Protecting your Zenovay account is crucial for safeguarding your analytics data and maintaining trust with your users. Follow these best practices to keep your account secure.
Essential Security Checklist
Complete these steps to secure your account:
- Use a strong, unique password
- Enable multi-factor authentication
- Save backup codes securely
- Verify your email address
- Review active sessions regularly
- Review your login activity periodically
- Keep recovery options updated
Password Security
Creating Strong Passwords
| Practice | Why It Matters |
|---|---|
| At least 12 characters | Longer = harder to crack |
| Mix of character types | More combinations to guess |
| No personal information | Can't be researched |
| Unique to Zenovay | Breach elsewhere won't affect you |
| Use a password manager | Remembers complex passwords |
Password Don'ts
- Don't reuse passwords across sites
- Don't share your password with anyone
- Don't store passwords in plain text
- Don't use common words or patterns
- Don't include personal information
Password Managers
Use a reputable password manager like 1Password, Bitwarden, or Dashlane to generate and store strong, unique passwords.
Multi-Factor Authentication
MFA Priority
Enable MFA methods in this order of preference:
- Security keys (WebAuthn) - Most secure, phishing-resistant
- Authenticator apps (TOTP) - Very secure, widely supported
MFA Best Practices
- Enable at least one MFA method
- Consider multiple methods for redundancy
- Keep backup codes in a secure location
- Test your MFA setup regularly
- Never share MFA codes with anyone
Zenovay will never ask for your MFA codes via email, phone, or chat. Such requests are always phishing attempts.
Backup Code Management
Storing Backup Codes
Recommended:
- Password manager (encrypted)
- Encrypted file on secure storage
- Physical safe or safety deposit box
Not recommended:
- Plain text files on your computer
- Emails to yourself
- Unencrypted cloud storage
- Sticky notes
Backup Code Maintenance
- Keep at least 5 unused codes
- Regenerate when running low
- Update storage after regenerating
- Test codes periodically
Session Security
Automatic Inactivity Timeout
Your session will automatically time out after 30 minutes of inactivity to protect your account if you step away from your computer. Here's how it works:
| Detail | Description |
|---|---|
| Timeout period | 30 minutes of no activity |
| Warning | A notification appears 5 minutes before timeout |
| Activity that resets timer | Clicking, scrolling, typing, or mouse movement |
| After timeout | You're redirected to the login page |
What Happens When Your Session Expires
- Warning Notification: A notification appears letting you know your session will expire in 5 minutes. Click anywhere on the page to stay logged in.
- Redirect to Login: If no activity is detected, you're automatically redirected to the login page.
- Log In Again: Enter your credentials (and MFA if enabled) to start a new session.
- Return to Your Page: After logging in, you're taken back to the page you were on before the timeout.
Stay Logged In
To prevent your session from expiring, simply click anywhere on the page, scroll, type, or move your mouse. Any of these actions resets the 30-minute timer.
Signing Out
When you sign out of Zenovay, the sign-out process runs across all Zenovay services (app, auth, docs, help, etc.) to ensure you're fully logged out everywhere. Always use the Sign Out button rather than just closing your browser.
Active Session Management
- Review sessions weekly
- Sign out sessions you don't recognize
- Sign out from all sessions periodically
- Never stay logged in on shared computers
Login Security
- Only log in on trusted networks
- Use private browsing on public computers
- Always sign out from shared devices
- Review your login activity periodically
Account Lockout Protection
Zenovay automatically protects your account against unauthorized login attempts. If someone tries to guess your password, the system will temporarily lock your account.
How Lockout Works
After 10 consecutive failed login attempts, your account is temporarily locked. You'll see a warning once you have 3 or fewer attempts remaining so you can double-check your credentials.
Progressive Lockout Durations
Repeated lockouts result in progressively longer wait times:
| Lockout | Duration |
|---|---|
| 1st lockout | 5 minutes |
| 2nd lockout | 15 minutes |
| 3rd lockout | 30 minutes |
| 4th and beyond | 60 minutes |
Account lockout is enforced on the server side. Clearing your browser cookies or switching browsers will not bypass the lockout. This ensures your account stays protected even against automated attacks.
Network-Level Rate Limiting
In addition to account lockout, Zenovay uses network-level rate limiting to block automated attacks. Rapid login attempts from the same network are slowed down or blocked before they can reach your account.
Unlocking Your Account
If your account is locked, you have three options:
- Wait for the lockout period to expire, then try again
- Reset your password using the "Forgot password" link, which unlocks your account immediately
- Contact support at [email protected] if you're unable to regain access
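The account lockout rules described above, modeled as a small server-side state machine. This is an added example, not Zenovay's code: the `LockoutState` structure and function names are hypothetical, and it assumes that a successful login resets the failure counter, that attempts made during a lock are rejected without checking the password, and that the lockout count is never reset (the page does not say).

```python
from dataclasses import dataclass

MAX_FAILURES = 10               # consecutive failures that trigger a lock
WARN_REMAINING = 3              # warn once 3 or fewer attempts remain
LOCK_MINUTES = (5, 15, 30, 60)  # 1st, 2nd, 3rd, 4th-and-beyond lockout


@dataclass
class LockoutState:
    """Per-account record kept on the server (hypothetical structure)."""
    failures: int = 0          # consecutive failed attempts
    lockouts: int = 0          # number of lockouts so far (assumed never reset)
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def lock_duration_minutes(lockout_number):
    """Duration for the Nth lockout; the 4th and later all use the last value."""
    return LOCK_MINUTES[min(lockout_number, len(LOCK_MINUTES)) - 1]


def attempt(state, password_ok, now):
    """Apply one login attempt; return (result, attempts_remaining or None)."""
    if now < state.locked_until:
        return "locked", None  # state lives server-side, so cookies are irrelevant
    if password_ok:
        state.failures = 0
        return "ok", None
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.lockouts += 1
        state.failures = 0
        state.locked_until = now + 60 * lock_duration_minutes(state.lockouts)
        return "locked", 0
    remaining = MAX_FAILURES - state.failures
    return ("warn" if remaining <= WARN_REMAINING else "fail"), remaining


def password_reset(state):
    """A completed "Forgot password" flow unlocks the account immediately."""
    state.failures = 0
    state.locked_until = 0.0
```

Because the state is keyed to the account rather than to the browser, a correct password submitted during the lock window is still rejected until the lock expires or the password is reset.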
Avoid Lockouts
If you're having trouble remembering your password, use the password reset option before you run out of attempts. Consider using a password manager to avoid this situation in the future.
Recognizing Threats
Phishing Attacks
Red flags to watch for:
- Emails asking for password or MFA codes
- Urgent messages creating panic
- Links to fake login pages
- Requests from "Zenovay support" via unusual channels
Verifying Legitimacy
- Check email sender addresses carefully
- Hover over links before clicking
- Go directly to app.zenovay.com (don't click links)
- Contact support through official channels if unsure
What Zenovay Will Never Do
- Ask for your password
- Request MFA codes via email/phone
- Threaten immediate account deletion
- Ask you to install remote access software
Team Security
For Team Owners
- Audit team members regularly
- Remove inactive members promptly
- Use role-based access control
- Encourage every team member to enable MFA on their own account
- Monitor team activity logs
For Team Members
- Use your own account (don't share)
- Report suspicious activity to your admin
- Follow your organization's security policies
- Keep your credentials confidential
API Security
API Key Best Practices
- Don't embed API keys in client-side code
- Rotate API keys periodically
- Use separate keys for different integrations
- Revoke unused keys immediately
- Monitor API usage for anomalies
Secure API Usage
- Always use HTTPS
- Never log API keys
- Store keys in environment variables
- Use key management services when possible
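One way to apply the three points above together in an integration: read the key from an environment variable, refuse non-HTTPS endpoints, and redact the key if it ever reaches a log line. This is an added example, not Zenovay's code; the variable name `ZENOVAY_API_KEY`, the logger name and the URL passed in are assumptions.

```python
import io
import logging
import os
from urllib.parse import urlsplit

KEY_ENV_VAR = "ZENOVAY_API_KEY"  # hypothetical variable name (assumption)


def load_api_key(environ=os.environ):
    """Read the key from the environment; fail closed if it is absent."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def require_https(url):
    """Return url unchanged, or raise if the key would travel in cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing to use API key with a non-HTTPS URL")
    return url


class RedactSecret(logging.Filter):
    """Replace the key with a marker if it ever reaches a log record."""
    def __init__(self, secret):
        super().__init__()
        self._secret = secret

    def filter(self, record):
        message = record.getMessage()
        if self._secret in message:
            record.msg = message.replace(self._secret, "[REDACTED]")
            record.args = ()
        return True


def demo_log_output(environ, url):
    """Log a line that mistakenly includes the key; return what was written."""
    key = load_api_key(environ)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecret(key))  # on the handler, so every logger using it is covered
    log = logging.getLogger("integration-demo")
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    log.info("GET %s (key=%s)", require_https(url), key)
    log.removeHandler(handler)
    return stream.getvalue()
```

The filter is a safety net for mistakes; the primary control is still not passing the key to logging calls at all.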
Device Security
Securing Your Devices
- Keep operating systems updated
- Use antivirus/antimalware software
- Enable device encryption
- Use screen locks (PIN, biometrics)
- Enable "Find My Device" features
Browser Security
- Keep browsers updated
- Use reputable browsers
- Be cautious with extensions
- Clear cookies on shared computers
- Use private browsing when appropriate
Network Security
Safe Browsing
- Avoid public WiFi for sensitive access
- Use VPN on untrusted networks
- Ensure HTTPS (look for lock icon)
- Don't ignore browser security warnings
Corporate Networks
- Follow your IT department's policies
- Use company-approved VPN
- Report security incidents promptly
Monitoring Your Account
Regular Security Checks
| Check | Frequency |
|---|---|
| Active sessions | Weekly |
| Login history | Weekly |
| MFA settings | Monthly |
| Backup codes count | Monthly |
| Team members (if owner) | Monthly |
| API keys | Quarterly |
Watch for Suspicious Activity
Review your login activity and active sessions regularly, and act on anything you don't recognize:
- Logins from a new device or location
- Unexpected failed login attempts
- Password or MFA changes you didn't make
If something looks wrong, change your password and sign out other sessions immediately. See Login Security & Failed Login Protection for how Zenovay protects your account.
Responding to Security Incidents
If You Suspect Compromise
- Change Password: Reset your password immediately.
- Sign Out All Sessions: Terminate all active sessions.
- Reset MFA: Disable and re-enable MFA with fresh setup.
- Regenerate Backup Codes: Create new backup codes.
- Review Account Activity: Check for unauthorized changes.
- Revoke API Keys: Regenerate all API keys.
- Contact Support: Report the incident for investigation.
Enterprise & Scale Security Features
Additional security capabilities on higher plans:
- SSO/SAML integration: Centralized single sign-on for your team (Scale and Enterprise)
- Audit logging: A detailed activity log of changes made in your workspace (advanced audit log on Scale and Enterprise)
Infrastructure certifications
Zenovay is not itself SOC 2 or ISO 27001 certified. We build on infrastructure providers that are: Cloudflare (SOC 2 Type II, ISO 27001, ISO 27018) and Supabase (SOC 2 Type II). Payments are handled by Stripe (PCI DSS Level 1), so Zenovay never touches raw card data.
Reporting Security Issues
Found a security vulnerability? Contact us:
- Email: [email protected]
- Subject: "Security Report - [Brief Description]"
- We respond to reports within 48 hours
- Responsible disclosure appreciated
Summary
| Category | Key Actions |
|---|---|
| Password | Unique, strong, use manager |
| MFA | Enable, prefer security keys/TOTP |
| Backup | Store codes securely |
| Sessions | 30-min inactivity timeout, review weekly, sign out unused |
| Lockout | 10 failed attempts triggers lock, progressive durations |
| Activity | Review login history and active sessions regularly |
| Vigilance | Know phishing signs, verify requests |
Next Steps
- Set up MFA if not already enabled
- Review your sessions
- Review your login security
- Secure your backup codes