Makeathon ends in00:00:00:00
Trust & security

Security at Zoo

Zoo is committed to delivering high-quality and secure software and services to our customers. We maintain internal information security policies and procedures aligned with controls and best practices from the AICPA SOC 2 Trust Services Criteria. Our current SOC 2 Type II report can be reviewed in our Trust Center.

SSO & MFA

Zoo does not use passwords for authentication. Instead, we use SSO via OAuth 2.0 and OpenID Connect and email authentication flows. For enterprise customers, we offer SAML 2.0 to further protect user accounts. SAML authentication layers on top of regular authentication. Organizations can manage their users and permissions centrally. MFA is provided through SSO providers.

Access Control

Organizations can manage their users and permissions centrally. Zoo supports RBAC.

Sandboxing and Rust

We sandbox workloads in the cloud from each other. The backend is written in Rust to avoid memory corruption bugs.

SOC 2 Type II

Zoo has completed a SOC 2 Type II report. Our controls have been audited independently.

Security Audits

We perform regular source code audits as well as dynamic testing of our deployed software.

Responsible Disclosure

We encourage security researchers and the community to report vulnerabilities so we can investigate and fix them promptly. See below for our internal process.

Security by design

Written in Rust

Zoo's core backend services are written in Rust -- a memory safe language. Rust does not rely on the developer to allocate and free up memory. Using Rust prevents a whole class of security vulnerabilities.

Sandboxing

As a defense in depth, Zoo does not share GPU instances that process CAD data between customers. This secures the most sensitive data we handle -- CAD designs.

Data usage

The data of team and enterprise customers is excluded from training by default.

Compliance

ITAR Compliant

Zoo's US Regulated region is suitable for processing or storing export restricted (ITAR) information, operated out of US-based cloud providers that meet or exceed ITAR baselines.

SOC 2 Type 2 Reviewed

Independent auditors verified Zoo's security controls through our SOC 2 Type II audit. Because transparency matters, the full report is open to everyone at trust.zoo.dev - no forms, no friction.

Security features

SSO & MFA

  • Zoo does not use passwords for authentication. Instead, we use SSO via OAuth 2.0 and OpenID Connect and email authentication flows.
  • For enterprise customers, we offer SAML 2.0 to further protect user accounts. SAML authentication layers on top of regular authentication.
  • MFA is provided through SSO providers.

Access Control

  • Organizations can manage their users and permissions centrally.
  • Zoo supports RBAC.

API activity log

  • Organization administrators have access to a log of operations performed by users in their organization.
  • Allows admins to monitor for unusual activity and investigate potential security incidents.

Security operations

Zoo is audited

We perform regular source code audits as well as dynamic testing of our deployed software.

Responsible Disclosure Policy

We encourage security researchers and the community to report vulnerabilities so we can investigate and fix them promptly.

  • If you've discovered a security vulnerability in Zoo, review our security policy then report it through the process described there.
  • If your issue is not security-related, please reach out via our community support forum.

Refer to our security policy to learn how to get in contact with us for general security inquiries.

We're incredibly grateful for security researchers and users that report vulnerabilities to us. All reports are thoroughly investigated.

Security Controls

Zoo protects customer data and assets against security and availability threats through internal processes and policies. Our security controls align with AICPA SOC 2 Trust Services Criteria for security (common criteria). Our current SOC 2 Type II report is available in our Trust Center.

Network and infrastructure security

  • Requires SSO and MFA to access production environments.
  • Logs all production operations and audits for unusual activity.

Data security

  • Encrypts all data in transit using TLS 1.2 or higher (TLS 1.3 where supported).
  • Encrypts all data at rest using cloud provider infrastructure-level disk encryption.
  • Maintains regular backups and tests recovery annually.

Application security

  • Requires peer review for all source code changes.
  • Conducts regular source code audits.
  • Reviews and patches vulnerabilities regularly.
  • Reviews access permissions quarterly.

Physical Security

  • Hosts platform infrastructure on cloud environments (CockroachLabs, AWS, and GCP).
  • Inherits physical security controls from cloud provider data centers.
  • Limits office access to employees, contractors, and authorized vendors.
  • Does not host customer compute or storage in corporate offices.

Corporate Security

  • Conducts background checks on all new employees.
  • Requires regular security awareness training for all employees.
  • Requires non-disclosure agreements from new employees.
  • Reviews vendors before onboarding and annually thereafter.
  • Maintains endpoint protection, malware prevention, and vulnerability management.
  • Enforces third-party risk management and policy governance.

Incident Response Management

  • Maintains and regularly updates defined processes for incident response.
  • Identifies and manages security vulnerabilities, threats, and unauthorized access.
  • Assigns personnel immediately when a security incident is suspected.
  • Investigates, assesses impact, contains, mitigates, and recovers according to defined processes.

Business Continuity

  • Maintains a Business Continuity Plan to ensure service reliability.
  • Hosts all customer data on cloud infrastructure.
  • Designs infrastructure for high availability with data replication across multiple availability zones.
  • Tests business continuity annually.
  • Operates independently of corporate office availability -- employees work remotely.

Software Development Lifecycle (SDLC)

  • Emphasizes secure design, development, and deployment.
  • Gathers clear requirements and collaborates before development.
  • Follows secure coding practices with peer review and comprehensive testing.
  • Continuously scans source code and third-party dependencies for vulnerabilities.
  • Performs regular version updates and security patching.
  • Communicates critical updates to customers after deployment.
  • Conducts annual third-party security reviews of infrastructure, API, and software.
  • Publishes security reviews on GitHub.
  • Deploys a Web Application Firewall (WAF) to protect against common web vulnerabilities.

Customer Responsibilities

Zoo is built with shared responsibility in mind. Customers are expected to implement appropriate controls within their organization to complement the security of the service. These responsibilities include:

  • Managing user accounts, credentials (e.g. API keys), and permissions for the Zoo platform.
  • Identifying authorized points of contact to coordinate with Zoo support.
  • Notifying Zoo of any suspected security incidents in a timely manner.