Security by default
Our policies and procedures continuously derive from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, CIS Benchmarks, OWASP, and the European Data Protection Board to provide an industry-leading approach to keeping the data of Zip customers secure.
Infrastructure Security
- Data encryption
All customer data is encrypted with TLS 1.2+ in transit and AES-256 at rest. Passwords are salted and hashed using bcrypt. Sensitive customer data is also encrypted at the application layer with per-customer encryption keys.
- Data segregation
Strict controls are put in place to prevent data leakage. Development, QA, and production environments are all isolated to keep data where it belongs.
- Firewalls
Cloudflare WAF and network security group rules are leveraged to control and filter malicious traffic. Application-level ingress and egress filtering is implemented for inbound and outbound traffic.
Application Security
- Penetration testing
Application-level security testing is performed at least annually by an outside firm using relevant methodologies such as the OWASP Top 10.
- Vulnerability scanning
Semgrep is used for static code analysis (SAST) and Tenable Nessus is used for dynamic analysis (DAST) to continuously monitor for and detect vulnerabilities.
- Secure software development
Secure SDLC processes, including threat modeling, design reviews, code reviews, software composition analysis (SCA), and manual QA, are implemented to keep the product free of bugs.
- Cybersecurity awareness training
Annual cybersecurity awareness training is conducted as part of cultivating our cyber-aware culture. Training covers phishing, incident response, insider threats, and malware.
Product Security Features
- Enterprise access to your account
Zip offers SSO integration with any SAML-based IdP and supports SCIM so customers can automatically provision and deprovision user accounts.
- Role-based access permissions
Customers can granularly configure users and permissions and assign privileges by role, department, and group to maintain least-privilege access.
- Customer audit logs
Audit logs are maintained in the Zip dashboard for customer actions and include the date, user, action, and target of the action.
Operational Security
- Secure access to production
Employee access is role-based, least-privileged, and fully logged. Access adheres to the Zero Trust model and requires multi-factor authentication.
- Background checks
Background checks are completed for all full-time employees in accordance with applicable legal requirements. We perform checks on criminal records, sex offender watchlists, and global watchlists.
- Endpoint security
Mobile Device Management (MDM) is configured to enforce security profiles for all employee devices. Enterprise EDR and anti-malware are installed to quarantine and alert on potential malware.
Zip Vulnerability Disclosure Policy
Security is a top priority for Zip, and we believe that working with skilled security researchers can identify weaknesses in any technology.
If you believe you have found a security vulnerability on Zip, please let us know right away by emailing us at security@ziphq.com. While we currently do not issue bounty rewards, we will investigate all reports and do our best to quickly fix valid issues.
In-scope Targets
- ziphq.com
- app.ziphq.com
Out-of-scope
- Denial-of-Service Vulnerabilities
- Anything requiring old browsers, old plugins, or end-of-life software
- Vulnerabilities which require physical access to a user's device
- Vulnerabilities related to misconfigurations, weaknesses, or bypasses in DMARC, DKIM, and SPF email authentication mechanisms
- Missing rate limits
- Non-sensitive information available via our Content Delivery Network
- Clickjacking-type vulnerabilities
- Physical attacks on the infrastructure
- Bugs in third-party software
- Social engineering on customers or employees of Zip
- Reports from automated tools and scans
- Missing security headers which do not lead directly to a vulnerability
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us by emailing us at security@ziphq.com before going any further.