Security

Executive intelligence runs on trust. The attestation comes first; the underlying controls follow.

Attestation

SOC 2 Type II attestation (an auditor's report on controls over an observation period, not a certification).

Audited by Sensiba LLP. Continuous controls monitoring through Drata.

The full report is available under mutual NDA. Request a copy at eli@zamski.com.

Encryption

  • At rest: AES-256-GCM across all stored data.
  • In transit: TLS 1.3 on every network hop.
  • Token storage: OAuth refresh tokens encrypted with AES-256-GCM before persistence.
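The refresh-token bullet above describes sealing each token with AES-256-GCM before it is written to the database. The following Go program is an added example of that pattern and is not Zamski's own code; the key source, the record identifiers in RecordAAD, and the token value are all assumptions constructed for the demo. The point it shows beyond the bullet is that the ciphertext is bound to its owning record through GCM's additional authenticated data, so a sealed blob copied into another org's row fails to decrypt, and that a fresh random 96-bit nonce is generated per seal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealToken encrypts a refresh token with AES-256-GCM before persistence.
// aad is bound into the authentication tag, so the blob only opens under the
// same record context. A random 96-bit nonce is drawn per call and prepended;
// nonce reuse under one key breaks GCM, so never derive it from a resettable
// counter. Output layout: nonce || ciphertext || 16-byte tag.
func SealToken(key, aad []byte, token string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), aad), nil
}

// OpenToken reverses SealToken. Any change to the blob, key or aad makes
// gcm.Open return an error instead of plaintext.
func OpenToken(key, aad, blob []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RecordAAD builds the context bound into the tag. The layout is an
// assumption for this example; a real service would use its own identifiers.
func RecordAAD(orgID, userID, provider string) []byte {
	return []byte("refresh_token|" + orgID + "|" + userID + "|" + provider)
}

func main() {
	// Constructed demo key and token. In production the key comes from a KMS
	// or secrets manager and the token from the OAuth provider.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	token := "ghr_constructedExampleToken" // not a real token

	blob, err := SealToken(key, RecordAAD("org_A", "user_1", "github"), token)
	if err != nil {
		panic(err)
	}
	pt, err := OpenToken(key, RecordAAD("org_A", "user_1", "github"), blob)
	fmt.Println(pt == token, err) // true <nil>

	// Same blob moved to another org's row: the tag check fails.
	_, err = OpenToken(key, RecordAAD("org_B", "user_1", "github"), blob)
	fmt.Println(err != nil) // true
}
```

Store the nonce with the ciphertext as shown; it is not secret, only unique. Rotating the data key means re-sealing every row, so in practice the key is fetched by version from the KMS rather than hard-coded.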

Multi-tenant isolation

  • Org-scoped queries: Every database read is filtered by an org_id derived from the verified JWT, never from client input.
  • Cache isolation: All caches are org-scoped; org switches clear cached state.
  • Trust boundaries: Backend services fail closed if org context is missing or unverifiable.
  • Continuous discovery testing: CI fails the build on any data-access path that bypasses org_id filtering.
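The isolation bullets above describe one rule: org_id comes only from a verified JWT, every read is filtered by it, and a missing or unverifiable org context is a hard failure. The Go program below is an added example of that rule and is not Zamski's code. It assumes an HS256-signed JWT with an org_id claim (the real issuer and algorithm are not stated on the page) and uses an in-memory store with constructed rows for two orgs. Beyond the bullets it shows the checks that make the rule hold: the alg header is pinned, the signature is compared in constant time, expiry and the org_id claim are mandatory, and the store refuses an empty context instead of returning every org's rows.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// OrgContext is the only source of org_id for data access. It is built solely
// from a JWT whose signature has been verified; request body, query string and
// headers are never consulted.
type OrgContext struct{ OrgID, UserID string }

type claims struct {
	Sub   string `json:"sub"`
	OrgID string `json:"org_id"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// OrgFromJWT verifies an HS256 JWT (assumed for this example) and returns the
// org context. Every failure path is an error, so callers fail closed.
func OrgFromJWT(secret []byte, token string, now time.Time) (OrgContext, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return OrgContext{}, errors.New("malformed token")
	}
	// Pin the algorithm; honouring whatever alg the header names (e.g. "none")
	// is a classic JWT bypass.
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return OrgContext{}, errors.New("bad header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return OrgContext{}, errors.New("unsupported alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := b64.EncodeToString(mac.Sum(nil))
	if subtle.ConstantTimeCompare([]byte(want), []byte(parts[2])) != 1 {
		return OrgContext{}, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return OrgContext{}, errors.New("bad payload")
	}
	var c claims
	if json.Unmarshal(payload, &c) != nil {
		return OrgContext{}, errors.New("bad claims")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return OrgContext{}, errors.New("token expired")
	}
	if c.OrgID == "" || c.Sub == "" {
		return OrgContext{}, errors.New("missing org_id or sub")
	}
	return OrgContext{OrgID: c.OrgID, UserID: c.Sub}, nil
}

// Brief is a stand-in record; org_id is the column every query filters on.
type Brief struct{ OrgID, ID, Title string }

type Store struct{ rows []Brief }

// ListBriefs is the only read path. The filter value comes from the verified
// context, and an empty context is refused rather than treated as "all orgs".
func (s *Store) ListBriefs(ctx OrgContext) ([]Brief, error) {
	if ctx.OrgID == "" {
		return nil, errors.New("refusing unscoped query")
	}
	var out []Brief
	for _, r := range s.rows {
		if r.OrgID == ctx.OrgID {
			out = append(out, r)
		}
	}
	return out, nil
}

// MintJWT signs a token for the demo; in the real system the identity
// provider issues it.
func MintJWT(secret []byte, orgID, sub string, exp time.Time) string {
	hdr := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims{Sub: sub, OrgID: orgID, Exp: exp.Unix()})
	signing := hdr + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + b64.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-demo-secret") // assumption, demo only
	store := &Store{rows: []Brief{{"org_A", "b1", "Q3 pipeline"}, {"org_B", "b2", "Hiring plan"}}}
	now := time.Now()
	ctx, err := OrgFromJWT(secret, MintJWT(secret, "org_A", "user_1", now.Add(time.Hour)), now)
	if err != nil {
		panic(err)
	}
	rows, _ := store.ListBriefs(ctx)
	fmt.Println(len(rows), rows[0].Title) // 1 Q3 pipeline
	// A token for org_B signed with the wrong key never yields a context.
	_, err = OrgFromJWT(secret, MintJWT([]byte("wrong"), "org_B", "user_1", now.Add(time.Hour)), now)
	fmt.Println(err) // bad signature
}
```

The CI check in the last bullet is the same idea applied to the codebase: a test that calls each read path with an empty OrgContext and fails the build if any of them returns rows instead of an error.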

Authentication and authorization

  • OAuth 2.0: Industry-standard delegated authorization for every integration, with secure token management.
  • Read-only scopes: We request the minimum OAuth scope on every integration. No write permissions on GitHub, Slack, Jira, or calendar sources.
  • Token rotation: Automatic refresh 10 minutes before expiry.
  • Multi-factor authentication: Available through Auth0.
  • Passwordless email OTP: Primary end-user authentication path; there is no password to phish, leak, or reuse across sites.

Infrastructure

  • Cloud hosting: AWS with automatic backups and disaster recovery.
  • Database: ArangoDB with encryption at rest and role-based access controls.
  • Network security: Virtual Private Cloud isolation across services.
  • Rate limiting: Per-organization throttles to prevent abuse and noisy-neighbor effects.

Privacy and data minimization

  • Read-only: We never write back to your source systems.
  • Minimization: We pull only the data needed to produce the brief.
  • Deletion: 30-Day Finding data is deleted after 30 days, or sooner on request. Pilot data is deleted on pilot close.
  • No data sales: We never sell, share, or expose customer data to third parties.
  • No model training on customer data: LLM calls run as inference only; customer content is not used to fine-tune any model.
  • GDPR and CCPA compliant: DPA available day one. EU and California rights honored on request.

Incident response

If a security incident occurs:

  1. Immediate containment and investigation.
  2. Affected users notified within 72 hours.
  3. Platform providers notified within 48 hours.
  4. Detailed incident report provided.
  5. Remediation steps and prevention measures implemented and documented in Drata.

Report a security issue

If you discover a security vulnerability, report it immediately to security@zamski.com. We acknowledge all reports within 24 hours.