SOC 2 Type II
Security · Availability · Confidentiality. Auditor: independent CPA firm. Re-audited annually.
Active
Security
Zenrows is the web data layer behind production AI agents at companies that don't take security shortcuts. Here's how we hold up.
Zenrows is the web data layer behind serious teams that can't afford security shortcuts. Here's how it holds up under review.
Compliance
Each one open to scrutiny. Each one on a renewal cadence. Pack-ready PDFs available under NDA.
Security · Availability · Confidentiality. Auditor: independent CPA firm. Re-audited annually.
Active
EU data processor posture. Standard DPA pre-signed on request. SCCs included for non-EEA transfers.
Active
California processor posture. Subject access requests routed to a dedicated mailbox with SLA.
Active
Information security management system. Gap assessment closed; certification audit scheduled.
In progress · Q4 target
BAA available on Enterprise commits with PHI-scoped deployments. Subject to security review.
Available on commit
Third-party pen tests yearly. Vulnerability disclosure program. Bug bounty for Enterprise scope.
Active
Encryption
Customer data is encrypted by default at every stage of the lifecycle. Keys rotate. Deletion is verified.
AES-256-GCM everywhere customer payloads land. Database, object storage, ephemeral disk. Customer-managed keys on Enterprise.
Industry-standard AES-256 encryption everywhere your team's data lands. Customer-managed keys on Enterprise.
TLS 1.3 with modern cipher suites enforced at every edge. HSTS preloaded. Strict certificate pinning between internal services.
Modern TLS encryption is enforced everywhere data moves, both at the perimeter and between internal services.
Worker processes are short-lived and stateless. Payloads aren't logged. Sensitive headers redacted from observability before they leave the worker.
Workloads run in short-lived, stateless processes. Sensitive content is never logged, and request metadata is redacted before it leaves the platform.
Object stores honour deletion immediately; cold backups roll off within the contracted retention. Verified destruction on request.
Storage honours deletion immediately. Older backups roll off within the contracted retention window. Verified destruction on request.
Access + Infrastructure
Workspace-level SSO on Team and up. SAML 2.0 + OIDC providers supported, with SCIM for user provisioning on Enterprise.
Workspace single sign-on on Team and up. Standard identity providers supported, with automatic user provisioning on Enterprise.
Workspace, project, and resource-level roles. Least-privilege defaults. Per-key scopes for service identities.
Workspace, project, and resource-level roles. Least-privilege defaults. Scoped credentials for automated systems.
Every console + API action logged with actor, timestamp, IP, and result. 30 days baseline; 90 days on Team; 1 year on Enterprise; export to your SIEM.
Every action your team takes is logged with who, when, where, and outcome. 30 days baseline; 90 days on Team; 1 year on Enterprise; exportable to your security platform.
API keys rotate without downtime via grace periods. Console accounts enforce TOTP/WebAuthn MFA. Hardware key support on Enterprise.
Access credentials rotate without downtime. User accounts enforce two-factor sign-in. Hardware-key support on Enterprise.
EU + US data residency. Choose where your jobs run and where your logs land. No silent cross-region replication.
Private networking between internal services. Customer ingress over public TLS only; egress paths are explicit and auditable.
SAST + dependency scanning on every PR. Continuous infrastructure scanning. Critical CVEs triaged within hours; patches deployed weekly.
Automated scanning runs on every code change and across the live platform. Critical issues are triaged within hours; patches deployed weekly.
Daily encrypted backups with verified restore drills. Multi-AZ failover. Tested RPO + RTO documented in the security pack.
Daily encrypted backups with regular restore drills. Multi-zone failover. Recovery targets and timings are documented in the security pack.
Ready for the next question
Send us the security questionnaire you'd normally save for the end of procurement. We'll come back with the answers, the artefacts, and the DPA.
Send the questionnaire your security team would normally save for the end. We come back with the answers, the artefacts, and the DPA, ready for sign-off.
Procurement-ready · NDA available on request