SOC 2 Type II
Audit underway
ZygenTrust is built to be audited. Our compliance program is structured around SOC 2 Type II, GDPR-aligned data handling, and standard contractual clauses for international transfer. The badges below represent the live state of our compliance work; status updates ship in our changelog whenever a milestone moves.
SOC 2 Type II: Audit underway
GDPR aligned: EU data handling
DPA: On request
Annual pen-test: Independent review
Detailed architecture, encryption, and access control documentation lives on our Security page. The summary:
ZygenTrust processes only the domain name you submit and the public web data that domain resolves to. We do not collect or store the personal data of end-users of the websites we analyze.
Customer-side data (your account, your API keys, your usage logs) is governed by our Privacy Policy. Customers acting as data controllers can request our Data Processing Addendum.
Our incident process is documented internally and follows a four-stage flow: detect, contain, eradicate, communicate. Material customer-impacting incidents are disclosed in the changelog with a post-mortem within 7 calendar days.
For active service issues, see our status page.
The current list of subprocessors and their data-handling roles is maintained in this section and updated whenever a new subprocessor is added. Customers will receive at least 30 days' notice via the changelog before a new subprocessor begins processing their data.
The subprocessor list will be published with provider names once the compliance review is complete. Customers under a DPA may request the current list at any time.
Found a vulnerability? Email us at security@zygentrust.com. We aim to acknowledge within 24 hours and triage within 3 business days. We do not currently run a paid bounty program; recognition is offered for responsibly disclosed issues.