Zeguro believes in security and privacy - not just for our customers, but for ourselves as well. We approach everything - our people, business processes, customer interactions, and technology decisions - with security & privacy in mind. This page provides details about our security processes, but if you have any questions please reach out to us at hello@zeguro.com.
All Zeguro employees undergo extensive background checks, which include verification of employment history, local, state and federal criminal checks and identity verification. We want to be sure we have the right people helping our customers and partners!
Zeguro employees already bring a wealth of security knowledge to the job, but we’re eager to learn more! All staff undergo monthly Security Training & Awareness across diverse topics including phishing, secure password management, social media security and lots more.
In total, our team brings over 50 years of security expertise including security engineering, application security, physical security, information systems audit, system security planning, security architecture, penetration testing, and governance, risk, & compliance (GRC) management. We’ve worked across industries as diverse as healthcare, financial services including banks all over the world, insurance, defense and government security - across four continents!
Zeguro’s security experts have implemented an ISMS designed to measure our risks, choose appropriate controls, and continuously monitor them. Our ISMS comprises information security policies covering the following areas:
Our security control program is designed to allow us to meet our compliance requirements and provide the best security possible for our customers. We utilize the Secure Controls Framework to ensure the controls we implement are compliant across our legal and regulatory obligations.
Zeguro realizes the importance of insurance - cyberattacks can happen any time, so your Cyber Safety company needs to be available 24x7. To that end, we design with resiliency in mind - rather than planning to manually recover from an incident, we make sure Zeguro’s apps and services are architected to withstand outages and interruption. Our resiliency programs are developed following the Cyber Resiliency Engineering Framework (CREF), and incorporate the following:
Zeguro takes compliance seriously - it demonstrates to our customers, business partners, and regulators that we take security & privacy seriously. We actively monitor new and evolving compliance requirements, and strive to meet them as quickly as possible. A list of existing compliance programs is detailed below, and will be updated as we achieve compliance with additional regulations or frameworks:
Zeguro collects, stores, and processes data on behalf of our customers. This may include business details, information about your security program, and details of your insurance such as coverages and claim history. We are happy to share further details of our data collection and handling under an NDA.
Zeguro’s Privacy Policy (https://www.zeguro.com/privacy-policy) details our collection, use, and storage of any customer data, as well as relevant security and confidentiality controls in place for such data.
Customers with unique requirements often ask if we’ll sign additional security documentation, so we’ve collected common answers below.
Can Zeguro sign a:
Zeguro believes your data is yours and should be accessible only to you. To that end, we encrypt your data when it travels between you and our application (data in transit) using TLS 1.2 with strong encryption, and when it is stored in our database (data at rest) using AES-256 in CBC mode combined with HMAC-SHA-256, with initial state randomization. Zeguro's encryption keys are stored in a highly secure way, protected by Amazon KMS, which itself uses AES-256 in GCM mode. Data in our database can only be decrypted by customers using their own unique keys (or by Zeguro staff, if the customer grants access), which means no other customer can read your data, and an attacker has a lot more work to do to steal Zeguro customer data. See the next section for more details.
The ZERO Encrypted Restful Object-store is a security-centric database, invented in-house to support the needs of the ever-changing landscape of data regulations and privacy. ZERO ensures the safety of our clients' data by using state-of-the-art cryptographic algorithms in conjunction with best practices in key management, making ZERO data resistant to statistical cryptanalysis techniques.
Zeguro utilizes Amazon’s secure data centers, which are ISO 27001-certified and undergo a yearly SOC 2 Type II audit. They implement a rigorous set of controls for physical security, environmental controls, and redundant protections including power and all utilities.
The Zeguro security team performs an annual review of Amazon’s ISO and SOC 2 security reports to identify any deficiencies, and follows up to ensure corrective measures are implemented if needed.
Zeguro’s architecture is designed to be resilient and secure, so it will always be available to you when you need it. We utilize a virtual private cloud in Amazon Web Services, with elastic load balancing to ensure your app is highly available.
Zeguro builds security into each and every product. As a Security First organization, SAST and RASP are built into our DevOps processes from the beginning, and manual security reviews are performed on all code. External penetration tests are performed on a regular basis, and Zeguro has a defined Responsible Disclosure Procedure for researchers who wish to report any vulnerabilities they find.