Security

Built for security teams.
Deployed your way.

Two deployment modes, one product. Hosted SaaS for teams that want zero infra, or self-hosted on-premise for regulated and air-gapped environments. The codebase is the same — only where it runs changes.

Deployment options

Hosted or self-hosted. Same product.

Most teams · hosted

SaaS

  • Multi-tenant by design — dedicated PostgreSQL schema per organization, no shared rows.
  • Hosted on the edge, origin reachable only via outbound-only tunnel.
  • Regional hosting available (US, EU). Zero ops burden on your side.

Regulated · air-gapped · sovereign

On-premise

  • Single-tenant install — runs entirely in your VPC, datacenter, or air-gapped environment.
  • Docker Compose or Kubernetes. Data never leaves your network.
  • Same product, same release cadence, licensed via signed RS256 JWT.

Toggled at deploy via DEPLOYMENT_MODE. Migrations, schemas, and runtime are identical across modes — same release train, same security review, same audit log shape.

Isolation

Schema-per-tenant. No shared rows.

On SaaS, every organization gets a dedicated PostgreSQL schema. A FastAPI middleware resolves the tenant from the subdomain and binds the search path before any query runs. Cross-tenant joins are not expressible. On-prem installs are single-tenant by definition.
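
One way to do the subdomain-to-schema binding described above without letting the Host header reach SQL unchecked, as an added example that is not the vendor's code. The base domain, the `tenant_` schema prefix, the reserved labels and all function names are assumptions.

```python
import re

BASE_DOMAIN = "app.example.test"   # assumption: constructed base domain
RESERVED = {"www", "api", "admin", "public"}  # assumption: never tenants
# One DNS label only: no dots, quotes, semicolons or whitespace can pass.
SLUG_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?")


class TenantResolutionError(ValueError):
    """The Host header does not map to exactly one tenant."""


def tenant_from_host(host_header: str) -> str:
    """Return the slug from '<slug>.<BASE_DOMAIN>[:port]' or raise."""
    host, _, port = host_header.strip().lower().partition(":")
    if port and not port.isdigit():
        raise TenantResolutionError("malformed port")
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        raise TenantResolutionError("host is outside the base domain")
    slug = host[: -len(suffix)]
    if not SLUG_RE.fullmatch(slug) or slug in RESERVED:
        raise TenantResolutionError("invalid or reserved tenant label")
    return slug


def search_path_sql(host_header: str) -> str:
    """Build the statement a middleware would run before any query."""
    # Hyphen is the only slug character not valid in a bare identifier.
    schema = "tenant_" + tenant_from_host(host_header).replace("-", "_")
    # SET LOCAL lasts for the current transaction only, so a pooled
    # connection cannot carry one tenant's path into the next request.
    # "public" is deliberately not listed as a fallback.
    return f'SET LOCAL search_path TO "{schema}"'
```

A request whose host fails resolution should be rejected before a database connection is checked out, rather than falling through to a default schema.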

Encryption

TLS 1.3 in transit. AES-256 at rest on database and object store.

Retention

Findings: customer-controlled. Audit log: 7y. Raw scan payloads: 0 — discarded after normalization.

Deletion

Customer-triggered. Schema dropped within 30d of termination.

Compliance

Current posture.

We name the quarter for items on the roadmap. Auditor letters and pen-test reports available under standard NDA.

  • SOC 2 Type II: In progress
  • ISO 27001: Roadmap
  • GDPR · DPA: Available
  • Annual pen test: Active

Security review?

Send your questionnaire. We respond with answers and supporting evidence — not pre-filled marketing.