Enterprise trust
Security & compliance overview
Last updated: June 2026
Summary for InfoSec and procurement reviews. Authenticated customers can download the machine-readable dossier from the terminal (Enterprise → Security).
Authentication
Magic link, WebAuthn passkeys, device PIN, optional Microsoft OIDC SSO and SAML 2.0 (ZRG acts as the SAML service provider). Sessions are carried in httpOnly cookies whose contents are HMAC-signed: a cookie altered client-side fails verification on the next request, and page scripts cannot read it.
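What "HMAC-signed httpOnly cookie" means in practice, as an added example (not ZRG's code; the cookie name, claim fields, lifetime and the Secure/SameSite attributes are assumptions, since the page states only HttpOnly and HMAC). The server appends an HMAC-SHA256 tag to the claims it sets; on each request it recomputes the tag in constant time, refuses to parse the claims until the tag matches, and rejects expired sessions. `forge_tenant` shows what a user editing the cookie in browser devtools would produce and why it is rejected.

```python
# Added example: HMAC-signed session cookie, issue and verify.
# Illustrative, not ZRG's implementation. COOKIE_NAME, SESSION_TTL and the
# claim layout are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

COOKIE_NAME = "zrg_session"    # assumed cookie name
SESSION_TTL = 12 * 3600        # assumed lifetime, seconds


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, tenant: str, key: bytes,
                         now: Optional[float] = None) -> str:
    """Return 'payload.mac' where mac = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "tenant": tenant,
              "exp": int(now + SESSION_TTL), "nonce": secrets.token_hex(8)}
    # canonical encoding so the bytes that are signed are the bytes that are checked
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(mac)}"


def verify_session_cookie(cookie: str, key: bytes,
                          now: Optional[float] = None) -> Optional[dict]:
    """Return the session claims, or None for a malformed, tampered, foreign-key or expired cookie."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload = b64url_decode(payload_b64)
        mac = b64url_decode(mac_b64)
    except ValueError:            # no separator, or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison: do not leak how many MAC bytes matched
    if not hmac.compare_digest(mac, expected):
        return None
    # only now is the payload trusted enough to parse
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def forge_tenant(cookie: str, new_tenant: str) -> str:
    """What an attacker editing the cookie in devtools produces: new payload, original MAC."""
    payload_b64, mac_b64 = cookie.split(".", 1)
    claims = json.loads(b64url_decode(payload_b64))
    claims["tenant"] = new_tenant
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{b64url_encode(payload)}.{mac_b64}"


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie value. HttpOnly keeps it out of reach of page scripts;
    Secure and SameSite=Lax are assumed hardening, not stated on the page."""
    return f"{COOKIE_NAME}={cookie}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Note that the MAC gives integrity only: the claims are readable by anyone holding the cookie, so nothing sensitive belongs in the payload, and the signing key itself must never leave the server.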
Authorisation
Role-based access with four roles: owner, admin, member, viewer. Portfolio and alert writes are restricted by role. Per-tenant API keys are stored only as hashes, so a copy of the key table does not yield usable keys.
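How "per-tenant API keys (hashed at rest)" combines with the role split above, as an added example (not ZRG's code). Assumptions, since the page does not state them: the `zrg_` key prefix, that viewer is the only read-only role, and an in-memory dictionary standing in for the key table. The plaintext key is returned once at creation and never stored; lookups go through the hash, and a write is authorised only for a key bound to the target tenant with a write-capable role.

```python
# Added example: API keys stored as hashes plus a tenant-scoped role check.
# Illustrative, not ZRG's implementation; prefix, role split and the
# in-memory table are assumptions.
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Assumed: viewer is read-only; the page lists the roles, not the exact split.
WRITE_ROLES = {"owner", "admin", "member"}

# Stand-in for the key table: sha256(key) -> (tenant, role). Plaintext keys never enter it.
KEY_TABLE: Dict[str, Tuple[str, str]] = {}


def key_digest(api_key: str) -> str:
    # Plain SHA-256 is adequate for keys with 256 bits of entropy: there is no
    # low-entropy secret to brute-force offline, unlike a user password.
    return hashlib.sha256(api_key.encode()).hexdigest()


def create_api_key(tenant: str, role: str) -> str:
    """Generate a key, persist only its hash, hand the plaintext back exactly once."""
    api_key = "zrg_" + secrets.token_urlsafe(32)   # prefix is an assumption
    KEY_TABLE[key_digest(api_key)] = (tenant, role)
    return api_key


def authenticate(api_key: str) -> Optional[Tuple[str, str]]:
    """Resolve a presented key to (tenant, role), or None if unknown."""
    # Lookup by digest: an attacker holding the table still needs a preimage.
    return KEY_TABLE.get(key_digest(api_key))


def authorize_write(api_key: str, target_tenant: str) -> bool:
    """Portfolio/alert writes: same tenant AND a role that may write."""
    identity = authenticate(api_key)
    if identity is None:
        return False
    tenant, role = identity
    return tenant == target_tenant and role in WRITE_ROLES


def revoke_api_key(api_key: str) -> bool:
    """Revocation needs only the hash; returns False if the key was already unknown."""
    return KEY_TABLE.pop(key_digest(api_key), None) is not None
```

Both checks in `authorize_write` matter: a valid key of a different tenant must fail just like an unknown key, so cross-tenant writes are refused before any data access happens.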
Data classification
Customer confidential: portfolio files and alert configs (Supabase Storage per account). PII: email, company (KV/Stripe). Audit: compliance validation logs.
Certification roadmap
SOC 2 TSC mapping, ISO 27001 Annex A mapping, incident response plan and vulnerability disclosure policy are published in docs/security/. A penetration test is planned before general availability.
Predictive methodology
How ZRG calculates lead time, confidence scores and alert thresholds.
Predictive alerts methodology →
SOC 2 Type II and ISO 27001: readiness mappings available; formal attestation scheduled with enterprise pilots. Not a substitute for your own due diligence.