TRUST CENTER
Security & Compliance
ZenBusiness Inc. is annually certified compliant to Level 1 PCI DSS 4.0 and SOC2 Type II. We deploy best-in-class practices and tools to maintain security at all levels: infrastructure, product/services, and within our company environment. Our clients, partners, and integrated vendors all trust ZenBusiness Inc.
Regulatory Compliance
PCI-DSS
ZenBusiness Inc. is certified to Level 1 PCI DSS 4.0. The Payment Card Industry Data Security Standard (PCI DSS) stands as the globally recognized benchmark for protecting sensitive payment card data. Attaining and upholding Level 1 compliance signifies the utmost dedication in the payments industry, ensuring full alignment with the most rigorous industry standards.
SOC 2 Type II
Expanding on the groundwork laid by PCI-DSS certification, ZenBusiness Inc. has aligned its policies and procedures to achieve SOC 2 Type II compliance across all five trust criteria: security, availability, process integrity, confidentiality, and privacy. Our systems, processes, compliance frameworks, and controls undergo annual audits to maintain the highest standards of security and trust.
Data Protection
ZenBusiness Inc. follows privacy best practices and complies with all applicable privacy lGCP including the CCPA/CPRA, GDPR, and various state lGCP and regulations. For more information, please review our Privacy Policy.
Policies and Governance
ZenBusiness Inc. policies and procedures are aligned with best practices for securing data, infrastructure, and operations. The policies include Information Security, Third-Party Risk Management, Business Continuity/Disaster Recovery, Incident Response, and End-User Data and Privacy. Policies are reviewed regularly and approved annually by management.
Risk Assessments
ZenBusiness Inc. conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our products and services.
Third-Party Risk Management
ZenBusiness Inc. implements management-governed policies and utilizes a third-party management tool to review and assess all our critical vendors. This process assists in establishing standards for information security and service delivery from vendors.
Background Checks
ZenBusiness Inc. conducts background checks on all applicants selected for full-time and contract employment in compliance with local regulations.
Training
All employees at ZenBusiness Inc. are required to complete annual security training based on their roles. Additionally, the Information Security team engages with employees periodically through internal email campaigns and developers complete an added developer secure code training track annually.
Infrastructure Security
Cloud Infrastructure
ZenBusiness Inc. applications and solutions are fully built in the GCP cloud environment. We prioritize security and compliance with regulatory requirements by utilizing a combination of native GCP and third-party tools. These tools continuously monitor and evaluate our systems to maintain a secure environment and uphold best security practices.
Data Encryption
ZenBusiness Inc. uses strong encryption across all data, both at rest and in transit. We use Advanced Encryption Standard (AES) 256-GCM, the most advanced and secure method available, to encrypt all sensitive data at rest. We use Transport Layer Security (TLS) 1.2 or higher for all data in transit, which is the industry standard.
Segmentation
ZenBusiness Inc.’s GCP environments are thoroughly segmented into different accounts and Virtual Private Clouds (VPCs). We utilize GCP Security Groups to filter inbound traffic. We ensure that specific workloads are allocated to dedicated resources to meet the specific needs of our different tenants. We use namespace isolation for each service to isolate resources like pods, services, and secrets. We have implemented a robust SDLC pipeline, which includes code reviews, automated end-to-end (e2e), security testing, and branch protection rules.
Cloud Events and Detection
ZenBusiness Inc. collects cloud events and detections from various sources such as GCP Cloud logs. It also integrates with GCP’s native threat detection capabilities to provide correlation and context with Google Cloud Armor and 3rd party security platforms for near real-time ingestion of threat detection findings.
Access Control
ZenBusiness Inc. has implemented strict password policies to ensure the safety and security of all critical services. Access to these services is granted only through Single Sign-On (SSO) or multi-factor authentication, wherever available. Role-Based Access Control (RBAC) is maintained across all internal and external systems, ensuring that access is provided only on a need-to-know basis. Furthermore, the security and compliance team conducts periodic User Access Reviews (UAR) to review access authorization and permissions of internal and external stakeholders. This ensures that access control is continually monitored and improved to prevent unauthorized access to sensitive information.
Endpoint Protection and Remote Access
Our remote access is secured through Identity Aware Proxy (IAP) and Privileged Access Manager (PAM). Additionally, our endpoints are protected by a leading endpoint protection platform, and internal investigation of any security alerts.
Product Security
Multi-Factor Authentication (Client)
The ZenBusiness Inc. dashboard supports multi-factor authentication when enabled for sensitive operations or transactions.
Cardholder Data Bypass
Credit/debit cardholder data does not pass through ZenBusiness Inc.’s environments and are transmitted/vaulted by PCI-certified 3rd party vendors during payment workflows or payment information updates.
Sensitive Data Restriction and PCI Compliance
Sensitive data, such as full card numbers, are not available to be displayed in the Dashboard after entry; only the last 4 digits are available to view. Clients calling customer care to update a credit/debit card will enter that sensitive data into a system that masks the DTMF tones and does not allow the customer care agent to handle or know what that data is.
Audit Logs and Monitoring
ZenBusiness Inc. collects audit trails for read/write operations to ensure high-level transparency and security standards. Our detailed audit logs help identify abnormalities, intrusions, or suspicious activity by providing oversight teams with a clear and comprehensive record of all activities. The designated audit log offers a searchable database of actions, each containing structured fields such as the time of action, performing user, associated bank or organization, action type, and changes made. Audit logs are stored in a centralized repository for external audit compliance. This ensures that we can provide the required data either through self-service solutions or ad-hoc requests.
Logs and events are also monitored 24/7 by a Security Operations Center (SOC) to ensure that we do not lose visibility of any potential security events if they occur.
Availability
Redundancy
ZenBusiness Inc. ensures intra-regional zone redundancy, improving recovery times and improved customer experiences.
Backups
We backup all production data and all backups are regionally diversified within the same judicial data boundary.
Monitoring
We continuously monitor the platform and post real-time updates to our public status page.
Business Continuity
We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions. We test our business continuity plan at least once annually, using different real-world scenarios.
Report a Security Bug
ZenBusiness Inc. encourages everyone to follow responsible disclosure procedures when reporting security issues that surround our products, services, websites, or infrastructure. We are committed to engaging with anyone reporting security vulnerabilities in a positive, professional, mutually beneficial manner that protects our clients. To report a security bug, please contact us at security@zenbusiness.com.
Want to learn more?
If you’d like to learn more about our security measures or obtain a copy of our security policies, reports, or documents, please contact our team at security@zenbusiness.com.
