Zip Trust

Our Commitment to Privacy

At Zip, our mission is to simplify the procurement process for your organization, and that starts with ensuring the privacy of your data. To honor our commitment, we want to empower you to know how your data is used and protected throughout its entire lifecycle. 

Privacy by Design

Zip designs and builds our products from the ground up with privacy and security in mind. We want our customers to feel reassured that their data is safe with us, so we strive to offer transparency about our processing of personal data. For information about how Zip processes personal data as a data controller, see our privacy notice here. We also offer certain controls that enable our customers to use our products in the way that best balances their business objectives with their privacy requirements.

Security by Default

Zip has focused on implementing key data security protections from its inception. We implement technical and organizational measures aimed at assuring the security, integrity, and confidentiality of our customers’ data.

Our policies and procedures are derived from, and continuously aligned with, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (a collection of security standards, guidelines, and practices designed to protect critical infrastructure) to provide an industry-leading approach to keeping the data of Zip customers secure.

For more information on specific cybersecurity protections in place, click here.

Service Organization Controls (SOC) 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. We are annually audited for SOC 2 Type 2 compliance.

A SOC 1 report validates internal controls of organizations that handle customer data with the potential to impact customer financial reporting and SOX compliance. Zip has been audited for SOC 1 Type 2 compliance.

Compliance

The General Data Protection Regulation (GDPR) is Europe’s data privacy law that implements protections for the personal data of EU residents. The California Consumer Privacy Act (CCPA) sets out protections for the personal data of California residents. We focused on these requirements in building our privacy program, and we have information available to help your business use our products in a way that assists with your compliance with the GDPR and the CCPA.

To better facilitate your company’s compliance, Zip offers customers the option to enter into a Data Processing Agreement with us, pursuant to which we commit to complying with GDPR and CCPA requirements.

As the legal landscape evolves and regulators issue guidance on data privacy requirements, Zip will monitor these developments and evaluate our privacy program for any required changes.

Cybersecurity

Infrastructure Security

  • Data Encryption
    All customer data is encrypted with TLS 1.2+ in transit and AES-256 at rest. Your passwords are salted and hashed using bcrypt. 

  • Data Segregation
    Strict controls are put in place to prevent data leakage. Development, QA, and production environments are all isolated to keep data where it belongs. 

  • Firewalls
    AWS VPC, subnet, and security group rules are leveraged to control network traffic. Application-level ingress and egress filtering are implemented to control inbound and outgoing traffic. 

Application Security

  • Penetration testing
    Application-level security testing is performed by an outside firm using relevant methodologies such as the OWASP Top 10.

  • Secure Software Development
    Secure SDLC processes, including threat modeling, design reviews, code reviews, SCA, and manual QA are implemented to keep the product free of bugs. 

  • Cybersecurity Awareness Training
    We conduct annual cybersecurity awareness training as part of cultivating our cyber-aware culture. Training targets phishing, escalating issues, insider threats, and malware. 

Product Security Features

  • Enterprise access to your account
    We offer SSO integration with any SAML-based IdP and support SCIM for customers to automatically provision and deprovision user accounts.

  • Role-based access permissions
    Customers can granularly configure users and permissions and assign privileges by role, department, and group to allow least privilege access.

  • Customer audit logs
    Audit logs are maintained in the Zip dashboard for customer actions and include the date, user, action, and target of the action.

Operational Security

  • Secure Access to Production
    Employee access is role-based, least privileged, and fully logged. Access adheres to the Zero Trust Model and requires multi-factor authentication.

  • Background Checks
    Background checks are completed for all full-time employees in accordance with applicable legal requirements. We perform checks on criminal records, sex offender watchlists, and global watchlists.

  • Endpoint Security
    Mobile Device Management (MDM) is configured to enforce security profiles for all employee devices. Enterprise anti-malware is installed to quarantine and alert on potential viruses.

Vulnerability Disclosure

Vulnerability Disclosure Program:

  • Security is a top priority for Zip, and we believe that working with skilled security researchers can identify weaknesses in any technology.

  • If you believe you have found a security vulnerability in Zip, please let us know right away by emailing us at security@ziphq.com. We will investigate all reports and do our best to quickly fix valid issues. While we cannot guarantee a bounty, we may issue a reward depending on your findings.