Security

Security is built into every checkout.

At Zelly, protecting merchants, customers, and transactions is one of our highest priorities. We continuously improve our platform through secure engineering, infrastructure monitoring, responsible vulnerability disclosure, and industry best practices.

Last updated: July 2026 Report a vulnerability
01

Security first

Security is integrated into every layer of Zelly — from authentication and checkout to shipping and merchant dashboards.

02

Responsible disclosure

We encourage security researchers to responsibly disclose vulnerabilities so they can be investigated and resolved quickly.

03

Customer trust

Our goal is to provide a secure platform that helps merchants protect customer information and maintain business continuity.

At Zelly, security is a core part of everything we build. Our platform powers ecommerce checkout experiences, merchant operations, shipping workflows, and business infrastructure. Protecting merchant data, customer information, and transaction integrity is fundamental to maintaining trust.

1. Our Security Commitment

We design and operate Zelly with security in mind from the beginning of the development process. Our engineering teams regularly review architecture, application security, infrastructure, authentication mechanisms, and operational processes to improve the overall security posture of the platform.

Our objective is to provide a reliable, resilient, and secure commerce infrastructure for every merchant using Zelly.

2. Responsible Vulnerability Disclosure

If you believe you have discovered a security vulnerability affecting Zelly, we encourage you to report it responsibly. We appreciate responsible security research and will investigate all legitimate reports submitted in good faith.

Please include the following details in your report:

  • 1. Clear description of the issue
  • 2. Steps to reproduce the vulnerability
  • 3. Proof of concept, if available
  • 4. Affected URLs, endpoints, or accounts
  • 5. Potential impact of the issue
  • 6. Screenshots or supporting evidence

3. Scope of Security Reports

Examples of issues we encourage reporting include:

  • 1. Authentication or authorization bypass
  • 2. Account takeover vulnerabilities
  • 3. Remote code execution
  • 4. Cross-Site Scripting (XSS)
  • 5. Cross-Site Request Forgery (CSRF)
  • 6. Insecure Direct Object References (IDOR)
  • 7. Sensitive data exposure
  • 8. API security weaknesses
  • 9. Business logic vulnerabilities
  • 10. Privilege escalation
  • 11. Session management issues
  • 12. Server-side vulnerabilities

4. Out of Scope

The following generally do not qualify as security vulnerabilities unless they present a significant security impact:

  • 1. Missing security headers without direct exploitability
  • 2. Clickjacking without a practical security impact
  • 3. Self-XSS
  • 4. Brute-force reports without proof of impact
  • 5. Social engineering attempts
  • 6. Spam or phishing reports unrelated to Zelly infrastructure
  • 7. Physical security issues
  • 8. Denial of Service testing
  • 9. Rate limit suggestions without demonstrated impact
  • 10. Issues affecting third-party services outside Zelly's control

5. Guidelines for Researchers

When conducting security research, we request that you:

  • 1. Act responsibly and ethically
  • 2. Do not access data belonging to other users
  • 3. Do not modify, delete, or export customer information
  • 4. Do not interrupt platform availability
  • 5. Avoid automated attacks that may impact service stability
  • 6. Give Zelly reasonable time to investigate before public disclosure

Following these guidelines helps us protect merchants while resolving security issues efficiently.

6. Our Security Practices

Zelly uses multiple technical and organizational measures designed to improve platform security, including:

  • 1. Encryption of data in transit
  • 2. Secure authentication mechanisms
  • 3. Role-based access control
  • 4. Infrastructure monitoring
  • 5. Audit logging
  • 6. Vulnerability assessments
  • 7. Secure software development practices
  • 8. Regular dependency updates
  • 9. Continuous platform monitoring

Security controls evolve continuously as new threats emerge and as the Zelly platform grows.

7. Incident Response

If a security incident is identified, our team follows a structured response process that may include investigation, risk assessment, containment, remediation, recovery, and internal review.

Where appropriate, affected users may be notified in accordance with applicable legal, contractual, and operational requirements.

8. Bug Bounty

Zelly currently reviews responsible vulnerability reports on a case-by-case basis. While we may recognize exceptional security research, submission of a report does not guarantee financial compensation.

Eligibility depends on factors including:

  • 1. Severity of the issue
  • 2. Originality of the report
  • 3. Real-world impact
  • 4. Quality of explanation
  • 5. Reproducibility of the vulnerability

9. Data Protection

Security works together with our Privacy Policy to safeguard merchant and customer information. For information regarding data collection, storage, usage, and processing, please refer to our Privacy Policy.

10. Report a Vulnerability

For security-related questions or responsible disclosure reports, please contact us at abhishek [at ]zelly.in.

Please avoid using this email address for general customer support requests.