How is access to customer data restricted?

Zero-X implements multiple layers of access control to ensure your data remains secure and accessible only to authorized personnel.

Data Ownership:
  • You retain full ownership of all your data
  • Zero-X acts as a data processor, not a data owner
  • You can export your data at any time
  • You can request complete data deletion at any time

Authentication:
  • JWT-Based Authentication: All API requests require a valid JWT session token
  • Session Management: Session tokens are securely stored and validated on every request
  • Multi-Factor Authentication (MFA): Optional MFA support via TOTP or email verification
  • Password Security: Passwords are hashed using industry-standard algorithms

Authorization:
  • Request Validation: Every API endpoint validates user identity and organization membership
  • Resource Ownership: All operations verify that resources belong to the user’s organization
  • Permission Verification: Each action checks if the user’s role has the required permissions
  • Audit Logging: All access attempts and data operations are logged for security auditing
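
The chain of checks in the list above, as an added Python example that is not Zero-X's own code: a session-token map stands in for JWT validation, and `ROLE_PERMISSIONS`, `SESSIONS` and `RESOURCES` are constructed sample data. Each request passes identity, organization, resource-ownership and role checks in that order, and every attempt is written to an audit record whether it is allowed or denied.

```python
from dataclasses import dataclass

# Constructed sample data for this example; none of it is Zero-X's real data model.
ROLE_PERMISSIONS = {"admin": {"scan:read", "scan:delete"}, "read_only": {"scan:read"}}

@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str

# A session-token map stands in for JWT validation here.
SESSIONS = {"tok-alice": User("alice", "org-A", "admin"),
            "tok-bob": User("bob", "org-A", "read_only")}
# Each resource records the organization that owns it.
RESOURCES = {"scan-1": {"org_id": "org-A"}, "scan-2": {"org_id": "org-B"}}
AUDIT_LOG = []

def _decide(user, requested_org, resource_id, action):
    """Run the checks in order; return (allowed, reason) for the audit record."""
    if user is None:                                   # 1. identity: a valid session is required
        return False, "invalid session"
    if user.org_id != requested_org:                   # 2. org context must match membership
        return False, "org mismatch"
    res = RESOURCES.get(resource_id)                   # 3. resource must belong to the caller's org;
    if res is None or res["org_id"] != user.org_id:    #    missing and foreign ids get the same answer,
        return False, "resource not found"             #    so other tenants' ids cannot be probed
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, "permission denied"              # 4. the role must grant the action
    return True, "ok"

def authorize(token, requested_org, resource_id, action):
    """Evaluate one API request and log the attempt, allowed or denied."""
    user = SESSIONS.get(token)
    allowed, reason = _decide(user, requested_org, resource_id, action)
    AUDIT_LOG.append({"user": user.user_id if user else None, "org": requested_org,
                      "resource": resource_id, "action": action,
                      "allowed": allowed, "reason": reason})
    return allowed

if __name__ == "__main__":
    authorize("tok-alice", "org-A", "scan-1", "scan:delete")   # allowed
    authorize("tok-alice", "org-A", "scan-2", "scan:read")     # denied: other tenant's resource
    authorize("tok-bob", "org-A", "scan-1", "scan:delete")     # denied: read-only role
    for entry in AUDIT_LOG:
        print(entry)
```
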

API Security:
  • Endpoint Protection: All API endpoints require authentication
  • Organization Validation: Every request validates the user’s organization context
  • Input Validation: All user inputs are sanitized and validated
  • Rate Limiting: API endpoints are protected against abuse and denial-of-service attacks

Cloud Credential Security:
  • Credential Encryption: All cloud provider credentials are encrypted at rest
  • Least Privilege: Zero-X requests only the minimum permissions needed for security scanning
  • Credential Isolation: Credentials are never shared between organizations
  • Access Revocation: You can revoke access at any time by disconnecting data sources

Best Practices:

  • Regularly review user access and remove unnecessary permissions
  • Use Read-Only roles for users who only need to view data
  • Enable MFA for all administrative accounts
  • Monitor audit logs for suspicious access patterns