Set your security baseline

Where to find it

Open Settings → Security → Baseline policy from the left sidebar. The page shows three preset cards and a fourth "Custom" option.

Pick the right baseline

Use this decision tree:

1. Are you in a regulated industry (healthcare, finance, government) or do you handle customer PII? → choose Strict.
2. Do you have a compliance program (SOC 2, ISO 27001) but evaluating Zyra in a sandbox? → start with Standard, switch to Strict before production.
3. None of the above and you want sensible defaults? → Standard is fine. You can tighten any time.
4. Need to mix and match (for example, strict session timeouts but optional 2FA during a 30-day pilot)? → Custom.

Standard baseline (recommended default)

The "good defaults" choice. Suitable for most teams evaluating Zyra and for production workloads that don't touch regulated data.

Strict baseline (regulated workloads)

The choice for SOC 2, ISO 27001, PCI, or internal policy that requires hardened controls.

Custom baseline

If neither preset fits, click Custom and pick each control individually. The page shows every control with a short description and a dropdown of allowed values. There is no "advanced" tier hidden behind Enterprise — every control is available to every customer.

What each control actually means

• Single sign-on (SSO). When required, members sign in via your identity provider (Okta, Azure AD, Google Workspace, etc.) instead of a Zyra password. Setup is in Stage 4, chapter 5 of this guide.
• Two-factor authentication (2FA). A second proof of identity at sign-in, in addition to password or SSO. Zyra supports time-based one-time codes (TOTP) from apps like 1Password, Authy, or Google Authenticator.
• Session timeout. How long Zyra keeps you signed in before asking again. Shorter timeouts reduce risk from forgotten laptops; longer timeouts reduce friction. Tune to your team's tolerance.
• Audit log retention. How far back you can search administrative actions: invitations, role changes, device enrollments, billing changes, security setting changes. Longer retention costs nothing extra.
• IP allow-list. Restricts sign-in to a list of IP ranges (your office, your VPN exit, your CI runners). Adds a strong second perimeter; only enable once you're confident your team always connects from listed ranges.

Cost note

Every control listed is free on every plan. Strict baseline is not an Enterprise upsell. The split is by need, not by price.

How Zyra itself is secured

For evidence of Zyra's own posture — SOC 2, PCI SAQ A 89%, ASVS Level 1 91%, NIST CSF 2.7 self-score, ongoing SOC 2 audit — see getzyra.io/security. Your security team will want this as part of their vendor review.

Step — Save and confirm

Pick a baseline (or finish your custom picks), then click Apply baseline. Zyra shows a confirmation dialog summarizing what will change for current users — for example, "All members will be required to enroll 2FA at next sign-in." Confirm to apply.

Changes take effect immediately for new sign-ins. Members already signed in will be prompted to comply at the next session refresh.

What just happened

You have a security posture that matches your risk tolerance and a clear audit trail of who set what, when. Stage 1 is complete. Your organization is ready to receive its first Compute Node.

Troubleshooting

• A teammate is locked out after switching to Strict. They probably haven't enrolled 2FA. Any Organization Admin can issue a one-time bypass from Settings → Security → Member overrides so they can sign in and complete enrollment.
• SSO setup deferred. Standard baseline allows mixed auth; flip to Strict only after every member has linked their SSO account.
• Audit-log export needed for an external auditor. Settings → Security → Audit log → Export produces a signed JSON or CSV dump for any date range within your retention window.