Security Addendum
Version 1.0 · Effective: June 5, 2026
This Security Addendum describes ZonForge's technical and organizational security measures. For enterprise customers requiring signed security questionnaires, contact security@zonforge.com.
Compliance Posture
- SOC 2 Type II: in progress, targeted Q3 2026
- ISO 27001: aligned; audit 2026
Infrastructure Security
| Control | Implementation |
|---|---|
| Cloud provider | Amazon Web Services: us-east-1 (primary), us-west-2 (DR) |
| Network isolation | VPC with private subnets; no public internet access to application pods |
| WAF | AWS WAF v2 with the OWASP Core Rule Set and custom rate limits |
| DDoS protection | AWS Shield Standard; ALB with automatic traffic scrubbing |
| Kubernetes | EKS with Pod Security Standards, network policies, and Istio mTLS |
| Container hardening | Non-root containers; read-only root filesystem; all Linux capabilities dropped |
| Secret management | AWS Secrets Manager with automated 90-day rotation |
Data Encryption
- In transit: TLS 1.3 (minimum TLS 1.2); HSTS with 1-year max-age and includeSubDomains
- At rest: AES-256 encryption for all stored data (PostgreSQL, ClickHouse, S3)
- Field-level: AES-256-GCM encryption for credentials, MFA secrets, and API keys
- Passwords: bcrypt with cost factor 12 minimum (2^12 key-expansion rounds); plaintext passwords are never stored
- API keys: only a bcrypt hash is stored; the key is displayed once at creation. Note that bcrypt hashes at most the first 72 bytes of its input, so keys are kept shorter than that so the whole key is covered by the hash
- Key management: AWS KMS with separate keys per data classification
Authentication and Access Control
- JWTs are delivered only in httpOnly, Secure, SameSite=Strict cookies, so they are never readable by page script
- 15-minute access token TTL with 7-day rotating refresh tokens
- CSRF protection (double-submit cookie pattern) on all state-changing API calls
- Multi-factor authentication (TOTP) available for all accounts; enforced for Enterprise tier
- SSO (SAML 2.0, OIDC) supported for Enterprise customers
- Role-based access control with 5 permission levels
- Account lockout after 10 failed login attempts
- All administrative access requires MFA and is logged to the tamper-evident audit log
Tenant Isolation
- Every database query includes a tenantId filter enforced at the application layer
- PostgreSQL Row Level Security (RLS) policies as a defense-in-depth layer
- Istio authorization policies enforce that services can only communicate with authorized peers
- Tenant data segregation verified by automated cross-tenant access tests in CI
Application Security
- Parameterized queries only — no raw SQL string interpolation (Drizzle ORM)
- Input validation at all API boundaries (Zod schemas)
- Output encoding to prevent XSS
- Dependency vulnerability scanning (npm audit) on every CI build
- Static code analysis (ESLint security rules) in CI
- Container image scanning with AWS ECR on every push
- Quarterly external penetration testing by an independent firm
Audit Logging
All security-relevant events are recorded in an append-only audit log with SHA-256 hash chaining: each entry includes the hash of the preceding entry, so modifying, removing, or reordering an earlier entry breaks the chain and is detected on verification. Logged events include authentication (success/failure), authorization failures, data access, configuration changes, and API key operations.
Audit logs are retained for a minimum of 12 months and exported to immutable S3 storage.
Incident Response
- 24/7 alerting via PagerDuty for critical security events
- Documented incident response playbooks for credential exposure, unauthorized access, and data breach
- Customer notification within 72 hours of confirmed data breach
- Tabletop exercises conducted quarterly
Vulnerability Disclosure
ZonForge maintains a responsible disclosure program. Security researchers who discover vulnerabilities are asked to report them to security@zonforge.com before public disclosure. We target a 90-day patch window for critical issues and acknowledge reporters in our release notes.
Subprocessor Security
All subprocessors are reviewed annually for SOC 2 compliance or equivalent. Data minimization is applied — only the minimum necessary data is shared with any subprocessor.
Business Continuity
- PostgreSQL: automated daily backups with point-in-time recovery (35-day window)
- S3 data: cross-region replication to US-West-2
- RPO target: 1 hour · RTO target: 4 hours
- DR runbook tested semi-annually
Contact
Security team: security@zonforge.com
For security questionnaires, certifications, or penetration test report requests, email us with your organization name and we'll respond within 2 business days.