# ZevID

## 1. Snapshot
| Field | Value |
|---|---|
| Product | ZevID |
| What it is | Centralised identity provider for the Zev product ecosystem |
| Public URL | accounts.zevop.com |
| Status | Live |
| Product owner | Daniel Arowolo |
| Parent company | ZevOP Technologies Limited |
## 2. Mission
ZevID is the identity substrate for every product ZevOP Technologies Limited operates. One account, one set of credentials, one MFA enrolment — used to sign in to ZevPay, ZevCommerce, ZevCloud, ZevWorkspace, and every future Zev product. ZevID is not a consumer product; users do not "use ZevID" the way they use the others. They sign up once at any Zev surface and ZevID is the account record sitting behind that signup.
## 3. Audience
Users of ZevID are the end-users of every Zev product. In practice today, that means Nigerian individuals and businesses signing up at one of:
- ZevPay — personal and business payment accounts.
- ZevCommerce — merchants building storefronts.
- ZevCloud — developers deploying apps.
- ZevWorkspace — organisations collaborating internally.
A single ZevID may have zero, one, or several active product enrollments. Cross-product permissions are user-granted, per product, per scope, via the ZPIP consent flow.
## 4. Core capabilities
- Single sign-on across every Zev product (email + password + MFA, OAuth-style consent for cross-product permissions).
- Multi-factor authentication — TOTP (any RFC 6238 authenticator app), SMS via Termii, recovery codes.
- Phone-number verification with normalised E.164 storage and SMS one-time codes.
- KYC verification record — canonical store of NIN / BVN / face-match outcome (the verification is run by ZevPay; the outcome is stored centrally so other products can read it without re-running KYC).
- Cross-product permissions (ZPIP) — token-exchange flow that lets a Zev product act on a user's behalf for a specific scope, gated by an explicit consent screen.
- Enrollment registry — central record of which Zev products a user has signed up for and at what tier.
## 5. Architecture summary
- Backend — a Node.js API serving every Zev product's identity calls.
- Database — a managed Postgres instance holding accounts, sessions, MFA enrolment, phone records, KYC verification records, enrollments, and consent grants.
- Cache — in-memory cache for sessions, rate limits, and OAuth state.
- Object storage — for user profile pictures.
- Transactional email + SMS — for OTPs, sign-in alerts, account-change notifications, and phone verification.
- Edge protection — every public surface sits behind a CDN with TLS termination, HSTS, and DDoS mitigation.
- Centralised exception + log monitoring — every error and important security event is forwarded to a monitoring platform the engineering team watches.
```mermaid
flowchart LR
    User([User browser]) -->|TLS| Edge[Edge / CDN]
    Edge --> API[ZevID API]
    API --> DB[(Identity database)]
    API --> Cache[(Cache)]
    API --> Files[(Object storage)]
    API --> Mail[Email]
    API --> SMS[SMS]
    Other[Other Zev products] -->|ZPIP| API
```
## 6. Data the product handles
| Category | Examples |
|---|---|
| Account identity | Email, password (bcrypt), display name |
| Phone numbers | Normalised E.164, encrypted at rest |
| MFA enrolment | TOTP secrets (encrypted), SMS phone bindings, recovery code hashes |
| KYC verification record | NIN / BVN hash (never plaintext), face-match outcome, tier |
| Cross-product enrollments | Which Zev products the user has signed up for, tier metadata |
| Cross-product consent grants | Scopes a user has granted to each Zev product |
| Authentication events | Login attempts, IP, user agent, outcome — retained 90 days |
| Profile picture | Image file in Cloudflare R2 |
For the full data inventory with field-level encryption notes, see compliance docs → ZevID data inventory.
## 7. Security posture
| Area | Posture |
|---|---|
| Passwords | bcrypt cost 12 (one-way hash) |
| TOTP secrets | AES-256-GCM at rest; master key held in deploy-platform secret store, Ops-only access |
| Phone numbers | AES-256-GCM at rest; one-way peppered hash used for lookups |
| BVN / NIN | One-way hash only — plaintext BVN / NIN never reaches ZevID |
| Database-level encryption | Provider-managed at-rest encryption on the identity database |
| Encryption in transit | TLS 1.2+ everywhere; HSTS on user-facing surfaces |
| Authentication | Email + password (bcrypt) + email-OTP |
| MFA factors | Authenticator app (TOTP), SMS, recovery codes; MFA enforced when enrolled |
| Session tokens | RS256-signed JWTs, 15-minute access tokens, 7-day refresh tokens with rotation + reuse-detection |
| Hardening in production | CSRF protection on cookie-auth state-changing routes; PKCE required on every OAuth exchange; strict redirect-URI validation; internal API surface IP-locked to an allow-list |
| Key management | Master keys held in a managed secret store; Operations team only |
| Logging + monitoring | Centralised exception + log monitoring; cross-product permission issuances written to an audit log |
| Backup | Continuous point-in-time recovery on the identity database |
| Host access | Key-based authentication only; no password authentication on the application host |
| Vulnerability management | Automated dependency-advisory scanning |
For the full security record, see compliance docs → ZevID security.
## 8. Compliance posture
- Nigeria Data Protection Act (NDPA), 2023 — primary obligation. ZevID is the controller for identity data on every Zev product. RoPA, data-flow diagrams, third-party DPAs, and retention rules are maintained at compliance.zevop.com.
- NDPC General Application and Implementation Directive (GAID), 2025 — implementing rules including 72-hour breach notification, DPO designation, RoPA. DPO designated: Izunna Ikewete (dpo@zevop.com).
- Cross-border transfer posture — primary data store and application host are located in the United States. Sub-processor detail and DPA records are maintained at compliance.zevop.com.
For the detailed compliance record (RoPA, third-party DPAs, retention table, subject-rights procedure, breach-response runbook), see compliance docs → ZevID.
## 9. Integrations

### Zev products this depends on
ZevID is at the root of the dependency graph — no other Zev product is upstream of it.
### Zev products that depend on ZevID
- ZevPay, ZevCommerce, ZevCloud, ZevWorkspace — all authenticate users through ZevID and read identity state via the ZPIP protocol.
## 10. Roadmap signals
- This quarter — Account-portal "Privacy" landing where users can request data export / deletion / restriction without routing through DPO email.
- This year — Self-service account deletion endpoint with DPO-routed sweep job and KYC anonymisation step.
These are the items that meaningfully change the published profile when shipped. Smaller incremental work is tracked in the engineering repo and does not need a line here.
## 11. Contacts
- Product owner: Daniel Arowolo — (email)
- Security: security@zevop.com
- DPO: Izunna Ikewete — dpo@zevop.com
## 12. Change history
- 2026-05-18 — Initial profile published.