Trust & Security

We run our company on ZeroTB.

The platform we sell is the platform that enforces our own controls. Here is the receipt.

Current state

Posture, certifications, and the controls behind them.

SOC 2 Type 1: in progress. Type 2 observation begins post-attestation.

ISO 27001: roadmap, Q4 2026.

HIPAA: available under BAA. Scope reviewed for relevant deployments.

Encryption: AES-256 at rest, TLS 1.3 in transit. Customer-managed keys on request.

Workforce identity: SSO with mandatory MFA. Hardware keys for production access.

Endpoint: FDE enforced. Patch SLA: 7 days for critical, 30 days for high.

Backups: cross-account isolation, Object Lock immutability. Quarterly restore tests.

Logging: action-level audit trail, tamper-evident, retained per policy.

Principles

The lines we will not blur.

01 Honest about coverage

Every customer sees what the engine enforces and what still routes through workflow. We do not ship monitoring and call it enforcement.

02 Independence intact

ZeroTB prepares your program. Auditors audit. We do not blur the line between control owner and control assessor.

03 Run on our own product

The platform we sell is the platform that enforces our controls. The Blueprint is real. The evidence is real.

Request artifacts

The documents your security team needs.

Available on request. Most artifacts ship under NDA. Email security@zerotb.ai to start.

Security questionnaire (SIG Lite): on request

Penetration test report: annual, under NDA

SOC 2 report: under NDA, post-attestation

DPA template: on request

Architecture overview: on request

Have a security review to run?

Talk to security