SOC 2 compliance

Our security controls, audit progress, and what SOC 2 means for your data.

Updated March 3, 2026

Zapat is designed with security-first architecture. We are working toward SOC 2 Type II certification. Here is where we stand and what controls are already in place.

Current security controls

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Webhook payloads verified with HMAC SHA-256 signature before processing.
  • GitHub App tokens are short-lived (1 hour) and automatically rotated.
  • All secrets stored in an encrypted vault — never in code, config files, or environment variables.
  • Agent containers run in private network subnets with no direct internet access (egress-only).
  • Full audit logging for all service invocations and agent activity.
  • Service roles follow least-privilege — each component has only the permissions it needs.
  • Webhook deduplication prevents replay attacks (each GitHub delivery ID is checked for uniqueness).
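As an added illustration (not Zapat's own code), here is how the two webhook controls above, HMAC-SHA256 signature verification and delivery-ID deduplication, fit together in a receiver. It assumes GitHub's `X-Hub-Signature-256` and `X-GitHub-Delivery` request headers and uses a constructed secret and in-memory ID store.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret for demonstration only (not a real Zapat value).
WEBHOOK_SECRET = b"example-shared-secret"


def expected_signature(secret: bytes, body: bytes) -> str:
    """Return the GitHub-style 'sha256=<hex>' HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check X-Hub-Signature-256 against the raw (unparsed) request body.

    compare_digest is constant-time, so the check does not leak how many
    leading bytes of a guessed signature were correct.
    """
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(expected_signature(secret, body), header)


class DeliveryDeduplicator:
    """Track X-GitHub-Delivery IDs already processed.

    An in-memory set is used here for illustration; a multi-replica service
    would back this with shared storage (e.g. a table with a unique constraint).
    """

    def __init__(self) -> None:
        self._seen: set = set()

    def accept(self, delivery_id: str) -> bool:
        """Return True the first time an ID is seen, False for any repeat."""
        if not delivery_id or delivery_id in self._seen:
            return False
        self._seen.add(delivery_id)
        return True


def process_webhook(headers: dict, body: bytes, dedup: DeliveryDeduplicator) -> str:
    """Gate a delivery on both checks and return a short status string.

    The signature is verified first so that an unsigned request cannot
    consume a delivery ID and block the genuine delivery that carries it.
    """
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return "rejected: bad signature"
    if not dedup.accept(headers.get("X-GitHub-Delivery", "")):
        return "rejected: duplicate delivery"
    return "accepted"
```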

SOC 2 audit timeline

We are working toward SOC 2 certification. If you need security posture documentation for a vendor assessment, contact support@zapat.ai.

Data residency

Zapat's managed infrastructure is hosted in the US (AWS us-east-1). If your compliance requirements mandate data residency in a specific region, BYOC (coming soon) will allow you to run jobs in your own cloud account and region. Contact support@zapat.ai for details.

Responsible disclosure

If you discover a security vulnerability in Zapat, please report it to support@zapat.ai.

Note

For security-related questions or vendor assessments, email support@zapat.ai.