Enterprise-grade security

Your code stays yours.

SOC 2 Type II certified. ISO 27001 compliant. We treat your intellectual property with the same rigor you do.

SOC 2 Type II

Audited annually by a third-party CPA firm. We meet the highest standards for availability, confidentiality, and processing integrity.

ISO 27001

Information Security Management System certified. Our infrastructure and processes adhere to strict international security standards.

GDPR Compliant

Full data processing agreement (DPA) included. We are fully compliant with GDPR, CCPA, and other regional data protection laws.

Data isolation model

Code never leaves your environment

Zento processes your code in a fully isolated, ephemeral container. Once the analysis is complete, the container is destroyed, and the code is discarded. We never store your source code or diffs.

  • Ephemeral processing containers
  • No code archival or replay
  • Strict data retention policies

Zento secure server architecture diagram

Encryption

Defense in depth

In Transit

All data is encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS) when communicating between your CI runner, our API, and your dashboard.

At Rest

Metadata and logs are encrypted at rest using AES-256 encryption standards compliant with NIST SP 800-57.

Vulnerability management

Continuous red teaming

External Pentesting

Quarterly third-party penetration tests by accredited security firms.

Q3 2024

Internal Audits

Monthly internal security reviews of infrastructure and code.

Monthly

Dependency Scanning

Automated scanning of all dependencies for CVEs and license violations.

Real-time
Responsible disclosure

We pay for finding bugs

We believe the best security comes from the community. If you find a vulnerability in Zento, we want to know about it.

Join our HackerOne program to earn bounties for valid reports. We offer a Responsible Disclosure Policy that guarantees a 90-day window to fix issues before public disclosure.

FAQ

Security questions

  • No. We use proprietary models trained on anonymized open-source data. Your code is never sent to third-party LLM APIs.
  • Yes. Enterprise and Enterprise Plus plans include a self-hosted Docker image that runs entirely within your VPC or on-premise infrastructure.
  • SOC 2 Type II reports are available for all Enterprise customers. Please contact our sales team to request a copy.

Still have questions?

Our security team is available to discuss your specific compliance needs, architecture, or data residency requirements.