Security & compliance overview

Last updated: June 2026

Summary for InfoSec and procurement reviews. Authenticated customers can download the machine-readable dossier from the terminal (Enterprise → Security).

Authentication

Supported methods: magic link, WebAuthn passkeys, device PIN, and optional Microsoft OIDC SSO and SAML 2.0 (service provider). Sessions use HMAC-signed httpOnly cookies.

Authorisation

Role-based access with four roles: owner, admin, member and viewer. Portfolio and alert writes are restricted by role. API keys are issued per tenant and stored hashed at rest.

Data classification

Customer confidential: portfolio files and alert configurations (Supabase Storage, per account). PII: email and company (KV/Stripe). Audit: compliance validation logs.

Certification roadmap

SOC 2 Trust Services Criteria (TSC) mapping, ISO 27001 Annex A mapping, incident response plan and vulnerability disclosure policy are published in docs/security/. A penetration test is planned before general availability.

Predictive methodology

How ZRG calculates lead time, confidence scores and alert thresholds is described in the separate document "Predictive alerts methodology".

SOC 2 Type II and ISO 27001: readiness mappings are available; formal attestation is scheduled to coincide with enterprise pilots. This overview is not a substitute for your own due diligence.