Security & Privacy
Security at the core.
Security and privacy are fundamental to everything we do. Our comprehensive security program ensures your data is protected at every layer, from infrastructure to application code.
Plainly put
Private by default. Encrypted at every layer.
Workloads run in private subnets with no public IPs. Data is encrypted at rest with AWS-managed keys and in transit over TLS 1.2+, with secrets isolated in AWS Secrets Manager and KMS.
Infrastructure & Network
Defense-in-depth architecture
Our infrastructure is built on AWS with defense-in-depth principles, ensuring isolation, encrypted communication, and robust network controls.
Cloud Infrastructure
AWS Fargate on ECS with isolated environments. Tasks run in private subnets with no public IPs, ensuring complete network isolation.
Network Isolation
VPC with public and private subnets. Application Load Balancer restricted to CloudFront traffic only, enforcing strict ingress controls.
Encrypted Transport
HTTPS enforced for all client connections via CloudFront. TLS 1.2+ for all external communications.
Container Security
Amazon ECR with on-push image scanning enabled. Automated vulnerability detection for all container images.
Auto Scaling
Intelligent autoscaling policies for CPU and memory ensure optimal performance while maintaining security posture.
Logging & Monitoring
CloudWatch Logs with 365-day retention. Comprehensive audit trails and real-time monitoring of all infrastructure components.
Data Protection
Multi-layered encryption
Multi-layered encryption protects your data at rest, in transit, and in use, following industry best practices and compliance standards.
Data at Rest
All production databases are encrypted at rest with AWS-managed encryption. Automated backups are retained for 7 days and are encrypted as well.
Data in Transit
TLS 1.2+ enforced across all network communications. HTTPS-only for client connections with HSTS headers for enhanced security.
Secret Management
AWS Secrets Manager for application secrets and credentials. AWS KMS for encryption keys stored in Hardware Security Modules (HSMs).
Database Security
Production PostgreSQL databases run in private subnets and are not publicly accessible. Access is restricted to authorized ECS tasks and optional bastion/VPN connections. Database credentials are managed through AWS Secrets Manager with rotation capabilities.
Application Security
Secure by design
Secure by design with authentication, authorization, and input validation built into every layer of our application stack.
Authentication & Authorization
JWT-based authentication with role-aware access control. API key validation for sensitive endpoints. Password hashing with the industry-standard bcrypt algorithm.
Input Validation
Strongly typed configuration with required field validation. Environment variables validated at startup to prevent misconfiguration.
Secret Protection
Integration keys and sensitive credentials loaded from environment variables and AWS Secrets Manager. No hardcoded secrets in application code or images.
Secure Development
Environment files excluded from Docker builds. Secrets managed separately from application code. Type-safe configuration prevents common security pitfalls.
CI/CD & Supply Chain
Secure deployment pipelines
Secure deployment pipelines with automated scanning, OIDC-based authentication, and controlled access to production environments.
Automated Deployment
GitHub Actions workflows with OIDC-based AWS authentication for secure, credential-free deployments. Container images tagged with commit SHAs for traceability.
Image Scanning
ECR on-push scanning automatically detects vulnerabilities in container images. Deployment pipeline includes concurrency controls to prevent overlapping production deployments.
Monitoring & Operations
Comprehensive observability
Comprehensive monitoring, logging, and health checks ensure we can detect and respond to issues quickly.
Centralized Logging
CloudWatch Logs with 365-day retention for all application and infrastructure logs. Structured logging enables efficient analysis and alerting.
Health Monitoring
Application Load Balancer health checks ensure only healthy tasks receive traffic. Automated rollback on deployment failures.
Compliance & Governance
Defense-in-depth principles
Our security controls are designed with compliance in mind, following defense-in-depth and least privilege principles.
SOC 2 trust
Independently audited against the AICPA SOC 2 Type II framework. Review the current report and control details in our Trust Portal.
Control posture
Least privilege, layered controls, and consistent enterprise safeguards.
01 Least Privilege
Access is limited to only those with a legitimate business need and is granted based on the principle of least privilege.
02 Defense in Depth
Security controls are implemented and layered according to the principle of defense-in-depth across all systems.
03 Consistent Controls
Security controls are applied consistently across all areas of the enterprise, ensuring uniform protection.
Security / Vulnerability Disclosure Program (VDP)
Responsible security research
ZOM Technologies LLC welcomes responsible security research. If you believe you have found a security vulnerability in our products or services, please report it to us so we can investigate and remediate.
Program Overview
ZOM operates a public Vulnerability Disclosure Program (VDP) with discretionary rewards, which is appropriate for our current stage and fully satisfies SOC 2 requirements for vulnerability disclosure processes.
Report a Vulnerability
Please include: affected URL or component, steps to reproduce, impact, and any screenshots/logs.
Program Rules
- Follow responsible disclosure practices
- Do not access or modify user data without explicit permission
- Do not perform denial-of-service attacks or any testing that impacts availability
- Do not publicly disclose vulnerabilities until we have confirmed a fix or agreed on a timeline
- Only test systems and assets explicitly listed in the "In Scope" section
- Report vulnerabilities promptly after discovery
In Scope
- ZOM production web application(s)
- ZOM public API endpoints
Out of Scope
- Denial-of-service (DoS/DDoS), load testing, or any activity that degrades availability
- Social engineering (phishing, vishing), employee targeting, or physical attacks
- Testing of third-party systems not owned or controlled by ZOM
- Automated scanning that materially impacts performance
- Physical security vulnerabilities
- Issues requiring access to physical devices or local network access
Safe Harbor
If you make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, and report vulnerabilities promptly, ZOM will not pursue legal action against you for your security research.
Our Response Commitment
Public Disclosure
We request coordinated disclosure. Please do not publicly disclose vulnerabilities until we have confirmed a fix or agreed on a timeline.
Rewards & Program Structure
Program Type: Vulnerability Disclosure Program (VDP)
This is a VDP, not a formal bug bounty program. There are no predefined reward tiers, minimum payouts, or platform listings, and no guaranteed monetary compensation for reports.
Discretionary Rewards
ZOM may, at its discretion, offer non-monetary recognition or monetary rewards for high-impact vulnerability reports based on:
- Severity of the vulnerability (Critical, High, Medium, Low)
- Quality and completeness of the vulnerability report
- Exploitability and potential impact
- Compliance with program rules and responsible disclosure practices
All rewards are discretionary, not guaranteed, and determined on a case-by-case basis.
Security is our foundation
We keep improving. And stay transparent.
We continuously invest in security improvements and maintain transparency about our practices. For detailed security documentation or to report a security issue, please contact our security team.
