Trust at Zip

At Zip, our mission is to help businesses procure with the fastest process, least risk, and at the best value, and that starts with ensuring the security and privacy of your data. To honor our commitment, we want to empower you to know how your data is used and protected throughout its entire lifecycle.

Core principles of trust

1. Ā Security by default

Zip has focused on implementing key data security protections from its inception. We implement technical and organizational measures aimed at assuring the security, integrity, and confidentiality of our customersā€™ data.
Our policies and procedures continuously derive from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, CIS Benchmarks, OWASP, and the European Data Protection Board to provide an industry-leading approach to keeping the data of Zip customers secure.
  • Data Encryption
    All customer data is encrypted with TLS 1.2+ in transit and AES-256 at rest. Passwords are salted and hashed using bcrypt. Sensitive customer data are also encrypted at the application layer with per-customer encryption keys.
  • Data Segregation
    Strict controls are put in place to prevent data leakage. Development, QA, and production environments are isolated to keep data where it belongs.
  • Firewalls
    Cloudflare WAF and network security group rules are leveraged to control and filter malicious traffic. Application-level ingress and egress filtering are implemented to filter inbound and outgoing traffic.
  • Penetration Testing
    Application-level security testing is performed at least annually by an outside firm using relevant methodologies such as the OWASP Top 10.
  • Vulnerability Scanning
    Semgrep is used for static code analysis (SAST) and Tenable Nessus is used for dynamic analysis (DAST) to continuously monitor and detect vulnerabilities.
  • Secure Software Development
    Secure SDLC processes, including threat modeling, design reviews, code reviews, SCA, and manual QA are implemented to keep the product free of bugs.
  • Cybersecurity Awareness Training
    Annual cybersecurity awareness training is conducted as part of cultivating our cyber-aware culture. Training covers phishing, incident response, insider threats, and malware.
  • Enterprise Access to Your Account
    Zip offers SSO integration with any SAML-based IdP and supports SCIM for customers to automatically provision and deprovision user accounts.
  • Role-based Access Permissions
    Customers can granularly configure users and permissions and assign privileges by role, department, and group to maintain least privilege access.
  • Customer Audit Logs
    Audit logs are maintained in the Zip dashboard for customer actions and include the date, user, action, and target of the action.
  • Secure Access to Production
    Employee access is role-based, least privileged, and fully logged. Access adheres to the Zero Trust Model and requires multi-factor authentication.
  • Background Checks
    Background checks are completed for all full-time employees in accordance with applicable legal requirements. We perform checks on criminal records, sex offender watchlists, and global watchlists.
  • Endpoint Security
    Mobile Device Management (MDM) is configured to enforce security profiles for all employee devices. Enterprise anti-malware and EDR is installed to quarantine and alert on potential viruses.
  • Data Processing
    Data is sent to OpenAI, who is the exclusive subprocessor for all Zip AI functionality. Longer term, Zip plans to build an internal large language model for customers who would prefer not to have their data processed by OpenAI.
  • Training Models
    Only Zip data is used to train models. Customer data is not used for training unless Customer explicitly permits the usage of their data.
  • Opt-in/Opt-out Feature
    Customers have flexibility to opt-out of AI functionality.

Vulnerability Disclosure Program

Security is a top priority for Zip, and we believe that working with skilled security researchers can identify weaknesses in any technology. If you believe you have found a security vulnerability on Zip, please review our vulnerability disclosure program details below. While we currently do not issue bounty rewards, we will investigate all reports and do our best to quickly fix issues.

In-scope Targets

  • ziphq.com
  • app.ziphq.com

Out-of-scope

  • Denial-of-Service Vulnerabilities
  • Anything requiring old browsers/old plugins/end-of-life software browsers
  • Vulnerabilities which require physical access to a user's device
  • Vulnerabilities related to misconfigurations, weaknesses, or bypasses in DMARC, DKIM, and SPF email authentication mechanisms
  • Miss of rate limits
  • Non-sensitive information available via our Content Delivery Network
  • Clickjacking type Vulnerabilities
  • Physical attack on the infrastructure
  • Bugs in 3rd party software
  • Social engineering on customers or employees of Zip
  • Reports from automated tools and scans
  • Missing security headers which do not lead directly to a vulnerability

ā€

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us below before going any further.

ā€

Report a Vulnerability
Send any issues or questions to security+vdp@ziphq.com

2. Compliance

As stewards of your data, we use compliance frameworks with supporting materials that verify our capabilities. This makes it easier for you to navigate the complex compliance landscape.
AICPA SOC logo
SOC 1 Type 2
Zip has undergone a Service Organization Controls audit (SOC 1 Type 2). Please contact your account manager or Security Resource Center to request Zip's most recent report.
AICPA SOC logo
SOC 2 Type 2
Zip has undergone a Service Organization Controls audit (SOC 2 Type 2). Please contact your account manager or Security Resource Center to request Zip's most recent report.
DPF logo
EU-US DPF
Zipā€™s privacy program is designed to comply with global privacy standards, including the EU-U.S. Data Privacy Framework (DPF). This certification demonstrates our commitment to protecting the privacy and security of personal data transferred from the EU to the United States. View certificate.
GDPR logo
GDPR
Zipā€™s privacy program is designed for compliance with global privacy laws and regulations, including Europeā€™s General Data Protection Regulation (GDPR) and the United Kingdom GDPR. You can learn more about Zipā€™s commitment to compliance with GDPR here.
ISO 27001 Certified logo
ISO27001
ISO/IEC 27001:2022 is a specification for an information security management system (ISMS), which is a framework for an organisation's information risk management processes. View certificate.

3. Privacy by design

At Zip, we design and build our products with privacy and security in mind. We want our customers to feel reassured that their data is safe with us, so we strive to offer transparency about our processing of your personal data.
ā€Privacy assurance
ā€
We understand the impact and importance of stringent data-protection and privacy compliance regimes. Since the EU General Data Protection Regulation (GDPR) came into effect in May 2018, the global privacy landscape has continued to evolve with other jurisdictions implementing their own privacy regulations, such as the California Consumer Privacy Act (CCPA). Together, GDPR and CCPA are considered to be two of the most robust global privacy laws which many consider to set the gold standard for privacy compliance.ā€Øā€Ø

As a global company originally founded in California, we are committed to uphold GDPR and CCPA standards.

Zipā€™s customers can use the Zip solution in compliance with applicable data protection laws in the following ways:

Control and transparency

The Zip solution is a B2B platform designed to simplify the B2B procurement process for your organization. As a result the Zip solution, by its nature, only requires simple user information such as names and business contact information to manage purchasing decisions. Beyond that, customers are in control of the data that they choose to submit to the Zip solution as part of their workflows, approval requests and purchasing decisions. Customers can update, amend and delete data from the solution at any time - you are in control.

Subprocessors

Zip performs thorough due diligence on all service providers that support the delivery of our products and services. When we engage a subprocessor we ensure our contract with the subprocessor contains, in substance, at least the same level of data protection and information security protections as provided to you by Zip, so your data is always protected. You can find a list of our subprocessors here.

International data transfers

ZipHQ, Inc. (ā€œZipā€) takes data privacy seriously and respects your privacy rights. Zip participates in the EU-U.S, Swiss-U.S. Data Privacy Frameworks, and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the ā€œDPFā€) issued by the U.S. Department of Commerce. ZipHQ, Inc. is now able to rely on the adequacy decision to receive EU personal data. Zipā€™s transfer to the United States falls under adequacy status under the European data protection law. In the event such adequacy status no longer applies, Zip shall continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism, see contractual measures below for more details.
ā€
Where a customerā€™s use of the Zip solution requires the transfer of personal information outside the European Economic Area or the United Kingdom to a third country, Zip uses the Standard Contractual Clauses (also commonly referred to as EU Model Clauses) and UK International Data Transfer Addendum as legally recognized data transfer mechanisms.

Government requests for data

If Zip receives a request from a government or law enforcement entity to disclose customer data, we will respond in accordance with our Government Data Request Policy. Ā We will also publish transparency reports for any such government or law enforcement requests we receive.
Latest Transparency Report: To date, Zip has not received a request from a governmental entity.

Privacy FAQ/Transfer Impact Assessment

Link to Zipā€™s Privacy documentation.

Data processing policy and information security policy

As standard the Zip MSA includes our Data Processing Agreement and comprehensive Information Security Policy designed to keep your data secure and comply with data protection laws.

Service availability

We are fully transparent about our service availability status at https://status.ziphq.com/

Join the hundreds of companies from startups to the Fortune 500 that trust Zip with their data

Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Reddit logoSephora logoSnowflake logoSprouts logoCanva logoNorthwestern Mutual logoLyft logoInstacart logoDiscover logoCoinbase logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo
Toast logoInvesco logoPinterest logoAcosta logoDollar Tree logoDuolingo logoInsight logofigma logodynatrace logo