Zeguro Security Statement


Zeguro believes in security and privacy - not just for our customers, but for ourselves as well. We approach everything - our people, business processes, customer interactions, and technology decisions - with security & privacy in mind. This page provides details about our security processes; if you have any questions, please reach out to us at hello@zeguro.com.

People

Background Checks

All Zeguro employees undergo extensive background checks, which include verification of employment history, local, state and federal criminal checks and identity verification. We want to be sure we have the right people helping our customers and partners!

Training

Zeguro employees already bring a wealth of security knowledge to the job, but we’re eager to learn more! All staff undergo monthly Security Training & Awareness across diverse topics including phishing, secure password management, social media security and lots more.

Security Expertise

In total, our team brings over 50 years of security expertise including security engineering, application security, physical security, information systems audit, system security planning, security architecture, penetration testing, and governance, risk, & compliance (GRC) management. We’ve worked across industries as diverse as healthcare, financial services including banks all over the world, insurance, defense and government security - across four continents!

Process

Information Security Management System

Zeguro’s security experts have implemented an ISMS designed to measure our risks, choose appropriate controls, and continuously monitor them. Our ISMS comprises information security policies covering the following areas:

  • Acceptable Use
  • Zeguro Backup & Retention Policy
  • Zeguro Data Security Policy
  • Zeguro Incident Response Policy
  • Zeguro Network Security Policy
  • Zeguro Risk Assessment & Management Policy
  • Zeguro SDLC and QA Policy
  • Zeguro Third Party Security Policy

Our security control program is designed to allow us to meet our compliance requirements and provide the best security possible for our customers. We use the Secure Controls Framework (SCF) to map the controls we implement to each of our legal and regulatory obligations, so that a single control set is shown to satisfy every requirement that applies to us.

Cyber Resiliency, Business Continuity, and Disaster Recovery

Zeguro realizes the importance of insurance - cyberattacks can happen any time, so your Cyber Safety company needs to be available 24x7. To that end, we design with resiliency in mind - rather than planning to manually recover from an incident, we make sure Zeguro’s apps and services are architected to withstand outages and interruption. Our resiliency programs are developed following the Cyber Resiliency Engineering Framework (CREF), and incorporate the following:

  • Resiliency - we build our services on AWS infrastructure that delivers at least 99.9% ("three nines") uptime, configured to make use of multiple availability options. We incorporate Monitoring and Assurance into all architecture so that we have visibility into issues and can fix them before they turn into problems.
  • Business Continuity (BC) - Our business processes rely on SaaS platforms that offer at least 99% uptime, and our team is spread across geographic locations to ensure resilience in the face of threats like natural disasters and pandemics. In the event of a disaster, our teams can relocate and continue operations from one of our three offices (US West, US East, and UK) using defined procedures, and cloud-based applications with high availability ensure that business can continue no matter where we work.
  • Disaster Recovery - Should an incident completely knock out Zeguro's application, we do have manual recovery plans in place. The Recovery Time Objective (RTO) is 24 hours. The Recovery Point Objective (RPO) is expressed in terms of data rather than time: we recover to the last saved record, so any data that was open and unsaved at the moment of the incident will be lost.

Compliance Program

Zeguro takes compliance seriously - it demonstrates to our customers, business partners, and regulators that our security & privacy practices meet recognized, independently assessed requirements. We actively monitor new and evolving compliance requirements, and strive to meet them as quickly as possible. A list of existing compliance programs is detailed below, and will be updated as we achieve compliance with additional regulations or frameworks:

  • NY DFS 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies
  • AICPA SOC 2 Type II audit - Report on Controls at a Service Organization Relevant to Security, Confidentiality, and Privacy Trust Services Criteria (Audit anticipated in 3Q19)
  • Customer Contractual Requirements - Customer contractual requirements are treated like any other compliance objective, and our ISMS treats them with appropriate control activities.

Customer Data, Contracts, and Agreements

Zeguro collects, stores, and processes data on behalf of our customers, which may include:

  • Names & business email addresses of employees
  • Estimated revenue and number of employees (provided by customers or acquired from publicly-available data)
  • Status of training completion & employee grades
  • Status and content of information security policies
  • Web application vulnerabilities and their status
  • Details of insurance (coverages, claim history, etc.)
  • Other business proprietary/confidential information such as office locations, contact information, business titles, etc.

Zeguro’s Privacy Policy (https://www.zeguro.com/privacy-policy) details our collection, use, and storage of any customer data, as well as relevant security and confidentiality controls in place for such data.

Customers with unique requirements often ask if we’ll sign additional security documentation, so we’ve collected common answers below.

Can Zeguro sign a:

  • Business Associate Agreement (BAA)? No. The Zeguro platform does not collect, store, or process any Protected Health Information (PHI). Therefore, we rely on our standard confidentiality controls to protect data.
  • Non-disclosure Agreement (NDA)? Yes! Our security-first approach means we also care about confidentiality, so we’re happy to sign NDAs, subject to review by our legal team.
  • EU GDPR Model Contract Clauses? Possibly, subject to review by our legal team. In general we are not collecting Personally Identifiable Information (PII) on individuals. Our Privacy Policy (https://www.zeguro.com/privacy-policy) details our purpose and legal basis for data collection; should your business require additional controls, we’re happy to review and work with you.
  • Data Handling Agreement? Possibly, subject to review by our legal and operations teams. We must review to ensure the data handling requirements do not impair our ability to deliver our services or meet our compliance requirements.

Technology

Encryption

Zeguro believes your data is yours, and should only be accessible to you. To that end, we encrypt your data when it interacts with our application (data in transit) using TLS 1.2 with strong cipher suites, and when it is stored in our database (data at rest) using AES-256 in CBC mode combined with HMAC-SHA-256 for integrity, with a freshly randomized initial state (IV) for every record so that identical plaintexts never produce identical ciphertexts. Zeguro keys are stored in a highly secure way, using Amazon KMS, which itself protects key material with AES-256 in GCM mode. Data in our database can only be decrypted by customers using their own unique keys (or by Zeguro staff, if the customer grants access), which means no other customer can read your data, and an attacker who obtains a copy of the database still has to defeat per-customer encryption before any customer data is readable. See the next section for more details.
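As an added illustration (not Zeguro's code and not the ZERO implementation), the Go program below shows the record format the paragraph describes: AES-256-CBC with a fresh random IV per record, authenticated with HMAC-SHA-256 over the IV and ciphertext, keyed by a per-customer data key. The page does not say which order the cipher and MAC are applied in; this example assumes encrypt-then-MAC, the ordering that lets the tag be checked before any decryption. The KMS step is simulated with a local AES-256-GCM master key (`MasterAEAD`), an assumption for the demo: in production the data key would be generated and unwrapped by KMS rather than held in process. All keys and the sample record are constructed here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Per-customer data key: bytes 0..31 feed AES-256-CBC, bytes 32..63 feed HMAC-SHA-256.
const dataKeyLen = 64

func splitKey(dataKey []byte) (cipher.Block, []byte, error) {
	if len(dataKey) != dataKeyLen {
		return nil, nil, errors.New("data key must be 64 bytes")
	}
	block, err := aes.NewCipher(dataKey[:32])
	return block, dataKey[32:], err
}

// Seal returns IV || AES-256-CBC(plaintext) || HMAC-SHA-256(IV || ciphertext). The IV is
// fresh random per record and is covered by the tag, so flipping IV bits is detected.
func Seal(dataKey, plaintext []byte) ([]byte, error) {
	block, macKey, err := splitKey(dataKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time before decrypting or unpadding, so a tampered
// record is rejected outright and no CBC padding oracle is exposed.
func Open(dataKey, blob []byte) ([]byte, error) {
	block, macKey, err := splitKey(dataKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("record authentication failed")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// MasterAEAD is a stand-in for KMS (assumption for this demo): an AES-256-GCM AEAD under a
// master key, used to wrap each customer's data key so only the wrapped form is stored.
func MasterAEAD(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	master, dataKey := make([]byte, 32), make([]byte, dataKeyLen) // constructed demo keys
	rand.Read(master)
	rand.Read(dataKey)
	kms, _ := MasterAEAD(master)
	nonce := make([]byte, kms.NonceSize())
	rand.Read(nonce)
	wrapped := kms.Seal(nonce, nonce, dataKey, nil) // stored beside the customer's records
	record, _ := Seal(dataKey, []byte("training: alice@example.com complete")) // constructed
	key, _ := kms.Open(nil, wrapped[:kms.NonceSize()], wrapped[kms.NonceSize():], nil)
	pt, err := Open(key, record)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two details matter for safety here: the HMAC covers the IV as well as the ciphertext (otherwise an attacker can flip bits in the first plaintext block by editing the IV), and `Open` verifies the tag before it touches the padding, which is what removes the classic CBC padding-oracle attack. A record sealed under one customer's data key fails authentication under any other customer's key, which is the isolation property the paragraph claims.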

Zero Secure Database

The ZERO Encrypted Restful Object-store is a security-centric database, developed in-house to keep pace with the ever-changing landscape of data regulations and privacy requirements. ZERO protects our clients' data by using well-analysed, current cryptographic algorithms in conjunction with best practices in key management, making ZERO data resistant to statistical cryptanalysis techniques.

Data Center

Zeguro utilizes Amazon’s secure data centers, which are ISO 27001-certified and undergo a yearly SOC 2 Type II audit. They implement a rigorous set of controls for physical security, environmental controls, and redundant protections including power and all utilities.

The Zeguro security team performs an annual review of Amazon’s ISO and SOC 2 security reports to identify any deficiencies, and follows up to ensure corrective measures are implemented if needed.

Application Architecture

Zeguro's architecture is designed to be resilient and secure, so that the application is available whenever you need it. We run inside a virtual private cloud in Amazon Web Services, with elastic load balancing to keep the application highly available.

  • Access control and Identity and Access Management provided by AWS Cognito, to ensure only authorized users are able to access the application
  • All user passwords are hashed & salted for security
  • Users must choose either a complex password of at least 12 characters containing numbers, upper-case letters and symbols, or (recommended) a passphrase made up of four distinct words.

Security DevOps

Zeguro builds security into every product we ship. As a Security First organization, static application security testing (SAST) and runtime application self-protection (RASP) are built into our DevOps processes from the beginning, and manual security reviews are performed on all code. External penetration tests are performed on a regular basis, and Zeguro has a defined Responsible Disclosure Procedure for researchers who wish to report any vulnerabilities they find.