Skip to main content
trust · security

We're built for teams that can't afford to get security wrong.

Read-only by default. SOC 2 Type II certified. Zero data storage. Every action logged, auditable, reversible.

01 · posture

A security posture built for regulated infrastructure.

zopnight is designed from first principles for enterprises that can't afford a breach, a leak, or an audit surprise. Every architectural decision defaults to the least-privileged, least-intrusive option.

01

Read-only access

zopnight never requests write, modify, or delete permissions on your cloud accounts. We connect through read-only IAM roles you create and control. You can revoke access in seconds from your cloud console, no call required.

02

No data storage

We do not copy, cache, or persist your cloud resource data. Every scan runs in real time and results are surfaced to you directly. We store metadata about findings, never the underlying resource payloads.

03

Full audit trail

Every action taken in zopnight, every scan, every recommendation viewed, every remediation initiated, is logged with timestamp, actor identity, and outcome. Logs are immutable and exportable to your SIEM.

04

RBAC + SSO

Role-based access control is enforced at every layer. Viewer, Editor, and Admin roles map cleanly to least-privilege. SAML 2.0 and OIDC SSO are available on Enterprise, your identity provider, your rules.

05

Encryption at rest & transit

All data transmitted between zopnight and your cloud accounts is encrypted via TLS 1.3. Any metadata we retain (finding records, audit logs) is encrypted at rest using AES-256 with customer-managed key option on Enterprise.

read-only data flow, architectural overview
zopnight read-only scanner READ-ONLY IAM ROLE READ ONLY READ ONLY READ ONLY AWS ec2 · rds · s3 lambda · cloudwatch AZURE vms · aks · sql storage · functions GCP gce · gke · bigquery cloud run · storage NO *:WRITE · NO *:DELETE · EVER findings only
Remediation runs in a separate, explicitly scoped role you opt into per action, never automatically.
02 · certifications

Compliance you can reference in your own audits.

Our certification posture is designed to reduce your compliance burden, not add to it. We maintain current certifications and publish our reports on request.

SOC 2 Type II

AICPA · Annual audit · current

Our SOC 2 Type II report covers Security, Availability, and Confidentiality trust service criteria. Audit period: trailing 12 months. Report available under NDA to enterprise prospects.

ISO 27001

BSI · Information security management

ISO 27001 certification covers our information security management system (ISMS) across all product and infrastructure operations. Certificate available on request.

03 · iam policy

The exact policy we ask for.

Here is the complete IAM policy zopnight requests when you connect an AWS account. Copy it verbatim. Audit it against our codebase. Every action is read-only.

No *:Write. No *:Delete. Remediation runs in a separate, explicitly-scoped role that you opt into per action, and only if you enable it. That role is scoped to the specific resource type and action you approve, nothing broader.

For Azure, we use a custom role with Reader + Cost Management Reader permissions on the subscription scope. For GCP, we use a custom IAM role with Viewer + Cloud Asset Viewer + Billing Account Viewer on the project scope.

Any policy change is announced in the changelog with 30-day notice.

aws iam policy · json read-only · verified
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ZopNightReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "s3:List*",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetRightsizingRecommendation",
        "lambda:List*",
        "lambda:GetFunction",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    }
    /* No *:Write. No *:Delete.       */
    /* Remediation role is separate.  */
    /* You opt in per action.         */
  ]
}
05 · pentest + reporting

Security issues? We want to know.

zopnight undergoes annual third-party penetration testing by an independent security firm. We publish our most recent pentest summary (executive findings only, not the full report) to enterprise customers under NDA.

We also operate an ongoing responsible disclosure program. If you find a vulnerability in any zopnight product or infrastructure, we want to hear about it before anyone else does. We will never pursue legal action against good-faith researchers.

To report a vulnerability: email security@zop.dev with a description of the issue, steps to reproduce, and any supporting evidence. Encrypt sensitive reports using our PGP key.

We do not currently operate a bug bounty program, but we recognize significant findings with public credit (with researcher consent) and may offer discretionary rewards at our security team's determination.

Contact our security team

Security disclosures security@zop.dev
General security questions Via your account's Trust & Security settings, or book a call
Legal / privacy inquiries legal@zop.dev
Disclosure response SLA
Milestone Commitment Status
Initial acknowledgementWithin 48 hourson track
Initial severity assessmentWithin 7 dayson track
Critical vulnerability patchWithin 14 dayson track
High vulnerability patchWithin 30 dayson track
Researcher notificationBefore public disclosureon track

See the full security documentation.
Talk to our security team.

Enterprise customers get direct access to our security engineering team, pentest reports under NDA, and a dedicated trust review before onboarding.

Multi-cloud automation· Production-ready in 30 min· SOC 2 · ISO 27001 · zero-trust· 30% average cloud cost cut· 4 platforms · 1 console· Multi-cloud automation· Production-ready in 30 min· SOC 2 · ISO 27001 · zero-trust· 30% average cloud cost cut· 4 platforms · 1 console·