Security at Zero

At Zero, we take the security and privacy of your data seriously. We maintain robust security practices to protect your business information. This document outlines our key security measures and commitments.

Data Storage and Protection

Encryption

• All data is encrypted in transit using TLS 1.3

• All data at rest is encrypted using AES-256 encryption

• Database backups are encrypted before being stored

Cloud Infrastructure

• We host our infrastructure on Google Cloud Platform (GCP) in European data centers

• We utilize GCP's built-in security features including VPC networks, firewall rules, and IAM roles

• Regular security patches and updates are applied to all systems

• Infrastructure is strictly segregated into staging and production environments

Access Control

Employee Access

• Single Sign-On (SSO) is required for all internal systems

• Multi-Factor Authentication (MFA) mandatory for all employee accounts

• Regular access reviews are conducted quarterly

• Employee offboarding process includes immediate access revocation

Device Security

• Mandatory device encryption for all work devices

• Automatic screen locking enforced on all devices

• Full disk encryption required for all hard drives

• Regular device security audits

Customer Data Access

• Customer data is logically separated in our databases

• Access to customer data is logged and monitored

• Employees can only access customer data when explicitly granted permission e.g. during customer onboarding or support

Security Practices

Authentication

• Google SSO integration available for customer accounts

• Automatic lockout and cooldown period after multiple failed login attempts

• Session timeouts for inactive users

Monitoring and Incident Response

• 24/7 automated system monitoring

• Security logs are retained for 90 days

• Documented incident response procedures

• Commitment to notify customers of any security incidents within 48 hours

Development Security

• Code changes are reviewed before deployment

• Strict separation between staging and production environments

• Regular security testing and vulnerability scanning

• Dependencies are automatically scanned for known vulnerabilities

Data Management

Data Retention

• Customer data is retained only as long as necessary

• Customers can request data deletion at any time

• Regular data backups with 30-day retention

Data Processing

• Clear data processing agreements with all third-party vendors

• Minimal use of third-party services to reduce exposure

• Regular vendor security assessments

Compliance and Testing

Security Assessments

• Regular internal security audits

• Annual penetration testing by third-party security consultants

• Continuous vulnerability scanning

Privacy Compliance

• GDPR-compliant data processing and storage

• Data stored exclusively in European data centers

• Privacy policy available at https://www.zero.inc/privacy

• Data Processing Agreements available upon request

Security Updates and Communication

Staying Informed

• Security advisories sent to all customers for critical updates

• Regular security newsletter for customers

• Transparent incident reporting and status updates

Contact

For security-related questions or to report a security concern, please contact:

• Email: security@zero.inc

Commitment to Improvement

While we currently maintain these security measures, we are committed to continuously improving our security posture. We regularly review and update our security practices based on:

• Emerging security threats

• Customer feedback and requirements

• Industry best practices

• Changes in the regulatory landscape

Last updated: November 2024