Security & Trust

Configly is built and operated by Optegris Ltd, trading as Configly. We take the security of your Zendesk configuration data seriously and have designed Configly with practical security boundaries appropriate to a configuration management platform.

This page describes what we do today. Where features are planned but not yet shipped, we say so explicitly.

What We Store & What We Don’t

What Configly stores

  • Zendesk configuration metadata (trigger definitions, automation rules, macro actions, view conditions, field definitions, SLA policies, and similar)
  • Versioned snapshots of configuration state over time
  • Dependency mappings between configuration objects
  • Virtual changes from What-If simulations
  • User account information (name, email, authentication tokens)
  • AI analysis results when you use AI-powered features
  • Activity logs covering significant actions taken in Configly

What Configly does NOT store

  • Ticket data or ticket content
  • Customer PII (end-user names, emails, phone numbers, addresses)
  • Agent conversations or internal notes
  • Attachments or uploaded files
  • Help Centre article content
  • Payment card data (handled directly by Stripe)
  • Zendesk admin or agent passwords

We recognise that configuration metadata can incidentally contain business-sensitive information such as organisation names in trigger conditions, customer-identifying tags, or agent names referenced in metadata fields. We treat all configuration data with the protections described on this page.

Encryption

In transit

TLS 1.2 or higher on all customer-facing HTTPS connections, with certificates issued by Let’s Encrypt and an automated renewal process.

Sensitive credentials at rest

Zendesk OAuth access tokens, OAuth refresh tokens, and Zendesk API tokens are encrypted at rest using AES-256-GCM with a 256-bit key, a 12-byte initialisation vector, and a 16-byte authentication tag. GitHub OAuth tokens are protected the same way.
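As an added illustration (not Configly's own code), this is what token encryption with those parameters looks like using Node's built-in crypto module. The function names, the `IV || tag || ciphertext` storage layout, and the binding of a record identifier as additional authenticated data are assumptions of this sketch and go beyond what this page states.

```javascript
const nodeCrypto = require('node:crypto');

const KEY_LEN = 32; // 256-bit key
const IV_LEN = 12;  // 12-byte initialisation vector
const TAG_LEN = 16; // 16-byte authentication tag

// Parse a hex-encoded key and refuse anything that is not exactly 256 bits.
function loadKey(hex) {
  const key = Buffer.from(hex, 'hex');
  if (key.length !== KEY_LEN) throw new Error('key must be 32 bytes');
  return key;
}

// Encrypt one token. A fresh random IV per call is essential: reusing an IV
// under the same key breaks GCM's confidentiality and integrity guarantees.
// `context` (assumed: a record id) is bound as AAD so a stored blob cannot be
// moved to a different record without decryption failing.
function sealToken(key, token, context) {
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate. final() throws if the ciphertext, tag, IV or
// context was altered, so a tampered blob never yields plaintext.
function openToken(key, blob, context) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```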

Database storage

Configuration metadata, snapshots, dependency data, and other application data are stored in PostgreSQL on isolated infrastructure. The database is not exposed to the public internet; application servers connect over the local loopback interface only. Database connections are encrypted in transit using TLS. The application enforces sslmode=require on every connection to PostgreSQL, for both the primary Configly database and supporting stores.

Encryption key management

Encryption keys are stored as environment variables on production infrastructure with restricted filesystem access. A key management service (KMS) integration with rotation support is on our roadmap.

Infrastructure

Infrastructure & Hosting

  • Provider — DigitalOcean, London (LON1) region
  • Data residency — UK-hosted by default; no international data transfers
  • Reverse proxy — Nginx with security headers (HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy)
  • Process management — PM2
  • Application monitoring — Sentry (EU region, GDPR-compliant, Data Processing Agreement signed)

Access Control

Authentication & Access

Connecting your Zendesk instance

Configly uses Zendesk OAuth 2.0. We never see or store your Zendesk admin or agent passwords.

OAuth scopes requested from Zendesk

When you connect a Zendesk instance, Configly asks you to choose one of two access modes:

  • Read-Only -- Configly requests only the Zendesk read OAuth scope. This permits read access to Zendesk Support API resources (configuration objects such as triggers, automations, macros, views, fields, SLAs, and similar; users, organisations, and groups). Configly cannot modify anything in your Zendesk in this mode.
  • Read/Write -- Configly requests the read write OAuth scope. This grants the same read access plus the ability to create, update, and delete configuration objects. Required for Apply Changes and GitHub Sync push-back.

Read-Only is the recommended default for new connections. Customers who plan to use Configly for visibility, diffing, and audit only can operate entirely in Read-Only Mode. Customers who need to apply changes back to Zendesk can choose Read/Write at connection time, or upgrade a Read-Only connection to Read/Write from the Configly Connections page. Downgrading back to Read-Only is also available in one click.

Neither mode grants access to ticket content, attachments, Help Centre content, or conversation data. Configly works with configuration metadata only.

We continue to evaluate Zendesk’s granular scope system for even narrower permissions in future.

Connecting your GitHub repository

GitHub Sync uses GitHub OAuth 2.0. The repo scope is requested, which permits read and write access to repositories the user authorises — required to commit your Zendesk configuration as YAML on each sync. Configly never accesses repositories the user does not authorise.

Configly account authentication

  • Social or email login — sign in with Google or Microsoft via OAuth, or with an email address and password
  • Password hashing — email/password accounts use bcrypt at cost factor 12
  • Password policy — minimum password length 8 characters
  • No plaintext — passwords are never logged or transmitted in plaintext to any third party
  • Multi-factor authentication (on our roadmap)

Session management

Sessions are managed by NextAuth using JWT-based session tokens with default cookie protections (HttpOnly, Secure, SameSite=Lax). JWT expiry is configurable and defaults to 7 days.

Account access controls

Configly currently operates as a single-user application. Multi-user team accounts with role-based access control are on our roadmap.

Transparency

Auditability & Transparency

Every API call Configly makes to your Zendesk instance is visible in your Zendesk native audit log.

You can independently verify exactly what Configly has accessed or changed at any time by reviewing your audit log in Zendesk Admin Centre.

Configly’s writes to your Zendesk

Writes to your Zendesk only happen when you explicitly initiate them via Apply Changes. There are no background processes that write configuration changes to your Zendesk on your behalf. OAuth token revocation occurs automatically in two places: when you disconnect a Zendesk instance from Configly, and when you delete your Configly account. In both cases, the OAuth token Configly held is explicitly revoked at Zendesk as part of the operation. You can also revoke Configly’s authorisation at any time from the Zendesk Admin Center.

Apply Changes safety

Every Apply Changes operation includes a mandatory change reason, an automatic pre-push snapshot of affected items, drift detection against the live state, and the ability to roll back through Configly’s snapshot history.

Data Lifecycle

Data Retention & Deletion

  • Snapshot retention — configuration snapshots are retained for the lifetime of your account and remain available for diff and rollback. We are evaluating customer preferences for an automatic retention policy and will publish details before introducing one.
  • AI analysis results — cached to avoid unnecessary cost. Cached results are deleted when you delete your Configly account.
  • User-controlled deletion — you can disconnect any Zendesk instance from Configly at any time. Disconnection removes your stored OAuth credentials and all associated configuration snapshots, dependency data, virtual changes, and AI analysis results for that instance.
  • Account deletion — initiated through cancellation of your subscription. When your subscription cancellation period ends, the following happens automatically: your Zendesk OAuth tokens are revoked at Zendesk, AI analysis data is removed, all configuration snapshots and dependency data are removed, your authentication accounts (Google, Microsoft, email) are removed, and your user record is anonymised. A billing audit record is retained for accounting purposes.

Isolation

Tenant Isolation

Configly is a multi-tenant SaaS application with logical isolation enforced at the application layer. Each customer’s data is associated with their user account and every database query is scoped by user. Authorisation checks on each controller verify that requested resources belong to the requesting user before any operation is permitted.

Database-level row-security and per-tenant database separation are not currently in use. We monitor query coverage and authorisation patterns through code review and automated testing. Tenant separation hardening (including database-level controls) is on our roadmap as we grow.

Logging

Logging & Sensitive Data Handling

Application logs

We log request method, path, response status, and timing for diagnostics. Request bodies and query parameters are not logged. We do not log passwords, OAuth tokens, API keys, or session cookies.

Error monitoring

Application errors are sent to Sentry (EU region) for diagnostic purposes. Error events are scrubbed before transmission: authorisation, cookie, and API key headers are stripped, session cookies are redacted from HTTP request context, and user email addresses are redacted from error metadata (any field matching an email pattern is replaced with [email]). Your Configly user ID is attached to error events so we can correlate events to a specific account when investigating issues you report; email addresses are not attached. Stack traces, exception messages, and request paths are preserved for diagnostic purposes.
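The scrubbing rules above, sketched as an added example (not Configly's own code) in the shape of a Sentry `beforeSend` callback. The header names, the email regular expression, and the set of metadata fields walked are assumptions of this sketch.

```javascript
// Assumed header names and email pattern; adjust to the real deployment.
const STRIP_HEADERS = new Set(['authorization', 'cookie', 'x-api-key']);
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Recursively replace email-shaped substrings in any string value.
function redactEmails(value) {
  if (typeof value === 'string') return value.replace(EMAIL_RE, '[email]');
  if (Array.isArray(value)) return value.map(redactEmails);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redactEmails(v)]));
  }
  return value;
}

// Takes an error event and returns the copy that is allowed to leave the host.
// The input event is not mutated.
function scrubEvent(event) {
  const out = { ...event };
  if (event.request) {
    const headers = {};
    for (const [name, v] of Object.entries(event.request.headers || {})) {
      // Header names are case-insensitive, so compare in lower case.
      if (!STRIP_HEADERS.has(name.toLowerCase())) headers[name] = v;
    }
    out.request = { ...event.request, headers };
    delete out.request.cookies; // this sketch drops parsed cookies entirely
  }
  // Keep only the user ID for correlation; name and email are not attached.
  if (event.user) out.user = event.user.id !== undefined ? { id: event.user.id } : {};
  for (const field of ['extra', 'tags', 'contexts']) {
    if (event[field]) out[field] = redactEmails(event[field]);
  }
  return out; // exception values, stack traces and request.url are untouched
}
```

Matching header names case-insensitively matters here: a filter that only checks `authorization` would let `Authorization` through.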

Web server logs

Standard nginx access logs include source IP, request line, response code, referrer, and user-agent. These logs are retained for 14 days and used for operational monitoring and abuse detection.

Resilience

Backups & Disaster Recovery

Database backups are taken daily and retained on the production host. Off-site backup replication and a documented recovery procedure are on our roadmap as part of forthcoming infrastructure improvements.

Subprocessors

Configly uses the following third-party services to deliver the product. Each service receives only the data necessary for its function:

  • Zendesk — your Zendesk instance, where Configly reads configuration and (via Apply Changes) writes configuration
  • GitHub — if you enable GitHub Sync, Configly commits your Zendesk configuration as YAML to a repository you nominate
  • Anthropic (Claude) — powers AI analysis features and the in-product support assistant. For AI analysis: receives configuration object names, conditions, and actions for the items you submit for analysis. For the support assistant: receives the messages you send to the assistant and your account identity (name, email, plan tier) so the assistant can answer in context.
  • Sentry — error monitoring. Receives error events with limited context as described above
  • Stripe — billing. Receives your billing email address and account identifier; payment cards are entered directly into Stripe and never traverse Configly
  • Brevo — transactional email delivery (welcome emails, password resets, billing notifications)
  • Google and Microsoft — if you sign in with these providers, they handle authentication and return your name and email to Configly
  • Google Workspace — hosts the [email protected] mailbox. Inbound support emails are received by Google Workspace before being forwarded to our Zendesk instance. Google Workspace therefore processes the content of any email you send to [email protected].
  • DigitalOcean — infrastructure provider (UK region)
  • Google Analytics — we use Google Analytics on our marketing site (configly.app) to understand visitor patterns. Google Analytics is not loaded inside the Configly application itself.

A current detailed subprocessor list is available on request to [email protected].

HTTP Security

Standard security headers are set on all responses, including Strict-Transport-Security (HSTS), X-Content-Type-Options (nosniff), X-Frame-Options, and Referrer-Policy. The application uses helmet middleware for header management.

CORS policies restrict cross-origin API access to authorised application origins. Public API endpoints (currently in development) require API key authentication.

Compliance

Compliance & Certifications

Today

  • UK Data Protection Act 2018 and UK GDPR compliant
  • Data Processing Agreement available on request
  • Encryption at rest and in transit for sensitive credentials
  • Tenant isolation enforced at the application layer
  • UK-hosted infrastructure

On the roadmap

  • SOC 2 Type II certification (planned as our customer base grows)
  • ISO 27001 (under evaluation)

Data residency: London (LON1) by default

Incidents

Incident Response

We acknowledge security reports within 24 hours and notify affected customers of confirmed security incidents within 72 hours of confirmation, in line with UK GDPR breach notification requirements.

Disclosure

Responsible Disclosure

If you discover a security vulnerability in Configly, please report it to [email protected]. We will acknowledge receipt within 24 hours and work with you in good faith to investigate and resolve the issue. We do not currently offer paid bug bounties but will publicly credit researchers who report valid issues responsibly.

Contact

Security questions and reports

[email protected]

General enquiries

[email protected]

Data protection enquiries

[email protected]