Security Policy

Last updated: 12 June 2026

This policy explains how ZephfiChat handles vulnerability reports, authorised security research, platform security practices, third-party providers and user responsibilities.

01

Introduction

ZephfiChat is an artificial intelligence platform operated by Fortiplace Global Limited, a company based in Nigeria. References in this Security Policy to ZephfiChat, Fortiplace, we, us or our refer to Fortiplace Global Limited and the ZephfiChat services it operates.

We are committed to protecting the confidentiality, integrity and availability of our users' information and maintaining the security of the ZephfiChat platform.

This Security Policy explains how security vulnerabilities may be reported to us; the rules that apply to authorised security research; the security practices we use to protect the platform; how we work with third-party service providers; and the responsibilities of ZephfiChat users.

This Security Policy should be read together with our Privacy Policy and Terms of Service.

02

Compliance and Data Protection

We process personal data in accordance with applicable Nigerian laws and regulations, including the Nigeria Data Protection Act 2023 and guidance issued by the Nigeria Data Protection Commission.

We apply security measures that are appropriate to the nature of the information we process, the risks involved, the available technology and the size and nature of our operations.

Our security and privacy practices are guided by principles including data minimisation, purpose limitation, restricted access, confidentiality, integrity, availability, secure retention and deletion, accountability, and privacy and security by design.

03

Reporting Security Vulnerabilities

We welcome responsible reports from security researchers, developers, ethical hackers and members of the technology community who identify potential security vulnerabilities affecting ZephfiChat.

Security vulnerabilities should be reported privately to support@zephfichat.com.

Please include as much detail as possible, such as a clear description of the vulnerability; the affected page, endpoint, feature or system; clear steps for reproducing the issue; screenshots, logs or proof-of-concept material; the potential security or privacy impact; whether any user information may have been accessed; recommendations for resolving or reducing the issue, where available; and your contact information for follow-up.

Please do not publicly disclose a suspected vulnerability before we have had a reasonable opportunity to investigate and address it.

We aim to acknowledge legitimate vulnerability reports within three business days; investigate reports according to their severity and potential impact; maintain reasonable communication with the reporter during our investigation; take appropriate steps to contain and remediate confirmed vulnerabilities; and recognise the reporter publicly where appropriate, requested and permitted.

Response and remediation times may vary depending on the complexity, severity and scope of the reported issue.

04

Responsible Disclosure and Safe Harbour

We will not initiate legal action against a security researcher for good-faith research that complies with this Security Policy; is limited to ZephfiChat systems that we own or directly control; avoids unnecessary access to personal data; does not damage or interrupt the Services; does not exploit a vulnerability beyond what is reasonably necessary to demonstrate it; is reported to us promptly and privately; and complies with applicable law.

This safe-harbour statement does not authorise testing of third-party systems or excuse violations of applicable law.

It does not apply to systems operated by our service providers, including Paystack, Resend, hosting providers, artificial intelligence providers or other third parties. Vulnerabilities affecting a third-party service should be reported through that provider's official disclosure process.

05

Prohibited Security Testing

The following activities are not authorised: accessing, modifying, downloading or deleting another user's information; attempting to obtain authentication codes, session tokens, API keys or payment credentials belonging to another person; social engineering, phishing or impersonation of users, employees, contractors or service providers; denial-of-service or distributed denial-of-service testing; intentionally degrading, interrupting or overloading the Services; sending spam or testing large volumes of email; uploading malware, ransomware, destructive software or harmful code; modifying or destroying production information; physical attacks against offices, equipment, infrastructure or personnel; testing Paystack, Resend or another third-party provider through ZephfiChat; using automated scanning that creates excessive traffic or affects availability; retaining, sharing or publicly disclosing personal data obtained during testing; or demanding payment or threatening disclosure as a condition for reporting a vulnerability.

Where a researcher unintentionally encounters personal information, the researcher must stop testing, avoid copying or sharing the information and notify us immediately.

06

Vulnerability Rewards

ZephfiChat does not currently operate a guaranteed paid bug-bounty programme.

Fortiplace Global Limited may, at its sole discretion, offer recognition or a reward for an eligible vulnerability report based on factors such as severity, potential impact, quality of the report, originality, reproducibility, responsible handling of the issue and assistance provided during remediation.

Submitting a vulnerability report does not create an entitlement to payment, compensation or employment.

07

Data Protection

We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, loss, destruction or misuse.

These measures may include encrypted connections using HTTPS and TLS; secure handling of one-time login codes and session tokens; access controls based on roles and operational need; secure management of API keys, credentials and application secrets; logging and monitoring of important security events; secure database and infrastructure configurations; backups and recovery procedures; data retention and deletion controls; rate limiting and abuse prevention measures; and review of access granted to employees, administrators and contractors.

No internet-based service can guarantee absolute security. Users should avoid submitting highly sensitive, confidential or regulated information unless it is necessary and permitted under our Terms of Service.

08

Authentication and Account Security

ZephfiChat currently uses passwordless authentication through one-time login codes sent to a user's email address. We use authentication and session-management controls designed to reduce unauthorised access.

Depending on the features available, these controls may include email verification, one-time login codes, secure session tokens, session expiration, protection against common authentication attacks, rate limiting, suspicious-login monitoring and additional verification where supported.

Users are responsible for keeping their email accounts, one-time login codes, active sessions and connected authentication-provider accounts secure.

09

Application and Infrastructure Security

We use security practices appropriate to our platform and operational requirements, which may include dependency and software updates; security patches; separation of development and production environments; restricted administrative access; secure deployment procedures; code review; automated testing; monitoring for errors, abuse and suspicious activity; backups and recovery testing; and investigation of security alerts and incidents.

Access to production systems is restricted to authorised personnel and service providers who require access for legitimate operational purposes.

10

Payment Security and Paystack

ZephfiChat uses Paystack to process subscription and other payments. Payment information submitted through Paystack is processed in accordance with Paystack's own security, privacy and compliance practices.

ZephfiChat does not intentionally collect or store complete payment-card numbers, card security codes or banking authentication credentials on its own servers.

We may receive limited payment-related information from Paystack, including transaction references; payment status; amount and currency; customer email address; payment-channel information; subscription information; and limited card information such as card type, bank and the last four digits, where provided by Paystack.

Users should never send complete card details, PINs, one-time banking passwords or banking passwords through ZephfiChat conversations, support messages or email.

11

Email Security and Resend

ZephfiChat uses Resend to send account, authentication, transactional, support and service-related emails.

Information necessary to send and monitor these communications may be transmitted to Resend. This may include recipient email addresses; sender information; email content; delivery status; bounce information; and limited email engagement information where enabled.

We restrict access to email-service credentials and use domain-authentication controls where supported.

ZephfiChat will never ask users to provide complete card details, PINs, one-time banking passwords or ZephfiChat one-time login codes by email.

12

AI and Other Service Providers

ZephfiChat may use third-party artificial intelligence, infrastructure, monitoring, storage and related technology providers to deliver the Services.

Prompts, files and other information submitted by users may be transmitted to the selected artificial intelligence provider where this is necessary to generate a response or provide a requested feature.

We assess third-party providers based on factors such as functionality, reliability, privacy, security and contractual protections. However, third-party services remain subject to their own security practices, terms and privacy policies.

Additional information about the service providers we use and how information is processed is available in our Privacy Policy.

13

Security Incident Response

Where we become aware of a suspected security incident, we may investigate the nature and scope of the incident; restrict affected accounts, systems or credentials; preserve relevant records and evidence; contain the incident; correct the vulnerability; restore affected services; assess the risks to users and personal data; notify relevant service providers; notify affected users where appropriate or legally required; and notify the Nigeria Data Protection Commission or another competent authority where required by applicable law.

The timing and content of any notification will depend on the nature of the incident, the information involved, the risks to affected individuals and applicable legal requirements.

Users who suspect unauthorised access to their account should contact us immediately at support@zephfichat.com.

14

User Responsibilities

Users help protect the security of ZephfiChat by keeping their registered email account secure; not sharing one-time login codes, authentication codes or active sessions; signing out from shared or public devices; checking website addresses before entering login information; avoiding suspicious links and attachments; keeping devices, browsers and operating systems updated; reviewing account and payment activity; and notifying us promptly of suspected unauthorised access.

Users must not attempt to bypass plan restrictions, usage limits, credit controls, security measures or access controls.

15

Third-Party Responsibility

Paystack, Resend, artificial intelligence providers, hosting providers and other external services are independent organisations with their own systems, security controls and policies.

References to a third party's certifications or security practices do not mean that ZephfiChat or Fortiplace Global Limited holds the same certification.

Although we take reasonable steps when selecting and managing service providers, we cannot guarantee the availability or absolute security of systems that are not directly controlled by us.

16

Changes to This Security Policy

We may update this Security Policy to reflect changes to our Services; changes to our technology or providers; improvements to our security practices; legal or regulatory developments; or changes to our vulnerability-disclosure programme.

When we make changes, we will update the Last Updated date at the top of this page.

Material changes may also be communicated through the ZephfiChat website, application or registered user email addresses.

17

Contact Us

Questions, suspected security incidents and vulnerability reports may be sent to Fortiplace Global Limited, operator of ZephfiChat.

Website: https://zephfichat.com. Support: support@zephfichat.com.

For privacy-related questions or requests, please use the contact information provided in our Privacy Policy.