Frequently Asked Questions


What kinds of customer data does Zero-X access, process, or store?

Zero-X accesses and processes the following types of customer data to provide cloud security services:

  • AWS: Access keys, secret keys, account IDs, and region configurations
  • GCP: Service account credentials, project IDs, and region settings
  • Azure: Tenant IDs, subscription IDs, client IDs, client secrets, and resource group configurations
  • Purpose: To securely connect to your cloud environments and perform security assessments

  • Resource Inventory: Information about your cloud resources (compute instances, storage buckets, databases, networking components, etc.)
  • Resource Metadata: Resource names, IDs, tags, configurations, and status information
  • Purpose: To maintain an accurate inventory of your cloud assets for security monitoring and compliance tracking

  • Vulnerability Findings: Security vulnerabilities detected in your cloud resources
  • Compliance Assessment Results: Results from compliance framework scans (SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, CIS benchmarks, etc.)
  • Security Events: Security events and incidents from your SIEM/XDR integrations (Wazuh, CloudTrail, etc.)
  • CIEM Data: Cloud Infrastructure Entitlement Management data including IAM identities, roles, and permissions
  • Purpose: To provide security insights, compliance monitoring, and risk assessment

  • Cost Explorer Data: Cloud cost and usage information from AWS Cost Explorer, Azure Cost Management, and GCP Billing
  • Purpose: To help you understand and optimize your cloud spending

  • User Account Information: Names, email addresses, roles, and authentication credentials
  • Organization Information: Organization names, subscription details, and configuration settings
  • Purpose: To manage user access, provide multi-tenant isolation, and deliver personalized services

  • GitHub/GitLab/Bitbucket: Repository access tokens and webhook configurations (when integrated)
  • Docker Hub/ECR: Registry credentials and image metadata
  • BigQuery: Project IDs, dataset IDs, and table configurations
  • Purpose: To extend security monitoring to your development and container infrastructure

Important Notes:

  • All sensitive credentials (access keys, secrets, tokens, passwords) are encrypted at rest using AES-256-GCM encryption
  • Zero-X only accesses data necessary to provide security services
  • You maintain full control over which data sources are connected and can disconnect them at any time
  • Zero-X does not access or store your application data, customer data, or business content stored in your cloud resources

How does customer data flow through the Zero-X system?

The data flow in Zero-X follows a secure, multi-stage process.

Stage 1: Data Source Connection

1. Initial Setup: You provide cloud provider credentials through the Zero-X dashboard
2. Encryption: Credentials are immediately encrypted using AES-256-GCM before storage
3. Validation: Zero-X validates the connection and verifies access permissions
4. Storage: Encrypted credentials are stored in our secure database, isolated by organization

Stage 2: Data Collection

1. Scheduled Syncs: Zero-X performs periodic synchronization with your cloud providers (configurable frequency)
2. API Calls: Secure API calls are made to cloud provider APIs using your encrypted credentials
3. Data Retrieval: Resource inventory, security configurations, compliance status, and cost data are retrieved
4. Real-time Events: Security events are collected in real-time from SIEM/XDR integrations (Wazuh, CloudTrail, etc.)

Stage 3: Data Processing

1. Analysis: Collected data is analyzed for security vulnerabilities, compliance violations, and misconfigurations
2. Enrichment: Data is enriched with threat intelligence, compliance mappings, and risk scoring
3. Correlation: Security events are correlated to identify incidents and patterns
4. Storage: Processed data is stored in our multi-tenant database with strict organization isolation

Stage 4: Data Presentation

1. Dashboard: Security findings, compliance status, and insights are displayed in your organization’s dashboard
2. Reports: Customizable reports are generated for compliance audits and security reviews
3. Alerts: Security alerts and notifications are sent based on your configured thresholds
4. APIs: Data is accessible through secure APIs for integration with your existing tools

Stage 5: Data Retention and Deletion

1. Retention: Data is retained according to your subscription plan’s data retention policy (typically 30-90 days, configurable)
2. Deletion on Request: You can request immediate deletion of your data at any time
3. Automatic Cleanup: When you disconnect a data source, associated data is marked for deletion
4. Secure Deletion: Deleted data is securely purged from our systems following industry best practices

Key Security Features:

  • All data is isolated by organization ID at the database level
  • Data never flows between different customer organizations
  • All API communications use TLS 1.2 or higher encryption
  • Access to data requires proper authentication and authorization
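
The encryption step in Stage 1 (credentials encrypted with AES-256-GCM before storage, isolated by organization) and the later statement that production keys are hex-encoded 32-byte values are illustrated by the following Go program. It is an added example written for this FAQ, not Zero-X's own code: the CredentialVault type, its functions and the demo key are constructed assumptions. It goes slightly beyond the text by binding the organization ID into the ciphertext as GCM associated data, so a blob copied from one tenant's row to another fails to decrypt even under the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// CredentialVault seals cloud-provider credentials with AES-256-GCM before
// they reach the database. The owning organization ID is bound into the
// ciphertext as additional authenticated data (AAD), so a blob stored for
// one tenant cannot be opened under another tenant's ID even with the same
// key. Hypothetical design for illustration, not Zero-X's implementation.
type CredentialVault struct {
	aead cipher.AEAD
}

// NewCredentialVault parses a hex-encoded key and rejects anything that is
// not exactly 32 bytes, i.e. anything that is not an AES-256 key.
func NewCredentialVault(hexKey string) (*CredentialVault, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("encryption key is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("encryption key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CredentialVault{aead: aead}, nil
}

// Seal encrypts one credential for orgID. A fresh random nonce is generated
// per call (GCM nonces must never repeat under one key) and prepended to the
// output, so the stored blob is nonce || ciphertext || tag.
func (v *CredentialVault) Seal(orgID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(orgID)), nil
}

// Open decrypts a stored blob for orgID. It fails if the blob was sealed for
// a different organization, or if any byte of it was modified.
func (v *CredentialVault) Open(orgID string, blob []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(orgID))
}

func main() {
	// Constructed demo key: 64 hex characters = 32 bytes. A real key is loaded
	// from a KMS or secret store held separately from the database.
	v, err := NewCredentialVault("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
	if err != nil {
		panic(err)
	}
	blob, _ := v.Seal("org-a", []byte("constructed-secret-key-value"))
	if pt, err := v.Open("org-a", blob); err == nil {
		fmt.Println("org-a recovered:", string(pt))
	}
	_, err = v.Open("org-b", blob)
	fmt.Println("org-b open error:", err) // GCM authentication fails
}
```

The key is never written next to the ciphertext; in this design it is supplied by the process environment or a key service, which is what "stored separately from encrypted data" means in practice. Rejecting a key of the wrong length at startup, rather than at first use, is what turns the "32-byte key" requirement into an enforced check instead of a convention.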

How is access to customer data restricted?

Zero-X implements multiple layers of access control to ensure your data remains secure and accessible only to authorized personnel.

  • You retain full ownership of all your data
  • Zero-X acts as a data processor, not a data owner
  • You can export your data at any time
  • You can request complete data deletion at any time
  • JWT-Based Authentication: All API requests require a valid JWT session token
  • Session Management: Session tokens are securely stored and validated on every request
  • Multi-Factor Authentication (MFA): Optional MFA support via TOTP or email verification
  • Password Security: Passwords are hashed using industry-standard algorithms
  • Request Validation: Every API endpoint validates user identity and organization membership
  • Resource Ownership: All operations verify that resources belong to the user’s organization
  • Permission Verification: Each action checks if the user’s role has the required permissions
  • Audit Logging: All access attempts and data operations are logged for security auditing
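
The four checks listed above (identity and organization membership, resource ownership, role permission, audit logging) combine into one authorization decision. The following Go program is an added example written for this FAQ, not Zero-X's code; the roles, permission names, Session claims and Resource shape are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names and roles are constructed for this example; they are not
// Zero-X's actual role model.
type Permission string

const (
	PermReadFindings     Permission = "findings:read"
	PermDisconnectSource Permission = "sources:disconnect"
)

var rolePermissions = map[string][]Permission{
	"admin":     {PermReadFindings, PermDisconnectSource},
	"read-only": {PermReadFindings},
}

// Session is what a validated JWT would yield after signature and expiry
// checks (assumed claims: user, organization, role).
type Session struct {
	UserID string
	OrgID  string
	Role   string
}

// Resource records its owning organization so ownership can be verified.
type Resource struct {
	ID    string
	OrgID string
}

// AuditEntry is written for every decision, allowed or denied.
type AuditEntry struct {
	UserID     string
	OrgID      string
	ResourceID string
	Permission Permission
	Allowed    bool
	Reason     string
}

// ErrForbidden is returned for every denial. The specific reason goes to the
// audit log, not to the caller, so a request against another tenant's
// resource learns nothing about whether that resource exists.
var ErrForbidden = errors.New("forbidden")

type Authorizer struct {
	Audit []AuditEntry
}

func hasPermission(role string, p Permission) bool {
	for _, granted := range rolePermissions[role] {
		if granted == p {
			return true
		}
	}
	return false
}

// Authorize applies the checks in order: user and organization context
// present, resource owned by the caller's organization, role grants the
// permission. The decision is appended to the audit log before returning.
func (a *Authorizer) Authorize(s Session, r Resource, p Permission) error {
	allowed, reason := false, "ok"
	switch {
	case s.UserID == "" || s.OrgID == "":
		reason = "missing user or organization context"
	case r.OrgID != s.OrgID:
		reason = "resource belongs to another organization"
	case !hasPermission(s.Role, p):
		reason = "role lacks permission"
	default:
		allowed = true
	}
	a.Audit = append(a.Audit, AuditEntry{
		UserID: s.UserID, OrgID: s.OrgID, ResourceID: r.ID,
		Permission: p, Allowed: allowed, Reason: reason,
	})
	if !allowed {
		return ErrForbidden
	}
	return nil
}

func main() {
	a := &Authorizer{}
	admin := Session{UserID: "u1", OrgID: "org-a", Role: "admin"}
	viewer := Session{UserID: "u2", OrgID: "org-a", Role: "read-only"}
	bucket := Resource{ID: "bucket-1", OrgID: "org-a"}
	foreign := Resource{ID: "bucket-9", OrgID: "org-b"}

	fmt.Println(a.Authorize(admin, bucket, PermDisconnectSource))  // <nil>
	fmt.Println(a.Authorize(viewer, bucket, PermDisconnectSource)) // forbidden
	fmt.Println(a.Authorize(admin, foreign, PermReadFindings))     // forbidden
	for _, e := range a.Audit {
		fmt.Printf("%+v\n", e)
	}
}
```

The ownership check runs before the permission check on purpose: an administrator of one organization still has no standing on another organization's resource, and the audit entry records which rule denied the request so that repeated cross-tenant attempts show up as a pattern in the log.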
  • Endpoint Protection: All API endpoints require authentication
  • Organization Validation: Every request validates the user’s organization context
  • Input Validation: All user inputs are sanitized and validated
  • Rate Limiting: API endpoints are protected against abuse and denial-of-service attacks
  • Credential Encryption: All cloud provider credentials are encrypted at rest
  • Least Privilege: Zero-X requests only the minimum permissions needed for security scanning
  • Credential Isolation: Credentials are never shared between organizations
  • Access Revocation: You can revoke access at any time by disconnecting data sources

Best Practices:

  • Regularly review user access and remove unnecessary permissions
  • Use Read-Only roles for users who only need to view data
  • Enable MFA for all administrative accounts
  • Monitor audit logs for suspicious access patterns

What security controls and compliance practices does Zero-X implement?

Zero-X maintains a comprehensive security posture aligned with industry best practices and compliance standards.

  • Data at Rest: All sensitive data (credentials, tokens, secrets) is encrypted using AES-256-GCM encryption
  • Data in Transit: All communications use TLS 1.2 or higher encryption
  • Encryption Keys: Encryption keys are managed securely and stored separately from encrypted data
  • Key Management: Production environments require secure, hex-encoded 32-byte encryption keys
  • Input Validation: All user inputs are sanitized and validated
  • SQL Injection Prevention: Parameterized queries prevent SQL injection attacks
  • Cross-Site Scripting (XSS) Protection: Output encoding prevents XSS vulnerabilities
  • Error Handling: Secure error handling prevents information leakage
  • Session Security: Secure session management with token validation
  • TLS Encryption: All network communications use TLS 1.2 or higher
  • API Security: RESTful APIs with proper authentication and authorization
  • Rate Limiting: Protection against abuse and denial-of-service attacks
  • Firewall Rules: Network-level access controls

Zero-X helps you achieve compliance with multiple industry standards:

  • SOC 2 Type II: Service Organization Control 2 Type II compliance
  • ISO 27001: Information Security Management System (ISMS) standard
  • GDPR: General Data Protection Regulation compliance
  • PCI DSS 4.0: Payment Card Industry Data Security Standard
  • HIPAA: Health Insurance Portability and Accountability Act compliance
  • CIS Benchmarks: CIS AWS, GCP, and Azure Foundations Benchmarks (versions 2.0, 4.0, 5.0)
  • NIST 800-171: Cybersecurity framework for federal contractors
  • AWS Well-Architected Framework: Security pillar best practices
  • CISA: Cybersecurity and Infrastructure Security Agency guidelines
  • Audit Logging: Comprehensive logging of all access attempts and data operations
  • Security Event Monitoring: Real-time monitoring of security events and incidents
  • Anomaly Detection: Detection of unusual access patterns or behaviors
  • Incident Response: Automated incident detection and response capabilities
  • Regular Security Updates: Platform components are regularly updated with security patches
  • Dependency Scanning: Third-party dependencies are monitored for vulnerabilities
  • Security Testing: Regular security assessments and penetration testing
  • Role-Based Access Control: Granular permissions based on user roles
  • Multi-Factor Authentication: Optional MFA support for enhanced security
  • Session Management: Secure session handling with automatic timeout
  • Password Policies: Strong password requirements and secure password storage
  • Security Incident Detection: Automated detection of security incidents
  • Incident Classification: Severity-based classification of security events
  • Remediation Workflows: Automated remediation capabilities for common security issues
  • Notification System: Alert notifications for critical security events

Zero-X is designed to support your compliance efforts by providing:

  • Compliance framework mappings
  • Automated compliance scanning
  • Compliance reporting and evidence collection
  • Control implementation guidance
  • Compliance readiness assessments

How is our data secured and encrypted in Zero-X?

Zero-X employs multiple layers of encryption and security measures to protect your data.

Summary

Your data in Zero-X is protected by:

  • AES-256-GCM encryption for all sensitive data at rest
  • TLS 1.2+ encryption for all data in transit
  • Secure key management with separate key storage
  • Multi-tenant isolation preventing cross-organization access
  • Industry-standard encryption algorithms and practices
  • Comprehensive security controls and monitoring
  • Data is stored in secure, compliant data centers
  • Data residency options may be available based on your subscription plan
  • Contact support for specific data location requirements
  • Zero-X integrates with cloud providers and security tools
  • All integrations use secure, encrypted connections
  • Third-party credentials are encrypted and stored securely
  • You control which integrations are enabled
  • For questions about data handling, contact: 
  • For security concerns, contact: 
  • For compliance inquiries, contact: 
  • This FAQ is reviewed and updated regularly
  • Significant changes will be communicated to customers
  • Last updated: 08-Dec-2025

Note:

This FAQ provides a high-level overview of Zero-X’s data handling practices. For detailed technical documentation, please refer to our technical documentation or contact our support team.
