Security Practices
Last updated on 6 December 2022
At Zealys, we take the security of customer data very seriously. This Security Practices Page details the administrative, technical and organizational security measures implemented by Zealys to safeguard customer data.
Infrastructure
Zealys uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host or process customer data submitted to Zealys services. Information about the security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and SOC reports, is available from the AWS Compliance website.
Architecture and Data Segregation
Zealys services are operated on a multitenant architecture at both the platform and infrastructure layers that is designed to segregate and restrict access to the data our customers make available via Zealys services, as more specifically defined in the Terms of Services.
Data Encryption
Zealys services use industry-standard encryption to protect customer data during transmission between a customer’s network and Zealys services. This is done by using secure protocols such as SSL/TLS and HTTPS.
Authentication
All services follow the principle of least privilege, and authentication to services and their APIs is secured using industry-standard mechanisms. OpenID Connect and the underlying OAuth 2.0 protocol are used to securely authenticate users and/or client services with trusted parties and to validate identity and access using claims-based tokens.
Access Control
Customers using Zealys services are fully empowered to conduct front-end access control for their application, including adding employees/users up to the subscribed headcount and restricting access according to the roles and permissions assigned to each user.
Confidentiality
The operation of Zealys services requires that some employees have access to the systems which store and process customer data. Zealys employs access controls and procedures to ensure that only authorized employees have access to customer data. Access by Zealys employees to customer data shall be strictly limited to activities necessary to provide the services, such as installing, implementing, maintaining, repairing, troubleshooting, or upgrading the services. All Zealys employees and contract personnel are bound to the policies applicable to the handling of customer data.
Backup of Customer Data
Zealys backs up customer data in the production environment on a daily basis. Customers may request that Zealys restore the database to a state up to seven days prior.
Deletion of Customer Data
Once a customer terminates its subscription to Zealys services, customer data will be deleted from the production environment 30 days after the termination date. Zealys shall, within 14 days, delete all copies of customer data and ensure that all of its affiliates and permitted third-party hosting providers do the same.
Data Breach Notification
Should there be any indication of a possible data breach, we will assess it swiftly within a 30-day period. If the assessment finds that the data breach is likely to result in significant damage or impact to the individuals whose personal data was involved, or that it is of a significant scale (i.e. the data breach involves the personal data of 500 or more individuals), the impacted customer will be notified no later than 24 hours after that determination is made.