Zenrows
Talk to sales Start building free

Security

Built for the procurement review you're about to send.

Built for the security review your team will face.

Zenrows is the web data layer behind production AI agents at companies that don't take security shortcuts. Here's how we hold up.

  • SOC 2 Type II Active · audit annually
  • GDPR + DPA Standard DPA on request
  • ISO 27001 In progress · Q4 target

Compliance

Certifications, attestations, and the people who signed them.

Each one open to scrutiny. Each one on a renewal cadence. Pack-ready PDFs available under NDA.

01

SOC 2 Type II

Security · Availability · Confidentiality. Auditor: independent CPA firm. Re-audited annually.

Active

02

GDPR + Standard DPA

EU data processor posture. Standard DPA pre-signed on request. SCCs included for non-EEA transfers.

Active

03

CCPA / CPRA

California processor posture. Subject access requests routed to a dedicated mailbox with SLA.

Active

04

ISO 27001

Information security management system. Gap assessment closed; certification audit scheduled.

In progress · Q4 target

05

HIPAA-ready

BAA available on Enterprise commits with PHI-scoped deployments. Subject to security review.

Available on commit

06

Vendor + penetration tests

Third-party pen tests yearly. Vulnerability disclosure program. Bug bounty for Enterprise scope.

Active

Encryption

Every byte. Every step.

Customer data is encrypted by default at every stage of the lifecycle. Keys rotate. Deletion is verified.

  1. 01

    At rest.

    AES-256-GCM everywhere customer payloads land. Database, object storage, ephemeral disk. Customer-managed keys on Enterprise.

  2. 02

    In transit.

    TLS 1.3 with modern cipher suites enforced at every edge. HSTS preloaded. Strict certificate pinning between internal services.

  3. 03

    In memory.

    Worker processes are short-lived and stateless. Payloads aren't logged. Sensitive headers redacted from observability before they leave the worker.

  4. 04

    After deletion.

    Object stores honour deletion immediately; cold backups roll off within the contracted retention. Verified destruction on request.

Access + Infrastructure

Who can do what, and where it all lives.

Access & identity

  1. 01

    SSO + SAML + OIDC

    Workspace-level SSO on Team and up. SAML 2.0 + OIDC providers supported, with SCIM for user provisioning on Enterprise.

  2. 02

    Role-based access

    Workspace, project, and resource-level roles. Least-privilege defaults. Per-key scopes for service identities.

  3. 03

    Audit logs

    Every console + API action logged with actor, timestamp, IP, and result. 30 days baseline; 90 days on Team; 1 year on Enterprise; export to your SIEM.

  4. 04

    Key rotation + MFA

    API keys rotate without downtime via grace periods. Console accounts enforce TOTP/WebAuthn MFA. Hardware key support on Enterprise.

Infrastructure posture

  1. 01

    Region isolation

    EU + US data residency. Choose where your jobs run and where your logs land. No silent cross-region replication.

  2. 02

    Network isolation

    Private networking between internal services. Customer ingress over public TLS only; egress paths are explicit and auditable.

  3. 03

    Vulnerability management

    SAST + dependency scanning on every PR. Continuous infrastructure scanning. Critical CVEs triaged within hours; patches deployed weekly.

  4. 04

    DR + backups

    Daily encrypted backups with verified restore drills. Multi-AZ failover. Tested RPO + RTO documented in the security pack.

Ready for the next question

Two questions deep into the security review, we still have answers.

Send us the security questionnaire you'd normally save for the end of procurement. We'll come back with the answers, the artefacts, and the DPA.

Talk to security

Procurement-ready · NDA available on request

Download security pack