage-level encryption for the database and uploaded files.
- Passwords: Hashed by Supabase Auth — never stored in plain text and never visible to Zeng Book staff.
- API keys: Stored as SHA-256 hashes only. The raw secret is shown once at creation; lost keys are revoked and rotated, not recovered.
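The API-key handling described above (only a SHA-256 digest persisted, the raw secret shown once, lost keys rotated rather than recovered), as an added illustration that is not Zeng Book's own code. The `zb_<id>_<secret>` key format and the in-memory record store are assumptions made for the example; the real schema is not published.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "table" standing in for a database row: key_id -> record.
# Hypothetical layout; only the digest of the secret is ever written here.
API_KEYS: dict[str, dict] = {}


def sha256_hex(raw_key: str) -> str:
    # Plain SHA-256 is adequate here because the secret is long and random
    # (unlike a user password, which needs a slow, salted hash).
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_api_key(owner: str) -> tuple[str, str]:
    """Mint a key. Returns (key_id, raw_secret); the raw secret is handed back
    exactly once and is not stored anywhere."""
    key_id = secrets.token_hex(8)
    raw_secret = f"zb_{key_id}_{secrets.token_urlsafe(32)}"  # assumed format
    API_KEYS[key_id] = {"owner": owner, "hash": sha256_hex(raw_secret), "revoked": False}
    return key_id, raw_secret


def verify_api_key(presented: str):
    """Find the record by the id embedded in the key, then compare digests in
    constant time. Returns the owner on success, None on any failure."""
    parts = presented.split("_", 2)  # secret may itself contain '_', so maxsplit=2
    if len(parts) != 3 or parts[0] != "zb":
        return None
    record = API_KEYS.get(parts[1])
    if record is None or record["revoked"]:
        return None
    if not hmac.compare_digest(record["hash"], sha256_hex(presented)):
        return None
    return record["owner"]


def rotate_api_key(key_id: str):
    """Revoke the old key and mint a replacement for the same owner.
    The stored hash cannot be turned back into the lost secret."""
    record = API_KEYS.get(key_id)
    if record is None:
        return None
    record["revoked"] = True
    return create_api_key(record["owner"])
```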
Authentication & access
Sign-in is handled by Supabase Auth with email + password, Google, and Microsoft OAuth. Sessions are stored as HttpOnly cookies — JavaScript on the page cannot read them.
Within a workspace, member access is role-based. Owners and admins can manage billing, integrations, and team membership; members can read and write project data.
Two-factor authentication (2FA) and single sign-on (SSO) are on the roadmap for the Business and Enterprise plans. Contact us if your tender or vendor questionnaire requires either today.
Payments
Subscription billing runs through Stripe. Card numbers never touch Zeng Book's servers — they are entered directly into Stripe-hosted forms. We retain only the Stripe customer ID and subscription status.
Stripe is PCI-DSS Level 1 certified, the highest tier in the payment-card industry.
Compliance
- PDPA (Singapore): We operate as a data intermediary on behalf of our customer organisations. Full detail is in our Privacy Policy. We will notify both you and the Personal Data Protection Commission of any notifiable breach as required by the PDPA breach-notification regime.
- Sub-processors: Supabase, Stripe, Resend, and (with your explicit opt-in) Google Analytics 4 / Tag Manager. The current list lives in the Privacy Policy.
- SOC 2 Type II: Targeted for a future release once we have the customer count to justify the audit scope. We will not claim a certification we do not hold.
- IRAS record retention: Billing records are retained for 5 years to meet IRAS requirements.
Reporting a vulnerability
If you discover a vulnerability, please email [email protected] with the subject line Security disclosure. We respond within two business days and credit reporters in our changelog unless they request otherwise.
Please do not run automated scanners against the production site — they create noise that drowns out real signals. If you need to test something interactively, contact us first and we'll set up a dedicated environment.
Roadmap
Items we are actively working towards or have queued, in descending priority:
- Two-factor authentication for all users
- SSO (SAML / OIDC) for Enterprise plan
- Audit-log export for Business plan
- SOC 2 Type II readiness
- Customer-managed encryption keys (Enterprise)
Need one of these for a tender response? Email [email protected] and we will share the current timeline.