Trust Center
Your Trust, Our Priority
At ZeroPath, every decision we make puts our customers first. Security, data privacy, compliance, and reliability matter to you, so they're non-negotiable for us.
Compliance
SOC 2 Type II certified, demonstrating our commitment to security, availability, and confidentiality.
Pentesting
Annual external pentests and active vulnerability disclosure program ensure continuous security improvement.
Contact [email protected] for pentest reports
Privacy & GDPR
Fully GDPR compliant with transparent data handling. We don't retain data beyond what's necessary.
View privacy policy →
Availability
Industry-leading uptime with real-time monitoring and transparent reporting of service status.
Check status page →
Security Architecture & Data Protection
How We Handle Your Code
Scanning Process
- Each repository scan runs in an isolated Docker container
- Each scan gets its own dedicated container environment
- Code is retained for 30 days to enable patch generation, Q&A interactions, and quick re-scanning
- After 30 days, source code is automatically deleted from our systems
Data Retention
| Data Type | Retention Period | Purpose |
|---|---|---|
| Source code | 30 days | Patch generation, Q&A, re-scanning |
| Vulnerability findings | Until deletion requested | Historical tracking and reporting |
| Generated patches | Until deletion requested | Pull request creation |
| Scan metadata | Until deletion requested | Dashboard and analytics |
All data is permanently deleted when:
- You request deletion through our support team
- You delete your account
- Your account is inactive for 24 months
Infrastructure Security
AWS Infrastructure
- Hosted in the AWS US-West-2 region
- Encrypted at rest using AWS default encryption (AES-256)
- All data transfers encrypted using Cloudflare's encryption suite (TLS 1.3)
- Regular vulnerability scanning of our infrastructure
- Each scan runs in its own isolated Docker container
Access Controls
- Repository access tokens are securely stored using AWS default encryption
- API authentication uses private and secret key pairs
- Multi-party verification required for any employee access to customer data
- All employee accounts require multi-factor authentication through Google Workspace
AI and Model Security
ZeroPath maintains enterprise agreements with our AI model providers (including OpenAI and Anthropic) that explicitly prohibit:
- Training on customer data
- Retaining customer inputs beyond processing
- Using customer code for model improvement
Your proprietary code is never used to train or improve AI models.
Security Practices
Continuous Security Monitoring
- Automated vulnerability scanning of our infrastructure
- Security awareness training for all employees (managed through our SOC 2 provider)
- Annual penetration testing by independent third parties
- Active vulnerability disclosure program
Compliance Training
All ZeroPath employees complete mandatory security training covering:
- Data handling procedures
- Customer data privacy
- Incident response protocols
- GDPR requirements
On-Premises Deployment
For organizations requiring complete control over their data, ZeroPath offers deployment within your own cloud infrastructure:
- Deploy to your AWS, Azure, or GCP account
- Your code never leaves your environment
- Full control over data retention policies
- Managed through Pulumi infrastructure-as-code
Contact our team at [email protected] to discuss on-premises deployment options.
Third-Party Subprocessors
ZeroPath uses industry-standard third-party services including:
- Cloud infrastructure providers (AWS)
- AI model providers (OpenAI, Anthropic)
- Payment processing (Stripe)
- Analytics and monitoring services
- Content delivery and security services (Cloudflare)
For a complete list of subprocessors, please contact [email protected].
Operational Security
Secure Development
- All code changes undergo mandatory code review
- We scan our own codebase with ZeroPath (dogfooding)
- Security vulnerabilities are prioritized and patched within SLA
Incident Response
- Documented incident response plan with defined escalation procedures
- Customer notification within 72 hours of confirmed security incidents
- Post-incident reports available upon request
Audit Logging
- Comprehensive audit logs track all sensitive actions
- Available through your dashboard
- Includes authentication events, configuration changes, and data access
- Logs retained for 12 months
Support Commitments
- 24-hour response time for support requests
- Priority support available for enterprise customers
- Immediate attention for security issues
Data Management
Data Isolation
- Logical separation of customer data at the database level
- Row-level security policies enforce access controls
- Each customer's data is tagged with unique identifiers
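The following is an added illustration of the tenant-isolation pattern described above (row-level security keyed on a per-customer identifier). It is not ZeroPath's schema or code; it assumes PostgreSQL, a hypothetical `vulnerability_findings` table, and a hypothetical `app.tenant_id` session setting that the application sets once per request.

```sql
-- Constructed example (not ZeroPath's schema): one table shared by all tenants,
-- with every row tagged by the owning customer's identifier.
CREATE TABLE vulnerability_findings (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    repository  text        NOT NULL,
    severity    text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Turn on row-level security. FORCE matters: without it the table owner
-- (often the role migrations run as) silently bypasses every policy.
ALTER TABLE vulnerability_findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE vulnerability_findings FORCE  ROW LEVEL SECURITY;

-- A single policy that both filters reads (USING) and rejects writes that
-- would land in another tenant's partition (WITH CHECK). The tenant comes
-- from a session setting the application sets per request (assumed name).
CREATE POLICY tenant_isolation ON vulnerability_findings
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application connects as a role that is neither the owner nor
-- SUPERUSER / BYPASSRLS, so the policy is the only path to the rows.
CREATE ROLE app_service NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON vulnerability_findings TO app_service;

-- Per request, inside a transaction: pin the tenant, then query normally.
-- SET LOCAL scopes the value to this transaction, so a pooled connection
-- cannot leak one customer's tenant_id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, repository, severity FROM vulnerability_findings;         -- only this tenant's rows
INSERT INTO vulnerability_findings (tenant_id, repository, severity)
    VALUES ('22222222-2222-2222-2222-222222222222', 'other/repo', 'high');  -- rejected by WITH CHECK
COMMIT;
```

Two checks a reviewer would run against a setup like this: confirm with `SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'vulnerability_findings'` that both flags are true, and confirm that no role the application uses carries `BYPASSRLS` (`SELECT rolname FROM pg_roles WHERE rolbypassrls`). If `app.tenant_id` is unset, `current_setting(..., true)` returns NULL and the policy matches no rows, which fails closed rather than exposing everything.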
Data Export
- Full data export available upon request
- Contact [email protected] for data export
- Exports provided in JSON format within 5 business days
API Security
- Configurable rate limits available for enterprise customers
- API tokens use secure key pairs (public and private keys)
- All API calls are authenticated and encrypted
Legal and Compliance
Data Processing Agreement (DPA)
- Standard DPA available for all customers
- Covers GDPR requirements and data protection obligations
- Available at [email protected]
Right to Audit
- SOC 2 Type II report available under NDA
- Additional security questionnaires supported
- Virtual audits can be arranged for enterprise customers
Data Privacy FAQs
Security Inquiries
For security inquiries or to report vulnerabilities, please contact:
General security questions:
[email protected]
Vulnerability disclosure:
https://zeropath.com/disclosure