SOC 2 Type II
Planned before paid launch
Last updated
ZygenTrust is built with audit-friendly controls. Our compliance program is structured around data minimization principles and standard contractual clauses for international transfer. SOC 2 Type II certification and independent penetration testing are planned before paid public launch. The badges below represent the current state of our compliance work; status updates ship in our changelog whenever a milestone moves.
SOC 2 Type II
Planned before paid launch
Data minimization
Domain + public signals only
DPA
On request
Pen-test
Planned before paid launch
Detailed architecture, encryption, and access control documentation lives on our Security page. The summary:
ZygenTrust processes only the domain name you submit and the public web data that domain resolves to. We do not collect or store the personal data of end-users of the websites we analyze.
Contact-related detection is intentionally shallow. We store boolean trust signals such as whether a site exposes email, phone, or contact-form evidence, not harvested contact lists or personal enrichment datasets.
Customer-side data (your account, your API keys, your usage logs) is governed by our Privacy Policy. Customers acting as data controllers can request our Data Processing Addendum.
Our incident process is documented internally and follows a four-stage flow: detect, contain, eradicate, communicate. Material customer-impacting incidents are disclosed in the changelog with a post-mortem within 7 calendar days.
For active service issues, see our status page. During the current pre-production stage, status communication remains controlled and should not be interpreted as a formal SLA.
The current list of subprocessors and their data-handling roles is maintained in this section and updated whenever a new subprocessor is added. Customers will receive at least 30 days' notice via the changelog before a new subprocessor begins processing their data.
Additional subprocessors are disclosed here when they move from planned to active use.
Found a vulnerability? Reach out via our contact page. We aim to acknowledge within 24 hours and triage within 3 business days. We do not currently run a paid bounty program; recognition is offered for responsibly disclosed issues.