Security and Privacy Framework
Zingtree highly values the security and privacy of Customer information and is therefore committed to proactively ensuring its confidentiality, integrity, and availability, as well as fulfilling individuals' privacy rights. Consequently, Zingtree has designed security and privacy into its products and services from the outset rather than as an afterthought. Zingtree's security and privacy program is designed not just to satisfy compliance standards, but to go beyond them and embrace industry "best practices."
Security and Privacy Compliance Program
Zingtree has been awarded its SOC 2 Type II and HIPAA third-party compliance attestations. To supplement its security compliance program, Zingtree has adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the associated security policies and controls, as presented in NIST SP 800-53, Revision 5.
Zingtree is self-certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. In addition, we are receptive to signing Data Processing Agreements and EU Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for customers to whom GDPR applies. In addition to GDPR, Zingtree has also developed the requisite policies and processes to comply with an array of international and domestic privacy regulations, e.g., CCPA/CPRA.
Zingtree's adoption of these frameworks has led to the enactment of a comprehensive set of executive-management-approved security and privacy policies, as well as the implementation of associated safeguards, developed around governance, security/privacy compliance, industry "best practices," and culture. Furthermore, Zingtree plays a proactive role in keeping current on the latest security and privacy challenges and the industry's response to them, in order to minimize potential exposure.
Zingtree's application is hosted on Amazon Web Services in multiple geographical regions, including the US and Ireland, to support data residency requirements. We have architected our application to span multiple Availability Zones within these regions to ensure scalability, resilience, and high availability.
In addition, we use the AWS Relational Database Service to store customer data, and we regularly back up this data to meet our Recovery Time and Recovery Point Objectives.
Furthermore, we employ a range of security-related services to protect customer data and maintain the availability and reliability of our platform. These services include, but are not limited to: CloudTrail for access monitoring and alerting, GuardDuty for threat detection, Key Management Service for encryption key management, and Security Hub for security monitoring. We also use Cloudflare for Web Application Firewall and DNS, Logz.io for application logging, and Snyk for code and dependency scanning.
Zingtree's application is developed with a security mindset, incorporating a wide range of technical, operational, and administrative security features. Zingtree's secure application is enabled to process, store, and transmit Restricted Data (e.g., HIPAA Protected Health Information (PHI), Personally Identifiable Information (PII), and GDPR and CCPA/CPRA Personal Data/Information), Confidential Data (e.g., Customer proprietary information), and other such sensitive or critical information.
Examples of the enabled security features include, but are not limited to:
- All data in transit is encrypted using TLS v1.2.
- All data at rest is encrypted using the industry-standard AES-256 encryption algorithm.
- Adoption of OWASP Top 10 standards.
- Robust access controls are implemented to ensure that only authorized individuals can access sensitive data.
- Regular monitoring and auditing are performed to detect and prevent unauthorized access to sensitive data.
- Employees receive regular training on data privacy and security best practices, and are required to comply with strict policies.
- Penetration testing and vulnerability assessments are conducted on a regular basis to identify and address potential weaknesses in our systems.
- Clear data retention and disposal policies are in place to ensure that we only retain the minimum amount of data necessary for business purposes, and that all data is disposed of securely when it is no longer needed.
- A detailed incident response plan is in place to quickly and effectively address any data privacy incidents that may arise.
Please feel free to contact the security team at Zingtree with any questions, suggestions, or concerns about any of the points outlined above at firstname.lastname@example.org