Security & Compliance

Security infrastructure built to pass Fortune 500 procurement.

Enterprise procurement requires more than a checkbox. SAML/Okta SSO, IP allowlisting, concurrent session limits, full audit logging, GDPR compliance infrastructure, and SOC 2 aligned controls — all in place before your security team asks.

Our founder has personally implemented GDPR compliance programs, SAML/SSO integrations, and SOC 2 aligned infrastructure across enterprise environments. Security is not a feature we added — it is how we built.

SAML 2.0
SSO Support
Okta, Azure AD, any SAML IdP
AES-256
Encryption at rest
All customer data
TLS 1.2+
Encryption in transit
All API and browser traffic
H1 2026
SOC 2 Type II target
Controls in place now
Security Controls

Full control inventory. No asterisks.

IDENTITY & ACCESS
SAML 2.0 / Okta SSO✓ Enterprise
Two-factor authentication (2FA)✓ All plans
Role-based access control (RBAC)✓ All plans
Custom role definitions✓ Enterprise
IP allowlisting✓ Enterprise
Concurrent session limits✓ Enterprise
Session timeout policies✓ Enterprise
DATA SECURITY
Encryption in transit (TLS 1.2+)✓ All plans
Encryption at rest (AES-256)✓ All plans
Data residency controls✓ Enterprise+
Full audit logging✓ Enterprise
Recycle bin with recovery✓ All plans
Configurable data retention✓ Enterprise
COMPLIANCE
GDPR compliance infrastructure✓ All plans
Data Processing Agreement (DPA)✓ On request
SOC 2 aligned infrastructure✓ In progress
Cookie consent management✓ All plans
Right to erasure workflows✓ All plans
Data portability exports✓ Enterprise
INFRASTRUCTURE
AWS hosted infrastructure✓ All plans
99.9% uptime SLA (Enterprise)✓ Enterprise
99.99% uptime SLA (Enterprise+)✓ Enterprise+
Automated backups (daily)✓ All plans
Penetration testing (annual)✓ Scheduled
Vulnerability disclosure program✓ Active
Security FAQ

Questions your security team will ask.

SOC 2 Type II certification is in progress, with a target completion date of H1 2026. Our infrastructure is designed and operated to SOC 2 standards — controls, monitoring, access management, and audit logging are all in place. We can provide our security posture documentation and evidence of controls to enterprise customers under NDA.

By default, data is stored in AWS infrastructure in the EU (Frankfurt). Enterprise+ customers can specify a data residency region at contract time. We do not store customer data in regions outside the agreed residency without explicit written consent.

Yes. A DPA is available to all Enterprise and Enterprise+ customers. Contact security@zsavvy.com to request a DPA. We can also review and sign customer-provided DPAs for Enterprise+ engagements.

Enterprise plan customers receive native SAML 2.0 integration. Your IT team configures ZSavvy as a service provider in Okta, Azure AD, or your existing IdP. SCIM provisioning and deprovisioning is supported. ZSavvy never stores your users passwords — authentication routes through your identity infrastructure.

We have a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Affected customers are notified within 72 hours of confirmed breach discovery, in compliance with GDPR Article 33. Full incident reports are provided to affected Enterprise and Enterprise+ customers.

Email security@zsavvy.com with details of the vulnerability. We acknowledge all reports within 24 hours and provide a timeline for investigation and remediation. We do not pursue legal action against good-faith security researchers. We appreciate responsible disclosure.

SECURITY CONTACTS
GENERAL SECURITY INQUIRIES
security@zsavvy.com
VULNERABILITY DISCLOSURE
security@zsavvy.com
DATA PROCESSING AGREEMENTS
security@zsavvy.com
PRIVACY REQUESTS
privacy@zsavvy.com