ZAP Cloud Security

ZAP is dedicated to safeguarding your data

To protect the privacy of its customers and the safety of their information, ZAP maintains high standards of data security. ZAP relies upon state-of-the-art secure technology, data centers; enforces strict internal product controls, and regularly audits its policies and procedures. ZAP addresses security at three independent layers:

• Physical
• Operational
• Application

Here we set out the policies and benefits accrued at each layer in order to ensure the ZAP Cloud platform provides enterprise-level security.

Physical

• All customer data is hosted in SOC 2 and ISO/IEC 27001:2013 compliant data centres. ZAP leverages the Microsoft Azure platform.
• All customer data is stored in the customer’s region of origin except where contractually agreed otherwise. Please refer to ZAP Cloud—Service level Commitments.
• All customer data is geo-redundant for disaster recovery purposes and is stored in the same region as the Customer data.
• Note: Azure Active Directory, used for authentication (see below), may store Active Directory data globally. This does not apply to in the United States (where Active Directory data is stored solely in the United States) and in Europe (where Active Directory data is stored in Europe or the United States).
• Further information on Azure data centers can be found at the Azure Trust Center website.

Operational

ZAP provides both single-tenanted and multi-tenanted hosting plans to suit a range of customer needs:
Single-tenanted:

• Each customer is hosted on its own servers.
• Each customer’s infrastructure exists within its own isolating Network Security Group. A breach of any one customer environment does not directly jeopardize other customer environments.
• Each customer’s data exists in either a separate virtual machine or a separate Azure SQL database.

Multi-tenanted:

• A small subset of customers are hosted on shared servers.
• Each subset of customers in the multi-tenanted environment exists within its own isolating Network Security Group. A breach to this specific environment does not directly jeopardize other environments.
• Each customer’s data exists in either a separate database instance (sourced customer data) or a separate Azure SQL database (app metadata).
• All system patching and virus-scan signature updates are maintained and automated by the Azure platform.
• All systems are protected by firewalls including threat detection and are provided by the Azure platform. Each ZAP customer instance is monitored and protected by Azure Security Center service.
• Intrusion detection, distributed denial-of-service (DDoS) attack prevention and anomaly detection on the network is managed by the Azure platform.
• Customer keys are maintained in an Azure Key Vault and are managed by ZAP.
• Customer data, including backups, is stored on disks that encrypt data at-rest, using 256-bit AES encryption.
• Customers can nominate to restrict incoming IP addresses to a given region or subnet range.
• ZAP staff have minimal access rights to the core Azure infrastructure, with best-practise password complexity and cycling policies applied.
• ZAP undertakes regular internal reviews of security policies and procedures.
• The retention policy of Customer data in the event of a service termination is governed by the ZAP Cloud Subscription Agreement.

Application

• ZAP codes and tests to security best-practises including processes and tools from the Microsoft Security Development Lifecycle (SDL) process. Importantly every line of code is covered by mandatory reviews.
• ZAP relies on both automated in-house and periodic third-party penetration tests.
• ZAP monitors vulnerabilities in its third party tools and includes these tools in the automated and manual tests previously highlighted.
• ZAP identifies key personnel responsible for security. These personnel maintain relevant and up-to-date certifications.
• The application of secure authentication with industry-leading Azure Active Directory, including support for ADFS and multi-factor authentication.
• Where the customer brings-their-own Azure Active Directory, Open Id Connect and SAML are supported.
• SQL Server and Azure Active Directory password policies are enforced for all users. Additional polices include:
  • Retry-limiting lockouts
  • Passwords can only be reset and never recovered
• The application provides role-based security for access to application resources.
• The application also provides role-based data security for access to rows or cells from the analytic reporting database.
• All in-transit data is protected with HTTPS. This applies to both web traffic and extracted client-data traffic (through the ZAP Data Gateway). The signature algorithm used by the SSL Certificate is SHA256 with RSA Encryption and a size of 2048 bits.
• In-product auditing analytics are available to review and monitor analytics usage and access for authorized/authenticated users.
• Anonymous access to the web-application is only possible on request; and is controlled using security policies at the resource level.

Notes:

• The application reports aggregated metrics and logs to a central server for performance and diagnostic purposes.
• Model designers naturally have elevated rights to preview customer data in scenarios where the source system itself is not secured. Role-based security is used to restrict design rights.

Reporting a vulnerability

ZAP recognizes that even with best intentions and best-practice policies and procedures in place, vulnerabilities can still occur. In the event that your team discovers a vulnerability please contact ZAP HelpDesk; our support team may then provide a secure channel on which to discuss the details.

Notifications

Security-related announcements including bug fixes and known vulnerabilities can be found on the ZAP HelpDesk website.
Please note: this bulletin provides general bug fix and vulnerability information. Where a breach is known to have occurred ZAP will seek to contact the affected customers directly. Please ensure contacts details are up to date.

Definitions

Definitions for terms of this document can be found in EXHIBIT A of the ZAP Cloud Subscription Agreement; or for Azure-related terms may be found on the Azure Trust Centre website.

Other resources

• For information on ZAP’s Cloud Agreement, please see the ZAP Cloud Subscription Agreement.
• For information on ZAP’s data privacy please see the ZAP Privacy Policy.
• For information on the backup policies, disaster recovery and SLAs please see the ZAP Cloud—Service level Commitments.
• For information on support and support-SLAs please see the ZAP Support Agreement.