Security at Zyra
Honest, evidence-backed, $0-of-marketing-budget. Last updated: 2026-05-09.
This page describes what we actually do, with links to the underlying evidence in our public repository. Where a control is aspirational rather than operational, we say so.
Compliance status
- SOC 2 Type II — audit in progress (target Q4 2026). We are not certified today and we do not claim otherwise. Public roadmap: docs/compliance/.
- ISO 27001-aligned controls operational. We have not pursued formal certification yet; the operational controls (access management, change management, incident response, asset inventory) are in place and reviewed quarterly.
- GDPR-compliant data handling — Articles 5, 6, 13–22, 32–34. See privacy notice for the full disclosure stack and /dsar.html for rights requests.
- PCI-DSS SAQ A — self-attested 2026-05-09, 89% (17 of 22 PASS, 3 partial, 1 open: admin MFA enforcement). Card data is handled exclusively by Stripe; we never see PANs. PCI SAQ A 2026 attestation.
- OWASP ASVS Level 1 — self-attested 2026-05-09, 91% PASS (86 of 95 controls, excluding 3 N/A). Open items: CSRF refresh-cookie hardening, path traversal hardening on a legacy file endpoint, CORS regex tightening; all tracked in the compliance dashboard with Q3-2026 ETAs. OWASP ASVS L1 attestation.
- NIST CSF 2.0 — self-mapped 2026-05-09, overall Tier 2.7 (Repeatable trending Adaptive). Open items: formal risk register, IR tabletop exercise, restore-from-backup verification tests. NIST CSF 2.0 mapping.
- HIPAA — not in scope today. We do not accept Protected Health Information as workload input. Per ADR Decision-3.
Subprocessors
The list below mirrors section 5 of the privacy notice. Material additions trigger a 30-day notice.
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Primary hosting (Postgres, Redis, MinIO, app servers) | Falkenstein DE; Helsinki FI | Intra-EEA — no transfer; DPA |
| Stripe, Inc. + Stripe Payments Europe Ltd. | B2B payments, B2C payouts (Stripe Connect), KYC/AML, 1099-K/DAC7 | US + IE | Stripe DPA + EU SCCs (2021/914) + UK IDTA |
| Amazon Web Services — SES | Transactional email (account, billing, security, breach, opt-in marketing) | EU (eu-west-1 / eu-central-1) primary | AWS DPA + SCCs for any US sub-flow |
| Cloudflare, Inc. | Edge proxy, DDoS protection, WAF, Turnstile, DNS | Global anycast | Cloudflare DPA + SCCs + UK IDTA |
| Plausible Insights OÜ | Privacy-friendly analytics (cookieless, no cross-site identifier, marketing-effectiveness only) | EU (data residency) | Intra-EEA — no transfer; LIA on file (Art. 6(1)(f)) |
Security controls
- Transport. TLS 1.3 everywhere; HSTS preload (`max-age=31536000; includeSubDomains; preload`).
- Authentication. bcrypt(12) password hashing; JWT HS256 access tokens with a server-side blacklist for revocation; MFA enforced on admin accounts; SAML 2.0 SSO available for enterprise tenants.
- Authorization. RBAC v2 with a permission engine (capability-based checks at every endpoint, not just route guards).
- Workload sandbox. Tasks run in Docker containers with read-only root, all caps dropped, no-new-privileges, network isolation, and resource limits. See architecture docs.
- Encryption at rest. Fernet-encrypted credential vault for tenant secrets (`credential_vault.py`); database-level encryption via the hosting provider; object storage encrypted server-side.
- Web application security. Full security-header stack: CSP, HSTS, X-Frame-Options DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy. SRI policy with a CI gate that fails the build on missing integrity hashes.
- Detection. Anomaly monitor writes to a `security_alerts` table; admins are paged on high-severity events. Audit log retained 2 years.
- Frontend error tracking. Self-hosted GlitchTip (Sentry-compatible) is in roll-out; client errors are captured without third-party data egress.
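As an added example, not Zyra's own CI code, here is a stdlib-only Python version of the kind of SRI gate described under "Web application security": it scans HTML for cross-origin scripts and stylesheets and reports those without a well-formed integrity attribute, so a CI job can fail the build on any finding. The own-host list, the sample markup and the digest value are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browsers accept sha256/384/512 with a base64 digest; tokens may be space-separated.
_TOKEN_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")

def _is_cross_origin(url, own_hosts):
    host = urlparse(url).hostname
    return host is not None and host not in own_hosts  # no host = relative, same-origin

class _SriScanner(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []  # (tag, url, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            url = a["href"]
        else:
            return
        if not _is_cross_origin(url, self.own_hosts):
            return
        tokens = (a.get("integrity") or "").split()
        if not tokens:
            self.findings.append((tag, url, "missing integrity"))
        elif not all(_TOKEN_RE.match(t) for t in tokens):
            self.findings.append((tag, url, "malformed integrity"))
        elif "crossorigin" not in a:
            # Without crossorigin the fetch is opaque and SRI cannot be verified.
            self.findings.append((tag, url, "missing crossorigin"))

def scan_html(html, own_hosts=("getzyra.io",)):
    """Return (tag, url, reason) for each SRI violation; an empty list is a pass."""
    scanner = _SriScanner(set(own_hosts))
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not Zyra's markup); the digest is a made-up placeholder.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha256-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCdE=" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
<script src="https://cdn.example.com/widget.js" integrity="md5-deadbeef"></script>
"""
```

Running `scan_html` over every rendered template in CI and exiting non-zero on a non-empty result is what turns the check into a build gate.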
Reporting and disclosure
- Vulnerability disclosure. Coordinated disclosure via security@getzyra.io — see /.well-known/security.txt. No paid bounty program at this time; we acknowledge legitimate reports within 72 hours and target a fix within 90 days for verified findings.
- security.txt. Published per RFC 9116 at /.well-known/security.txt.
- Breach notification. 72-hour SLA to supervisory authority (GDPR Art. 33) and to affected data subjects when high-risk (Art. 34). Runbook: GDPR_BREACH_NOTIFICATION.md.
- Data subject requests. Public form at /dsar.html. We respond within 30 days (Art. 12) with a one-time 60-day extension for complex requests.
What we don’t do
Transparency about boundaries builds trust:
- We do not read workload contents. We act as a carrier under DSA Art. 4–6 and DMCA §512 mere-conduit / hosting safe harbours.
- We do not sell or share personal information for advertising (no “sale” or “share” under CCPA/CPRA).
- We do not enrich profiles from data brokers.
- We do not profile Device Owners. They contribute compute; that is the relationship.
- We do not use customer data to train AI models, develop new features, generate benchmarks, or run internal marketing analyses.
Continuous improvement
Compliance is a roadmap, not a snapshot. Our public posture grows in phases tied to revenue rather than marketing claims:
- Phase 0.5 — free attestations (now): PCI SAQ A, OWASP ASVS L1, NIST CSF 2.0. Index: docs/compliance/free-attestations/.
- Phase 1 — SOC 2 Type II (target Q4 2026): formal audit by a CPA firm, observation window already running.
- Phase 2 — ISO 27001 + paid penetration tests: triggered when revenue justifies the recurring cost.
Talk to us
Security questions: security@getzyra.io. Sales-side compliance review (DPA, SCC packet, security questionnaire): hello@getzyra.io.
The fastest way to evaluate Zyra is to use it on a non-sensitive workload first: Sign up for free