
Security & Transparency Statement

Published by Zen Mesh Inc. · Last updated 2026-06-19

Architecture Overview

Zen Mesh is webhook delivery infrastructure built on a zero-trust, outbound-only architecture. The platform is divided into three planes:

  • Control plane (SaaS): Configuration, policy, and observability — never in the delivery path
  • Data plane (edge): Event delivery and transformation — operates in customer regions
  • Identity plane: mTLS, SPIFFE/SPIRE workload identity — secures all internal communication

Event delivery does not depend on SaaS availability. If the SaaS control plane is unavailable, existing configured flows continue delivering with their last applied configuration; changes to configuration or policy are not applied until the control plane is reachable again.

Cryptographic Controls

Control              Scope                                       Status
TLS 1.2+             All external-facing endpoints               ✅ Enforced
mTLS                 Internal service-to-service                 ✅ Enforced, fail-closed
SPIFFE/SPIRE         Workload identity for control-plane auth    ✅ Implemented
HMAC-SHA256          Webhook payload verification with nonce     ✅ Implemented
Encryption at rest   Data stored in GCP Cloud Storage / GKE      ✅ Platform-managed keys
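The HMAC-SHA256 row above names the control but not the wire format, and the page later states that HMAC keys are rotated. The following Python is an added example written for this page, not Zen Mesh's own code: it shows the sender producing a signature and a receiver checking it with a constant-time compare, a freshness window, and a nonce store for replay protection, plus a key ring keyed by key id so that old and new keys can overlap during rotation. The header names, the `<timestamp>.<nonce>.<body>` signing input, the 300-second tolerance, and the function names are assumptions, not the product's documented format.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Assumed wire format (not specified by the page): the sender signs
# "<timestamp>.<nonce>.<raw body>" with HMAC-SHA256 and carries the parts in
# X-Zen-Key-Id, X-Zen-Timestamp, X-Zen-Nonce and X-Zen-Signature (hex digest).
TOLERANCE_SECONDS = 300  # assumed: reject events older or newer than this


def signing_input(timestamp: int, nonce: str, body: bytes) -> bytes:
    # Fixed order and delimiter so no field can be shifted into another.
    return b".".join([str(timestamp).encode(), nonce.encode(), body])


def sign(secret: bytes, key_id: str, body: bytes,
         timestamp: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Sender side: build the signature headers for one delivery attempt."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, signing_input(timestamp, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Zen-Key-Id": key_id, "X-Zen-Timestamp": str(timestamp),
            "X-Zen-Nonce": nonce, "X-Zen-Signature": mac}


class NonceStore:
    """Nonces already accepted, forgotten after the tolerance window.
    In-memory for this example; a multi-instance receiver needs a shared store
    (a TTL'd key in a database or cache) so replays across instances are caught."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self._seen: Dict[str, float] = {}

    def consume(self, nonce: str, now: float) -> bool:
        # Entries older than the window can go: such replays fail the timestamp check anyway.
        for n, t in list(self._seen.items()):
            if now - t > self.ttl:
                del self._seen[n]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify(keyring: Dict[str, bytes], body: bytes, headers: Dict[str, str],
           store: NonceStore, now: Optional[float] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        key_id = headers["X-Zen-Key-Id"]
        timestamp = int(headers["X-Zen-Timestamp"])
        nonce = headers["X-Zen-Nonce"]
        signature = headers["X-Zen-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    secret = keyring.get(key_id)  # unknown or retired key id: reject
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = hmac.new(secret, signing_input(timestamp, nonce, body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    # Consume the nonce only after the MAC checks out, so unauthenticated traffic
    # cannot fill the store or burn the nonces of genuine deliveries.
    if not store.consume(nonce, now):
        return False, "replayed nonce"
    return True, "ok"


def demo() -> List[str]:
    """One good delivery, a replay, a tampered body, a stale timestamp, a retired key."""
    keyring = {"k2": b"new-secret", "k1": b"old-secret"}  # both valid mid-rotation
    store = NonceStore(TOLERANCE_SECONDS)
    body = b'{"event":"order.created","id":42}'  # constructed sample payload
    now = 1_700_000_000
    headers = sign(b"new-secret", "k2", body, timestamp=now, nonce="a" * 32)
    results = [
        verify(keyring, body, headers, store, now)[1],
        verify(keyring, body, headers, store, now)[1],
        verify(keyring, body.replace(b"42", b"43"), headers, store, now)[1],
        verify(keyring, body, headers, store, now + TOLERANCE_SECONDS + 1)[1],
    ]
    del keyring["k1"]  # rotation finished: the old key is retired
    old = sign(b"old-secret", "k1", body, timestamp=now, nonce="b" * 32)
    results.append(verify(keyring, body, old, store, now)[1])
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of checks matters: the key id only selects which secret to try, the timestamp gate bounds how long a nonce must be remembered, and the nonce is recorded only once the signature has been verified, otherwise anyone who can reach the endpoint could pre-burn nonces or fill the store.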

Data Protection

  • In transit: All external connections use TLS 1.2+. Internal connections use mTLS with SPIFFE identity. No plaintext paths in production.
  • At rest: All customer data stored in GCP is encrypted at rest using platform-managed encryption keys (Google-managed keys; customer-managed keys are not offered).
  • Payload isolation: Customer webhook payloads are not sent to subprocessors.
  • Retention: Webhook payloads retained up to 30 days for redelivery. Operational logs retained up to 90 days.

Access Control

  • GCP IAM with least-privilege principles. No standing admin access to production.
  • GitHub with branch protection, required reviews, and signed commits.
  • Secrets encrypted at rest with age (the age file-encryption tool). HMAC signing keys rotated via zen-lock.
  • Row-level security (RLS) scopes tenant data access.

Vulnerability Management

  • Dependency scanning for known CVEs.
  • Pre-commit secret scanning.
  • All changes require pull request review.
  • Penetration testing: not yet conducted.

Transparency Commitments

  • All security claims are backed by evidence artifacts in the source repository.
  • Non-claims are published alongside claims — see below.
  • All policy documents are versioned and linked from the Version Index.
  • The source repository is the source of truth for all claims.
  • Security posture documents are available via llms.txt.

Non-Claims

  • No SOC 2, ISO 27001, PCI DSS, HIPAA, or FedRAMP certification is claimed
  • No independent penetration test has been completed
  • No bug bounty program is in place
  • No SLA or on-call commitment is made for V1 Free/Pro trial
  • No data protection authority approval has been obtained
  • Self-service data deletion/export is not yet available (manual support path exists)
  • Zen Mesh is not an anomaly detection, API catalog, or general runtime API security platform