Security

How we protect your data at every layer.

Last updated: Oct 31, 2025

Overview

Zocuments is built with a “secure-by-default” mindset. We combine role-based access control (RBAC), attribute-based access control (ABAC), encryption in transit and at rest, and comprehensive audit logging to help your organization meet internal security expectations.

Encryption

  • In transit: All traffic uses HTTPS/TLS.
  • At rest: Customer data and file objects are encrypted at rest by our cloud provider.
  • Secrets: Credentials and signing keys are stored in a secure secret manager and rotated periodically.

Access Control

  • RBAC: Fine-grained permissions like view, edit, and delete are granted via roles. Roles are hierarchical (e.g., delete implies edit and view).
  • ABAC: Optional security tags and categories restrict access to content by data labels (e.g., “HR:Confidential”). Users must share at least one security tag/category with the resource to view it.
  • Tenant isolation: All data is scoped by account/tenant IDs in the database and application layer.
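
The three controls above compose into a single authorization decision. The sketch below is an added example, not Zocuments code: the names (check_access, User, Resource), the ordering view < edit < delete, and the choice to skip the tag check for resources that carry no tags are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed ordering of the page's three example permissions: each level
# implies every level below it (delete -> edit -> view).
LEVELS = {"view": 1, "edit": 2, "delete": 3}

@dataclass(frozen=True)
class User:                           # hypothetical type for this example
    tenant_id: str
    granted: str                      # highest permission the user's role grants
    tags: frozenset = frozenset()     # security tags/categories held by the user

@dataclass(frozen=True)
class Resource:                       # hypothetical type for this example
    tenant_id: str
    tags: frozenset = frozenset()     # empty = no ABAC labels applied

def check_access(user: User, resource: Resource, action: str) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is what an audit log could record."""
    if action not in LEVELS or user.granted not in LEVELS:
        return False, "unknown_permission"          # fail closed on unknown names
    # 1. Tenant isolation comes first, so a cross-tenant request never
    #    reaches the role or tag logic.
    if user.tenant_id != resource.tenant_id:
        return False, "tenant_mismatch"
    # 2. RBAC: one hierarchical comparison instead of per-permission lookups.
    if LEVELS[user.granted] < LEVELS[action]:
        return False, "insufficient_role"
    # 3. ABAC: enforced only when the resource is labelled (assumption);
    #    then at least one tag must be shared.
    if resource.tags and not (user.tags & resource.tags):
        return False, "no_shared_tag"
    return True, "ok"

# Constructed sample data.
HR_DOC = Resource("acct-1", frozenset({"HR:Confidential"}))
PLAIN_DOC = Resource("acct-1")
EDITOR_HR = User("acct-1", "edit", frozenset({"HR:Confidential"}))
ADMIN_NO_TAG = User("acct-1", "delete")
OUTSIDER = User("acct-2", "delete", frozenset({"HR:Confidential"}))

if __name__ == "__main__":
    for who, doc, act in [(EDITOR_HR, HR_DOC, "view"), (EDITOR_HR, HR_DOC, "delete"),
                          (ADMIN_NO_TAG, HR_DOC, "view"), (ADMIN_NO_TAG, PLAIN_DOC, "delete"),
                          (OUTSIDER, HR_DOC, "view")]:
        print(act, check_access(who, doc, act))
```

The ADMIN_NO_TAG case is the one to test for in any RBAC plus ABAC design: a role that grants delete still cannot view a labelled resource without a shared tag.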

Application Security

  • Strong session handling with server-side validation.
  • CSRF protections on state-changing requests (for web flows).
  • Input validation and parameterized queries at the data layer.
  • Least-privilege service accounts per component.

Audit Logging

Zocuments records key events (authentication, role changes, create/update/delete of records, tagging/categorization) with timestamps and actor identifiers. These logs are available for security reviews and internal investigations.

Availability & Backups

  • Deployed on managed, redundant cloud infrastructure.
  • Automated backups of core databases; periodic restore drills.
  • Health checks and alerting for critical services.

Incident Response

We maintain an incident runbook covering detection, triage, containment, root-cause analysis, and customer communication. If we determine that a security incident impacts your data, we will notify your designated contact without undue delay.

Vulnerability Reporting

If you believe you’ve found a security issue, please email security@zocuments.com with details. We welcome responsible disclosure and will work with you to resolve the issue promptly.

Compliance

Zocuments is designed to help customers meet their own obligations. Upon request, we can execute a standard Data Processing Addendum (DPA). If you have assessment questionnaires, contact security@zocuments.com.