Gravia by ZEOUR LTD · Gravia Cloud · Security

Security & Compliance

Explore controls, architecture, and obligations.

Version: 1.2.0

Last updated: 1 Jan 2026

This reference explains how ZEOUR LTD secures the Gravia Cloud digital signage system and fulfils privacy commitments across the public site, proxy API, and backend services.

Scope & Architecture

  • Public site (Next.js static, backed by Gravia Cloud infrastructure) serves content and routes API calls through first-party rewrites, keeping cookies scoped to zeour.co.uk.
  • Proxy layer (Node.js/Express) exposes `/api/*`, manages the `proxy_digest` session cookie, validates requests, and relays payments to Stripe plus optional AI chat prompts to OpenAI.
  • Core backend (Laravel/PHP) persists Gravia by ZEOUR LTD tenant data, enforces RBAC, and delivers transactional email.
  • Caching/state: Redis stores short-lived tokens and workflow state only; we never persist long-term personal data there.

Data We Process & Purpose

  • Account & registration: organization name, admin name, email, and phone number, used to provision Gravia Cloud tenants and manage subscriptions.
  • Billing: plan metadata, billing contact, totals, Stripe session IDs; card PAN/CVV never touches Gravia systems.
  • Contact requests: intake form content and reply details so our success team can respond.
  • Operational logs: minimal metadata retained briefly to maintain reliability and prevent abuse.
  • Optional AI chat: prompts and context sent to OpenAI solely to fulfil the request; OpenAI’s API does not train on this data by default.

GDPR Legal Bases

  • Contractual necessity: creating accounts, delivering signage services, and processing payments.
  • Legitimate interests: securing Gravia Cloud, preventing fraud, maintaining quality, and running aggregated analytics that do not identify individuals.
  • Consent: marketing communications where applicable and optional AI chat in regions where consent is required.

Your Rights (EU/UK GDPR)

  • Access, rectification, erasure, and restriction of processing.
  • Objection to processing and the right to data portability.
  • Withdrawal of consent when processing relies on consent.
  • Right to lodge complaints with your supervisory authority. Contact info@zeour.co.uk with requests—we may verify identity first.

Cookies & Local Storage

  • `proxy_digest` (httpOnly, first-party) secures selected API routes.
  • `selectedLanguage` stores your locale preference in the browser's localStorage (no cookie is set).
  • Stripe may set cookies during hosted checkout for fraud prevention; refer to Stripe’s policy.
  • We display a consent banner so you can accept all or reject non-essential cookies; necessary cookies remain active.

Sub-processors

  • Stripe: payment processing; card data bypasses Gravia infrastructure.
  • OpenAI: optional AI relay for chat prompts; API data is not used to train models by default.
  • Email/SMTP provider: transactional email (orders, support).
  • Hosting & CDN: delivers our frontend, proxy, and backend stacks.
  • ipapi.co (GeoIP, optional) for localization.
  • open.er-api.com (exchange rates, optional) for currency display.

International Transfers

  • When moving data outside the UK/EU we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards, plus encryption in transit and at rest. Vendors undergo security and privacy due diligence before onboarding.

Security Controls

  • TLS everywhere; encrypted databases, backups, and secrets.
  • Least-privilege access, MFA on privileged accounts, credential rotation.
  • Server-side validation, signed requests, and token checks on sensitive endpoints.
  • Regular patching, dependency monitoring, vulnerability management.
  • Backups with restore drills and integrity checks.
  • Centralized logging, alerting, and rate limiting for anomalous flows.

Data Minimization & Retention

  • We collect only what’s needed for account creation, billing, and support, storing hashed identifiers alongside contact records for fraud prevention.
  • Contact enquiries: typically retained up to 24 months.
  • Operational logs: typically 30–90 days unless required longer for security/legal reasons.
  • Billing/order records: retained per tax and accounting requirements.

Data Processing Agreement (DPA)

  • A Gravia Cloud DPA is available upon request. Email info@zeour.co.uk to execute one for your organization.

Incident Response & Notifications

  • Runbooks exist to detect, triage, and remediate incidents. If a breach risks your rights or freedoms, we will notify affected customers and regulators per law.

Your Controls

  • Request export or deletion of personal data (subject to legal obligations).
  • Configure RBAC and adhere to least-privilege for your users.
  • Discuss data residency options or DPAs via info@zeour.co.uk.

Responsible Disclosure

  • Report potential security issues responsibly to info@zeour.co.uk with reproduction details. We investigate all reports and appreciate the community’s help protecting Gravia users.

See also our Cloud Terms of Service and info@zeour.co.uk for tailored compliance requests.