Impacted by Severe Weather? We're here to help.

Your web browser is out of date. Update your browser for more security, speed and the best experience on this site.

Update your browser

Security

Zippy's Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

Security and Compliance at Zippy: Zippy is SOC 2 Type II compliant. View our trust center here.

Data Protection

Data at rest - all datastores with customer data are encrypted at rest.

Data in transit - Zippy uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. Server TLS keys and certificates are managed by AWS and deployed via Application Loan Balancers.

Secret management - Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.

Product Security

Penetration testing - Zippy engages with one of the best penetration testing consulting firms in the industry at least annually. Our current penetration testing partner is Lost Rabbit Labs

Vulnerability Scanning - Zippy requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC)

Enterprise Security 

Endpoint protection - All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce the secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Security education - Zippy provides comprehensive security training to all employees upon onboarding and annually through educational modules.

Identity and access management - Zippy uses Microsoft Azure to secure our identity and access management. Zippy employees are granted access to applications based on their role, and deprovisioned upon termination of employment. Further access must be approved according to the policies set for access requests.