Trust Center

Security you can audit,
not just trust.

Zobrx is built on enterprise-grade cryptography, consent-aware data handling, tamper-evident audit logs, and regional data residency. Every claim on this page is verifiable under NDA via our security portal.

Compliance posture

Honest status, not vanity badges

Certifications in progress are labeled as such. We won't display a badge until the audit report is in hand.

SOC 2 Type II: In audit
ISO 27001: In progress
ISO 27701 (Privacy): In progress
GDPR (EU): Compliant
CCPA + CPRA (US): Compliant
DPDP 2023 (India): Compliant
HIPAA: Ready
PCI-DSS: Via Stripe / Razorpay

SOC 2 Type II audit window opens 2026-Q3, with the report expected 2027-Q1. The ISO 27001 surveillance audit kicks off 2026-Q4.

Controls

Six pillars of platform security

Encryption

AES-256-GCM field-level envelope encryption for integration credentials and PII. TLS 1.3 in transit. AWS KMS with per-tenant data-encryption keys rotated quarterly.

BYOK / CMK

Enterprise tenants bring their own KMS key. Zobrx can decrypt only when your key is presented. Revoke at any time.

Tamper-evident audit log

Every privileged action hashes into a SHA-256 chain. 7-year retention in S3 with Object Lock. Chain verification available on request.
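As an added illustration of the hash-chain idea described above (not Zobrx's own implementation: the entry layout, the GENESIS sentinel and the sample actions are all assumed or constructed), this shows how a SHA-256 chain makes an audit log tamper-evident, and why editing one entry is detectable whether or not the editor re-hashes it:

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # constructed sentinel: the "previous hash" of the first entry


def entry_hash(prev_hash: str, record: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict]) -> Tuple[bool, int]:
    """Return (intact, index of first inconsistent entry); index is -1 when intact."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != expected_prev or e["hash"] != entry_hash(e["prev"], e["record"]):
            return False, i
        expected_prev = e["hash"]
    return True, -1


# Constructed sample of privileged actions (not real log data).
SAMPLE_ACTIONS = [
    {"ts": "2026-01-05T10:00:00Z", "actor": "admin@example.com", "action": "role.grant", "target": "user:42"},
    {"ts": "2026-01-05T10:02:00Z", "actor": "admin@example.com", "action": "apikey.create", "target": "key:7"},
    {"ts": "2026-01-05T10:09:00Z", "actor": "ops@example.com", "action": "kms.rotate", "target": "tenant:acme"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for action in SAMPLE_ACTIONS:
        append(chain, dict(action))  # copy so later edits never touch the sample list
    return chain


def edit_in_place(rehash: bool) -> Tuple[bool, int]:
    """Alter entry 1 after the fact. Without re-hashing, entry 1 itself fails; with
    re-hashing, entry 2's stored prev no longer matches, so the break surfaces there."""
    chain = build_sample_chain()
    chain[1]["record"]["actor"] = "other@example.com"
    if rehash:
        chain[1]["hash"] = entry_hash(chain[1]["prev"], chain[1]["record"])
    return verify(chain)
```

Because each entry commits to its predecessor, a change anywhere forces re-hashing every later entry, which is what an immutable store such as S3 Object Lock prevents.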

SSO, SCIM & RBAC

WorkOS-powered SSO (Okta, Azure AD, Google, Ping) + SCIM 2.0 user provisioning. 13 built-in roles + ABAC policies on Enterprise.

Enforced MFA

TOTP or WebAuthn required on all tenants. SSO-only mode available. IP allowlisting on Scale and above.

Quarterly access reviews

Automated quarterly reviews of user access, integration scopes and API keys. Drata-automated evidence collection.

Data residency

Your data, where you want it.

Five regions at GA, immutable per tenant at signup. Cross-region transfers only on your explicit write. No covert replication.

Enterprise tenants can request additional regions (AU, JP, BR, UAE) subject to ~60 days provisioning.

US: Virginia (us-east-1), default
EU: Frankfurt (eu-central-1)
UK: London (eu-west-2)
APAC: Singapore (ap-southeast-1)
IN: Mumbai (ap-south-1)

Privacy & data governance

Your customers' data, your rules

No AI training on your data

Groq + Gemini endpoints run on enterprise no-retention contracts. Your data is never used for training.

DSR endpoints

GDPR Articles 15–22 implemented: access, rectification, erasure, portability, restriction. 30-day SLA.

Consent framework

GDPR TCF, DPDP notice-and-consent, and CCPA 'do not sell' supported end-to-end.

Sub-processor transparency

Live public list of every sub-processor, region, and purpose — updated with 30-day notice.

Automated decisioning controls

GDPR Article 22 opt-outs; AI recommendations are advisory by default with human approval.

Resilience

Incident response, disaster recovery, chaos testing

24×7 monitoring

OpenTelemetry + Grafana Cloud + Panther SIEM. P1 response SLA 15 min (Enterprise).

RPO / RTO

15-min RPO with PBM Point-in-Time Recovery. 1-hour RTO on standard; 15-min on Enterprise active-passive.

Chaos game-days

Quarterly AWS FIS exercises: region failover, KMS revocation, credential rotation, CAPI backpressure.

Tenant isolation

Per-tenant Percona Server for MongoDB on Enterprise. Network + compute isolation.

Pen testing

Annual external pen test (HackerOne) + continuous Burp-driven scans. Reports under NDA.

Vendor risk

Every sub-processor carries SIG Lite + SOC 2 + DPA. Quarterly vendor reviews.

Security FAQ

Security questions, direct answers

Yes — once issued. SOC 2 Type I evidence is available under NDA today; Type II report is expected 2027-Q1. Request via the security portal or email security@zobrx.com.
Get started

Need a security deep-dive?

Our security team hosts weekly Q&A sessions for prospective enterprise customers. Bring your CISO.

  • ✓ 14-day free trial
  • ✓ No credit card
  • ✓ Cancel anytime