Zippy's Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Security and Compliance at Zippy
Zippy is seeking SOC 2 Type II attestation.
Data Protection
Data at rest - all datastores with customer data are encrypted at rest.
Data in transit - Zippy uses TLS 1.2 or higher wherever data crosses a potentially insecure network. Server TLS private keys and certificates are managed by AWS and deployed on Application Load Balancers, so they never live on application hosts.
Secret management - Application secrets are encrypted and stored in AWS Secrets Manager and Parameter Store, and access to these values is strictly limited to the identities that need them.
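As an added illustration (not Zippy's own infrastructure code), the Terraform below shows what these two controls look like in practice on AWS: an ALB HTTPS listener pinned to a predefined security policy that negotiates only TLS 1.2 and 1.3, a plain-HTTP listener that does nothing but redirect to HTTPS, and an IAM policy that grants an application role read access to exactly one Secrets Manager secret. The resource names (aws_lb.app, aws_acm_certificate.app, aws_lb_target_group.app, aws_iam_role.app, aws_secretsmanager_secret.db) and the policy name are hypothetical.

```hcl
# Added example, not Zippy's infrastructure code. Assumes an existing ALB
# (aws_lb.app), an ACM certificate (aws_acm_certificate.app), a target group
# (aws_lb_target_group.app), an application role (aws_iam_role.app) and a
# Secrets Manager secret (aws_secretsmanager_secret.db). All names hypothetical.

# Weak setting for comparison: the default ALB policy, ELBSecurityPolicy-2016-08,
# still accepts TLS 1.0 and TLS 1.1 handshakes from clients.
#   ssl_policy = "ELBSecurityPolicy-2016-08"

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"

  # Predefined policy offering only TLS 1.2 and TLS 1.3 with modern cipher
  # suites; TLS 1.0/1.1 handshakes are refused at the load balancer.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Key and certificate are held by ACM; Terraform only references the ARN,
  # so no private key material appears in state, code, or on app hosts.
  certificate_arn = aws_acm_certificate.app.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Port 80 exists only to send clients to HTTPS; nothing is forwarded in clear.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Least privilege for secrets: the application role may read the value of this
# one secret and has no other Secrets Manager permissions.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]
  }
}

resource "aws_iam_policy" "read_db_secret" {
  name   = "app-read-db-secret" # hypothetical name
  policy = data.aws_iam_policy_document.read_db_secret.json
}

resource "aws_iam_role_policy_attachment" "app_read_db_secret" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.read_db_secret.arn
}
```

The check that goes with this: `aws elbv2 describe-listeners --load-balancer-arn <arn>` should report the TLS 1.2/1.3 policy on every HTTPS listener, and a handshake forced to TLS 1.1 (for example `openssl s_client -tls1_1 -connect host:443`) should fail. For secrets, scope `resources` to the specific secret ARN rather than `"*"`, and grant `secretsmanager:GetSecretValue` only; listing or writing secrets is an administrative action and belongs on a different principal.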
Product Security
Penetration testing - Zippy engages a specialist penetration testing firm at least annually. Our current penetration testing partner is Lost Rabbit Labs.
Vulnerability Scanning - Zippy requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).
Enterprise Security
Endpoint protection - All corporate devices are centrally managed and are equipped with mobile device management (MDM) software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM to enforce secure endpoint configuration, including disk encryption, screen lock settings, and software updates.
Security education - Zippy provides comprehensive security training to all employees upon onboarding and annually through educational modules.
Identity and access management - Zippy uses Microsoft Azure for identity and access management. Zippy employees are granted access to applications based on their role and are deprovisioned upon termination of employment. Any additional access must be requested and approved under our access-request policy.