OnloZap handles internal workspace users, client portal users, shared signing links, billing flows, and AI-assisted actions as distinct security contexts.
Workspace data is scoped by organization context, user access, and permission checks before sensitive records are read or changed.
Portal users should only see eligible client records such as quotes, invoices, projects, files, messages, and signing tasks.
Authentication relies on server-side session verification, secure cookie handling, and host-aware public route behavior.
OnloSign, secure files, signature evidence, and document links are treated as sensitive workflow surfaces.
Subscription checkout and payment details are handled through Stripe. OnloZap stores only the references needed to reconcile billing state.
If you believe you found a security issue, send a concise report with impact, reproduction steps, and affected routes.
AI trust
AI features are designed to assist workspace users through summaries, drafts, and recommendations without bypassing sensitive permissions or review steps.
Generated content and recommended actions should be reviewed by a human before they affect client-facing records.
Zapling belongs to internal workspace workflows and should not become an uncontrolled client-portal tool.
AI requests can be checked for policy, usage, and feature eligibility before work is performed.
Tool-backed AI actions should preserve enough detail to understand what was proposed and what was approved.
Next step
Send the affected route, expected access, actual access, reproduction steps, and any non-sensitive screenshots.