Compliance posture
Fanzava’s compliance posture is built on a Cloudflare-native technical architecture, a commitment to recognised compliance frameworks, and a strict sub-processor and supplier policy. This page is a high-level reference — see the linked pages for full technical depth.
Infrastructure and hosting
Fanzava runs on Cloudflare’s global edge network with Neon PostgreSQL as the primary transactional database. All providers maintain extensive certifications, including SOC 2 Type II, ISO 27001, and PCI DSS where relevant.
| Component | Provider | Certifications |
|---|---|---|
| Compute (API, edge middleware, background jobs) | Cloudflare Workers | SOC 2, ISO 27001, PCI DSS |
| Transactional database | Neon PostgreSQL (via Cloudflare Hyperdrive) | SOC 2, ISO 27001 |
| Object storage and archival | Cloudflare R2 | SOC 2, ISO 27001 |
| Edge cache, CDN, edge state | Cloudflare KV, Durable Objects, Queues | SOC 2, ISO 27001 |
| Analytics and reporting | Cloudflare Analytics Engine | SOC 2 |
| Email delivery | Resend | SOC 2 |
| Authentication (default) | Better Auth | — |
| Authentication (Enterprise SSO) | WorkOS | SOC 2, ISO 27001, GDPR |
A full and current list of sub-processors is published at fanzava.com/legal/sub-processors and updated with 30 days’ notice of any change.
Encryption
- In transit: TLS 1.3 enforced across all connections. TLS 1.0 and 1.1 are not accepted.
- At rest: AES-256 encryption for all data at rest, managed by the provider’s key management service.
- Passwords: Hashed with Argon2id. Passwords are never stored, transmitted, or logged in plaintext, and the hashes are not reversible. Magic link and Enterprise SSO are also supported as authentication methods — see Authentication methods.
Application security
- All API input is validated with Zod schemas at the API boundary
- Content Security Policy with per-request nonces enforced on all web interfaces
- Cloudflare WAF rules for common attack patterns (SQL injection, XSS, request smuggling)
- Standard security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Rate limiting on authentication, password reset, and write endpoints
- Dependency vulnerability scanning on every deploy
- Code review required on every change
For full technical detail, see Application & edge security.
Tenant isolation
Every API request carries a hub_id context, validated by the Worker middleware on every request. Database queries filter by hub_id at the ORM layer, and the Worker middleware validates the filter is present and correct before the query reaches Hyperdrive. It is architecturally impossible for a query in one hub to return data belonging to another. For the full architecture, see Tenant isolation.
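The two layers described above, as an added example written for this page rather than Fanzava’s own code: a minimal ORM-style builder that appends a hub_id predicate to every query it produces, and a middleware guard that inspects the finished query and refuses to forward it if the hub_id filter is absent or bound to a hub other than the one in the request context. The table and column names, the query shape and the request-context object are all assumptions.

```javascript
// Added example, not Fanzava's code. Models tenant scoping as two
// independent checks so that a bug in either one is caught by the other.

class HubScopeError extends Error {}

// "ORM layer": builds parameterised SQL and always scopes by hub_id.
// `table` must be an internal constant, never user input; only the bound
// values in `where` come from the request.
function scopedSelect(table, hubId, where = {}) {
  const params = [];
  const clauses = [];
  for (const [column, value] of Object.entries(where)) {
    params.push(value);
    clauses.push(`${column} = $${params.length}`);
  }
  params.push(hubId);
  clauses.push(`hub_id = $${params.length}`);
  return {
    sql: `SELECT * FROM ${table} WHERE ${clauses.join(" AND ")}`,
    params,
    hubId,
  };
}

// Middleware guard, run before the query is handed to the database driver.
// It does not trust the builder: it checks the SQL text itself for a
// hub_id predicate bound to a parameter, then checks that the bound value
// matches the hub in the request context.
function assertHubScoped(query, ctxHubId) {
  const match = /\bhub_id\s*=\s*\$(\d+)/.exec(query.sql);
  if (!match) {
    throw new HubScopeError("query carries no hub_id filter");
  }
  const bound = query.params[Number(match[1]) - 1];
  if (bound !== ctxHubId) {
    throw new HubScopeError(
      `query is bound to hub ${bound}, request context is hub ${ctxHubId}`
    );
  }
  if (query.hubId !== undefined && query.hubId !== ctxHubId) {
    throw new HubScopeError("builder hub does not match request context");
  }
  return query;
}

// Dispatch path: guard first, driver second. `driver` stands in for the
// Hyperdrive-backed client and is any function of (sql, params).
function executeScoped(ctx, query, driver) {
  assertHubScoped(query, ctx.hubId);
  return driver(query.sql, query.params);
}

// Constructed in-memory driver so the example runs offline: rows are
// filtered on hub_id the way a real WHERE clause would filter them.
const SAMPLE_ROWS = [
  { id: 1, hub_id: "hub_a", participant_id: "p1", amount: 5 },
  { id: 2, hub_id: "hub_b", participant_id: "p1", amount: 9 },
];

function fakeDriver(sql, params) {
  const match = /\bhub_id\s*=\s*\$(\d+)/.exec(sql);
  const hub = params[Number(match[1]) - 1];
  return SAMPLE_ROWS.filter((row) => row.hub_id === hub);
}

function example() {
  const ctx = { hubId: "hub_a" }; // set by the authentication middleware
  const query = scopedSelect("tips", ctx.hubId, { participant_id: "p1" });
  return executeScoped(ctx, query, fakeDriver);
}
```

The regex check in assertHubScoped is deliberately strict: it only accepts a hub_id predicate bound to a positional parameter, so a literal value spliced into the SQL text would be rejected even if it happened to name the right hub. A real deployment would keep both checks at the single chokepoint through which every query passes, so that a hand-written query that bypasses the builder still cannot bypass the guard.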
Access controls
- Fanzava staff access to customer data is logged, time-bound, and subject to internal review
- Staff cannot access participant content (tips, profiles, messages) without an active support ticket or incident reference
- All staff access is recorded in the audit trail and reviewed monthly
- Production database and admin tooling are gated through Cloudflare Access (zero-trust)
- Multi-factor authentication is mandatory for Fanzava staff with any production access
- Least-privilege role-based access control enforced across all infrastructure
Accessibility
Fanzava targets WCAG 2.1 AA conformance across all customer-facing interfaces.
SOC 2 Type II
Fanzava operates with SOC 2 Type II controls already in place — including formal access reviews, change management, encryption standards, and audit logging. Formal Type II certification is on our compliance roadmap. Contact your account manager for the latest status.
ISO 27001
ISO 27001 certification is on our compliance roadmap. The information security management practices that underpin certification are already in place across the platform.
Australian Privacy Act
Fanzava complies with the Australian Privacy Act 1988 and the Australian Privacy Principles, including the Notifiable Data Breaches scheme. See DPA & GDPR for detail.
Vulnerability disclosure
Report security issues to security@fanzava.com. Fanzava acknowledges reports within 24 hours and provides status updates every 48 hours until resolution.