1. Functional Definition of the Security Ecosystem
Zelencio operates a high-integrity security framework designed to protect digital assets, user identity, and transactional data from unauthorized access, systemic exploits, and social engineering. Our "Triple-Lock" security architecture ensures that no outbound movement of value can occur without three distinct layers of verification: Knowledge (PIN), Possession (2FA Device/Email), and Inherence (Biometrics/Face Verification).
2. Layer 1: The Proprietary 5-Digit App PIN
2.1. The Access Barrier:
Zelencio enforces a mandatory 5-digit numeric App PIN. This PIN is required for initial application entry (if biometrics are disabled) and for high-sensitivity internal ledger actions, such as generating a Zelencio Code or initiating a Swap.
2.2. Zero-Knowledge Storage:
To ensure the highest level of data integrity, Zelencio does not store your PIN in a human-readable format. All PINs are subject to Cryptographic Hashing on our secure servers. This means that even in the event of a server-side breach, your raw PIN remains unreadable.
2.3. Anti-Brute Force Protection:
The system automatically monitors for failed PIN attempts. Multiple incorrect entries will trigger an incremental "Cool-Down Period" (e.g., 30 seconds, 5 minutes, 1 hour) or a temporary account freeze requiring manual identity re-verification.
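As an added illustration of sections 2.2 and 2.3 (example code, not Zelencio's own implementation): a salted, slow-hashed PIN record together with the escalating cool-down and freeze. The KDF choice (PBKDF2-HMAC-SHA256), its round count, and the two "free" failures before the 30 s / 5 min / 1 h schedule are assumptions; only the schedule values come from the page.

```python
# Added example, not Zelencio's code: salted PIN hashing plus the incremental
# cool-down of sections 2.2/2.3. KDF, round count and the two free failures are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000               # assumed work factor; tune to ~100 ms per check
FREE_ATTEMPTS = 2                     # assumed: failures 1-2 just return "denied"
COOL_DOWN_SCHEDULE = (30, 300, 3600)  # seconds: the page's 30 s, 5 min, 1 h

@dataclass
class PinRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # UNIX time; 0 means no active cool-down
    frozen: bool = False        # needs manual identity re-verification

def _derive(pin: str, salt: bytes) -> bytes:
    # 5 digits = 100,000 values: a leaked digest is brute-forceable offline
    # regardless of hashing, so the online cool-down below is the real control.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=32)

def enroll_pin(pin: str) -> PinRecord:
    if len(pin) != 5 or not pin.isdigit():
        raise ValueError("App PIN must be exactly 5 digits")
    salt = os.urandom(16)
    return PinRecord(salt=salt, digest=_derive(pin, salt))

def verify_pin(rec: PinRecord, pin: str, now: float) -> str:
    """Return 'ok', 'denied', 'cooldown' or 'frozen' and update the record."""
    if rec.frozen:
        return "frozen"
    if now < rec.locked_until:
        return "cooldown"       # not evaluated while the timer runs
    if hmac.compare_digest(_derive(pin, rec.salt), rec.digest):
        rec.failures = 0
        rec.locked_until = 0.0
        return "ok"
    rec.failures += 1
    step = rec.failures - FREE_ATTEMPTS   # 1-based index into the schedule
    if step <= 0:
        return "denied"
    if step > len(COOL_DOWN_SCHEDULE):
        rec.frozen = True               # temporary freeze; manual re-verification
        return "frozen"
    rec.locked_until = now + COOL_DOWN_SCHEDULE[step - 1]
    return "cooldown"
```

A correct PIN entered during a cool-down is not evaluated, so it neither unlocks early nor counts as a failure.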
3. Layer 2: Multi-Factor Authentication (MFA) Protocols
Zelencio utilizes two distinct channels of secondary verification to mitigate the risk of account takeover via password theft.
3.1. Email One-Time Password (OTP):
During registration, login from a new device, or password resets, Zelencio’s backend issues a time-sensitive, 6-digit alphanumeric OTP to the user’s verified email address. This ensures that the user maintains control over their primary communication channel.
3.2. Google 2FA (The "Hard Lock"):
Zelencio integrates with the Google Authenticator protocol to provide Time-based One-Time Passwords (TOTP).
Mandatory for Outbound Funds: Users are strictly required to bind a 2FA device before they can execute On-Chain Withdrawals, P2P releases, or internal transfers.
Recovery Keys: Upon setup, the user is provided with a unique "Recovery Secret." Zelencio does not store this secret. The user is solely responsible for storing this key offline; loss of both the 2FA device and the recovery key will result in a mandatory 7-day security hold on the account.
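As an added example of the TOTP mechanism in 3.2 (example code, not Zelencio's own implementation): a server-side verifier for Google Authenticator-style codes (RFC 6238 with HMAC-SHA1, 30-second steps, 6 digits). The one-step drift window and the single-use rule are assumptions, as is the assumption that the "Recovery Secret" is the same base32 seed the authenticator app was enrolled with.

```python
# Added example, not Zelencio's code: RFC 6238 TOTP as used by Google Authenticator
# (SHA-1, 30 s step, 6 digits). The +/-1 step window and single-use rule are assumptions.
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

def decode_secret(base32_secret: str) -> bytes:
    # Authenticator apps show the seed in base32, often with spaces; the page's
    # "Recovery Secret" is assumed to be this same seed.
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    return hotp(secret, at // step)

def verify_totp(secret: bytes, code: str, at: int, last_used_counter: int,
                window: int = 1, step: int = STEP_SECONDS) -> Optional[int]:
    """Return the matched counter (persist it as last_used_counter) or None.

    Accepts +/-window steps for clock drift, compares in constant time, and
    rejects any counter at or below the last accepted one so a code captured
    by phishing cannot be replayed inside the same 30 s step.
    """
    if len(code) != DIGITS or not code.isdigit():
        return None
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None
```

The expected values in the test are the RFC 6238 SHA-1 test vectors (seed "12345678901234567890"), truncated to six digits.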
4. Layer 3: Identity Assurance and Face Verification (Liveness)
To counter "Synthetic Identity Fraud" and "Identity Theft," Zelencio utilizes an AI-driven biometric verification engine.
4.1. Liveness Detection:
During KYC and high-risk transactions (such as third-party P2P payments), the platform requires a "Liveness Check." This involves a live video capture where the user must perform specific movements (e.g., smiling, blinking, or rotating the head) as instructed by the Zacuz Intelligent Bot (ZIB).
4.2. Biometric Data Privacy:
Face ID / Fingerprint: When using biometric login (Face ID or Fingerprint), the actual biometric data is stored and processed exclusively by the user's device (Secure Enclave on iOS or Trusted Execution Environment on Android). Zelencio receives only a "Success/Fail" token from the operating system.
Face Verification (KYC): Video data captured for KYC/Liveness is transmitted via encrypted channels to Zelencio’s secure, air-gapped identity servers for matching against the provided government ID.
5. Account Activity and Authorized Device Tracking
5.1. Hardware Fingerprinting:
Zelencio’s security engine logs the Device Name/Model, IP Address, Network Type (WiFi/Cellular), and Approximate Geolocation for every session.
5.2. Authorized Devices List:
Users can view a real-time list of "Trusted Login Sources" within the Security Settings. Users have the power to "De-authorize" any device instantly, which kills all active sessions and requires a full MFA re-login on that hardware.
5.3. Real-Time Alerting:
The platform issues immediate push notifications and emails for any "New Device Login." If a user does not recognize the login, they can hit a "Secure Account" button to lock all withdrawals and transfers instantly.
6. Asset Protection: The "Security Crypto Account"
6.1. The Isolation Chamber:
If Zelencio’s AI detects "Abnormal Behavior" (e.g., a login from a high-risk IP followed by a massive withdrawal attempt), funds are automatically moved from the primary balance to the Security Crypto Account.
6.2. Mandatory Investigation:
Funds in the Security Account are "Hard-Locked." These funds can only be released after the user passes an "Enhanced Liveness Check" and provides additional proof of transaction intent. This prevents "Drainer" attacks from emptying a user’s wallet.
7. Transaction Finality and "Negligence" Disclaimer
7.1. User Authorization:
By entering your App PIN and 2FA code and performing the "Slide to Trade" action, you provide irrevocable authorization for the transaction. Zelencio considers these credentials to be a digital signature of the account holder.
7.2. Social Engineering Risk:
Zelencio staff will NEVER ask for your App PIN, 2FA code, or Email OTP. You are strictly responsible for protecting these credentials. Zelencio is not liable for losses caused by "Phishing" or "Social Engineering" where you voluntarily provided your security codes to a third party.
7.3. Device Compromise:
Zelencio shall not be liable for assets lost due to a "Rooted" or "Jailbroken" device, as such modifications bypass the operating system's built-in security barriers.
8. Data Retention and Encryption Standards
Encryption at Rest: All user data, including transaction history and hashed credentials, is encrypted using AES-256 standards.
Encryption in Transit: All communication between the Zelencio mobile app and our servers is secured via Transport Layer Security (TLS 1.3).
Post-Deletion Retention: Even upon account closure, security logs and KYC metadata are retained for five (5) years to assist law enforcement in the event of a post-hoc fraud investigation, in accordance with global AML mandates.