Overview
VulnZap maintains rigorous security and compliance standards to protect your data and meet regulatory requirements.
Security Certifications
SOC 2 Type II
Annual third-party audit of security controls
GDPR Compliant
Full compliance with EU data protection regulations
ISO 27001
Information security management system (In Progress)
HIPAA Eligible
Available for Enterprise on-premises deployments
SOC 2 Type II Compliance
Trust Service Principles
VulnZap’s SOC 2 report covers all five Trust Service Criteria:
Security
Controls Implemented:
- Multi-factor authentication required
- Role-based access control (RBAC)
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Regular penetration testing
- Vulnerability management program
- Security incident response plan
- 24/7 security monitoring
- Automated threat detection
- Annual third-party security audit
Availability
Uptime Guarantee: 99.9% (Enterprise SLA)
Infrastructure:
- Multi-region deployment
- Auto-scaling and load balancing
- Automated failover
- Database replication
- Regular backup and restore testing
- Real-time health checks
- Automated alerting
- Incident management system
Processing Integrity
Quality Controls:
- Automated testing (95% code coverage)
- Continuous integration/deployment
- Change management process
- Error logging and monitoring
- Low false positive rate (<5%)
- Regular accuracy benchmarking
- Customer feedback integration
Confidentiality
Data Protection:
- Zero code storage by default
- Encryption at rest and in transit
- Secure data deletion
- Access logging and monitoring
- Need-to-know basis
- Regular access reviews
- Automated deprovisioning
Privacy
Privacy Program:
- GDPR compliant
- Privacy by design
- Data minimization
- User rights management (access, deletion, portability)
- Privacy policy
- Cookie policy
- Terms of service
- Data processing agreements
SOC 2 Report Access
Request SOC 2 report under NDA:
1. Contact Compliance Team: email compliance@vulnzap.com
2. Sign NDA: execute mutual non-disclosure agreement
3. Receive Report: SOC 2 Type II report delivered securely
SOC 2 reports are updated annually. The current report covers the period January 1, 2024 - December 31, 2024.
GDPR Compliance
Data Protection Principles
VulnZap adheres to all GDPR principles:
| Principle | Implementation |
|---|---|
| Lawfulness, Fairness, Transparency | Clear privacy policy, legitimate interest basis, transparent processing |
| Purpose Limitation | Data used only for security scanning, no secondary uses |
| Data Minimization | Collect only metadata, source code not stored by default |
| Accuracy | User-controlled data, update/correction mechanisms |
| Storage Limitation | Retention periods based on plan, automated deletion |
| Integrity and Confidentiality | Encryption, access controls, security monitoring |
| Accountability | DPO appointed, audit trails, compliance documentation |
Data Subject Rights
VulnZap supports all GDPR data subject rights:
Right to Access
Request a copy of your data: delivered within 30 days in machine-readable format (JSON).
Right to Rectification
Correct inaccurate data: changes applied immediately.
Right to Erasure ('Right to be Forgotten')
Delete all personal data. Consequences:
- Account and all data deleted within 30 days
- Some data retained for legal compliance (billing records: 7 years)
- Irreversible action
Right to Data Portability
Export data in structured format: includes projects, scans, findings, settings.
Right to Object
Object to processing: email privacy@vulnzap.com. Processing will cease within 30 days (except legal obligations).
Right to Restriction
Temporarily restrict processing: account frozen, no new scans, data preserved.
Data Processing Agreement (DPA)
For Enterprise customers, VulnZap provides a GDPR-compliant DPA covering:
- Standard Contractual Clauses (SCCs)
- Processor obligations
- Sub-processor list
- Data transfer mechanisms
- Security measures
- Audit rights
Data Protection Officer
Contact DPO:
- Email: dpo@vulnzap.com
- Mail: VulnZap Data Protection Officer, [Address]
HIPAA Compliance
Business Associate Agreement (BAA)
For healthcare organizations processing PHI, the requirements are:
- On-premises deployment (air-gapped)
- Signed BAA with VulnZap
- Additional security controls
- Enhanced audit logging
- Regular compliance audits
HIPAA Controls
VulnZap implements required HIPAA safeguards:
Administrative Safeguards:
- Security management process
- Workforce security training
- Access authorization and management
- Incident response procedures
Physical Safeguards:
- Facility access controls (customer-managed in on-premises deployments)
- Workstation security
- Device and media controls
Technical Safeguards:
- Access controls (unique user IDs, automatic logoff)
- Audit controls (comprehensive logging)
- Integrity controls (encryption, checksums)
- Transmission security (TLS 1.3)
Data Residency
Available Regions
Choose where your data is stored and processed:
- United States
- European Union
- Asia Pacific
- On-Premises
Regions:
- us-east-1 (N. Virginia)
- us-west-2 (Oregon)
Compliance:
- SOC 2 Type II
- FedRAMP Moderate (in progress)
Configuring Data Residency
Data Retention
Retention Periods by Plan
| Data Type | Free | Standard | Scale | Enterprise |
|---|---|---|---|---|
| Scan Results | 7 days | 30 days | 90 days | 365 days |
| Findings Metadata | 7 days | 30 days | 90 days | Custom |
| Audit Logs | N/A | 30 days | 90 days | 365 days |
| API Request Logs | N/A | 7 days | 30 days | 90 days |
| Source Code | Never* | Never* | Never* | Optional† |
- *Source code never stored by default
- †Enterprise can opt-in for code snippets in findings (encrypted)
Custom Retention
Enterprise customers can configure custom retention.
Security Measures
Encryption
In Transit:
- TLS 1.3 for all connections
- Perfect Forward Secrecy (PFS)
- Certificate pinning in CLI/IDE
At Rest:
- AES-256 encryption
- Encrypted database storage
- Encrypted backups
Key Management:
- Key rotation every 90 days
- AWS KMS / GCP KMS / Azure Key Vault
- Hardware Security Modules (HSM) for Enterprise
- Separate keys per customer (Enterprise)
Authentication & Authorization
Authentication Methods:
- Email + Password (with 2FA required)
- SSO (SAML 2.0, OAuth 2.0) - Enterprise
- API Keys (with rotation policy)
Authorization:
- Role-Based Access Control (RBAC)
- Project-level permissions
- Audit trail for all access
Network Security
Protection Layers:
- Web Application Firewall (WAF)
- DDoS protection
- Rate limiting
- IP whitelisting (Enterprise)
- 24/7 security monitoring
- Automated threat detection
- Security Information and Event Management (SIEM)
Vulnerability Management
Internal Security:
- Quarterly penetration testing
- Annual security audit
- Bug bounty program
- Dependency scanning (daily)
- Responsible disclosure policy
- security@vulnzap.com
- 90-day disclosure timeline
Incident Response
Incident Response Plan
1. Detection: automated monitoring detects an anomaly
2. Triage: security team assesses severity (15 min SLA)
3. Containment: isolate affected systems
4. Investigation: determine root cause and impact
5. Remediation: apply fixes and security patches
6. Notification: notify affected customers (within 72 hours if data breach)
7. Post-Mortem: document incident and improve controls
Customer Notification
In case of a security incident:
Notification Channels:
- Email to account owner
- Dashboard banner
- Status page update
- Public disclosure (if warranted)
Timeline:
- Initial notification: Within 24 hours of discovery
- Detailed report: Within 72 hours
- Post-mortem: Within 14 days
Data Breach Response
Per GDPR Article 33:
- Internal Notification: DPO notified within 24 hours
- Supervisory Authority: Notified within 72 hours
- Data Subjects: Notified without undue delay if high risk
- Documentation: Breach logged in incident register
- Remediation: Measures taken to prevent recurrence
Audit and Compliance
Internal Audits
- Quarterly: Security control review
- Annually: SOC 2 Type II audit
- Continuously: Automated compliance monitoring
External Audits
Available for Enterprise:
- Right to audit (with reasonable notice)
- Third-party security assessment
- Penetration testing results sharing
Compliance Documentation
Available to customers:
Security Whitepaper
Comprehensive security architecture and controls documentation. Topics:
- Architecture diagrams
- Data flow
- Encryption implementation
- Access controls
- Monitoring and logging
Compliance Matrix
Mapping of VulnZap controls to various frameworks:
- SOC 2 TSC
- GDPR Articles
- HIPAA Safeguards
- ISO 27001 Controls
- NIST Cybersecurity Framework
Penetration Test Results
Summary of latest penetration test findings (Enterprise only). Request: security@vulnzap.com (under NDA).
Sub-Processor List
List of all third-party service providers with access to customer data. Download: app.vulnzap.com/sub-processors
Industry-Specific Compliance
Financial Services (PCI-DSS)
For payment processing environments, the requirements are:
- On-premises deployment
- Network segmentation
- Enhanced logging
- Quarterly scans
- Annual audit
Government (FedRAMP)
Status: FedRAMP Moderate authorization in progress (expected Q2 2025)
Current Options:
- GovCloud deployment (AWS GovCloud)
- On-premises deployment
Healthcare (HITRUST)
Status: HITRUST CSF certification in progress
Current Compliance:
- HIPAA-eligible (on-premises)
- Enhanced security controls
- Risk assessment framework
Privacy Shield & Data Transfers
International Data Transfers
Mechanisms:
- Standard Contractual Clauses (EU-US)
- Adequacy decisions
- Binding Corporate Rules (in development)
Data Transfer Impact Assessment
Enterprise customers receive a Data Transfer Impact Assessment (DTIA) documenting:
- Legal basis for transfer
- Safeguards in place
- Risk mitigation measures