Zero-Trust Security Architecture

Defense-in-depth security at every layer. From mTLS on all internal paths to database RLS for tenant isolation.

Key controls: mTLS on All Paths · HMAC-SHA256 · SPIFFE/SPIRE · Database RLS

Security Matrix

Zero-trust by default on all Zen-managed internal paths. Customer-managed paths are secure by default and configurable.

Flow | Traffic Class | Default | TLS | mTLS | HMAC
SaaS → Dashboard | Customer UI | Zen-managed | Required | | 
BFF → Backend | Internal Control | Zen-managed | Required | Required | 
Backend → Database | Internal Control | Zen-managed | Required | | 
Backend → Redis | Internal Control | Zen-managed | Required | | 
Ingester → Backend | Internal Data | Zen-managed | Required | Required | Optional
Agent → SaaS | Internal Control | Zen-managed | Required | Required | Required
Webhook Source → Ingester | Customer Ingress | Mixed | Supported | Optional | Supported
Ingester → Egress | Internal Data | Zen-managed | Required | Required | 
Egress → Target Service | Customer Delivery | Customer | Default ON | Optional | Optional

mTLS + HMAC: Defense in Depth

Two layers of security on every internal connection.

1. mTLS (Mutual TLS)

Both client and server verify each other's certificates. A connection is only established if both parties present valid certificates signed by the trusted CA.

  • Ingester ↔ Egress: Fail-closed in production. mTLS is mandatory.
  • Agent ↔ SaaS: mTLS is required. SPIFFE/SPIRE is used in Zen Mesh where implemented today, and the fuller agent workload-identity model is part of the planned hardening path.
  • BFF ↔ Backend: Certificate-based service authentication.

2. HMAC-SHA256

Message authentication codes verify that the payload has not been tampered with and that it originates from a trusted source.

  • Replay Protection: Nonce-based deduplication via Redis prevents replay attacks.
  • Per-Cluster Keys: HKDF-derived keys stored securely per tenant.
  • Header Verification: X-Zen-Signature header validation on all ingress.
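The three controls above (HKDF-derived per-cluster key, X-Zen-Signature check, nonce replay rejection) as one verification path, written as an added example rather than Zen Mesh's own code. It assumes a wire format the page does not specify: the hex HMAC-SHA256 in X-Zen-Signature covers "<nonce>.<body>", the nonce travels in an assumed X-Zen-Nonce header, and an in-memory set stands in for the Redis deduplication store.

```python
import hmac
from hashlib import sha256

# Added example; header layout, salt and the in-memory nonce store are assumptions.

def derive_cluster_key(master_secret: bytes, cluster_id: str,
                       salt: bytes = b"zen-hmac-v1") -> bytes:
    """Per-cluster key via HKDF-SHA256 (RFC 5869, single 32-byte output block).
    A leaked cluster key reveals neither the master secret nor sibling keys."""
    prk = hmac.new(salt, master_secret, sha256).digest()                 # extract
    return hmac.new(prk, cluster_id.encode() + b"\x01", sha256).digest()  # expand T(1)

def sign(key: bytes, nonce: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<nonce>.<body>' (assumed format)."""
    return hmac.new(key, nonce.encode() + b"." + body, sha256).hexdigest()

class NonceStore:
    """Stand-in for the Redis dedup set; production would use SET NX with a TTL."""
    def __init__(self) -> None:
        self.seen: set[str] = set()

    def add_if_new(self, nonce: str) -> bool:
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True

def verify_ingress(key: bytes, headers: dict, body: bytes,
                   store: NonceStore) -> tuple[bool, str]:
    """Reject unsigned, tampered, foreign-key and replayed requests, in that order."""
    sig = headers.get("X-Zen-Signature")
    nonce = headers.get("X-Zen-Nonce")
    if not sig or not nonce:
        return False, "missing signature or nonce"
    # Constant-time compare, and only after it succeeds do we consume the nonce,
    # so a forged request cannot burn a nonce the genuine sender still needs.
    if not hmac.compare_digest(sign(key, nonce, body), sig):
        return False, "bad signature"
    if not store.add_if_new(nonce):
        return False, "replayed nonce"
    return True, "ok"
```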

Tenant Isolation

Multiple layers of isolation keep your data separate from that of other tenants.

Application-Layer Isolation

Primary isolation at the application level. All queries are scoped to the current tenant via context setting.

Database RLS

Row Level Security policies enforced on all tenant tables. Policies use transaction-scoped tenant context.

Encryption at Rest

All sensitive data encrypted at rest. Zen-Mesh uses ZenLock for encrypted secret custody, distribution, and audit support. Credential rotation is owned by the relevant lifecycle — HMAC, TLS/certificates, JWKs, and future SVID flows — with ZenLock protecting and distributing the underlying secret material where applicable.

ZenLock — Zen-Mesh Secrets Management

Zen-Mesh's solution for secret custody and controlled distribution: centralized encrypted custody of the secret material used by Zen Mesh components, with rotation support integrated through the owning credential lifecycle.

Encrypted Storage

All secrets encrypted at rest using industry-standard encryption. Keys are never stored in plaintext.

Rotation Support

Rotation workflows can use ZenLock to protect and distribute new secret material. Rollout, canary, and rollback behavior belongs to the owning credential or deployment workflow.

Centralized Distribution

Secrets securely distributed to all components. One update propagates everywhere.

Audit Trail

Every secret access logged with tamper-evident audit trail.

Certificate Lifecycle Management

Automated certificate rotation with health checks and automatic rollback.

1. Canary Deployment

New certificates deployed to a subset of nodes first.

2. Health Check

System validates new certificates with automated probes.

3. Full Rollout

If healthy, certificates propagate to all nodes.

4. Auto-Rollback

If issues are detected, the system rolls back automatically and sends a notification.

Comprehensive Audit Logging

Immutable audit trail with tamper detection for compliance and forensics.

Hash-Chain Verification

Each audit entry contains the hash of the previous entry, creating a tamper-evident chain.

Event Tracking

All authentication, authorization, and data access events logged with full context.

Correlation IDs

Full flow correlation from webhook source through to delivery for debugging.

Retention Policies

Configurable retention with support for long-term archival.

Meets webhooks.fyi Best Practices

Built on infrastructure security standards that exceed typical webhook providers.

HMAC-SHA256 Verification

Signature verification for all webhook sources. GitHub, GitLab, Stripe, and more supported.

mTLS + SPIFFE/SPIRE

Mutual TLS and SPIFFE/SPIRE are part of the Zen Mesh internal security model and are being validated path-by-path before production-live claims. This is stronger than the typical HMAC-only approach.

Dead Letter Queue

Failed events stored for replay. Manual and automated replay for reliability.

CloudEvents Native

Full CloudEvents (CNCF) format support. Vendor-neutral, interoperable.

Certificate Rotation

Zero-downtime canary rotation with auto-rollback. Proactive security.

Hash-Chain Audit

Tamper-evident logging with hash chaining for compliance.

Questions about security?

Our team is here to help you understand our security architecture.

Evidence and verification: Trust Lifecycle Evidence · Runtime Evidence · Validation Map · AI Evidence Manifest · Non-Claims · Security Validation Matrix · Agent→SaaS mTLS Details · ZenLock & Credential Lifecycle

Validation status and evidence links are tracked in the trust lifecycle evidence docs. Public launch commitments are validated through the prod-live gate before production access. See non-claims for what is not certified or guaranteed.
