We're built for teams that can't afford to get security wrong.
Read-only by default. SOC 2 Type II certified. Zero data storage. Every action logged, auditable, reversible.
A security posture built for regulated infrastructure.
ZopNight is designed from first principles for enterprises that can't afford a breach, a leak, or an audit surprise. Every architectural decision defaults to the least-privileged, least-intrusive option.
Read-only access
ZopNight never requests write, modify, or delete permissions on your cloud accounts. We connect through read-only IAM roles you create and control. You can revoke access in seconds from your cloud console, no call required.
No data storage
We do not copy, cache, or persist your cloud resource data. Every scan runs in real time and results are surfaced to you directly. We store metadata about findings, never the underlying resource payloads.
Full audit trail
Every action taken in ZopNight, every scan, every recommendation viewed, every remediation initiated, is logged with timestamp, actor identity, and outcome. Logs are immutable and exportable to your SIEM.
RBAC + SSO
Role-based access control is enforced at every layer. Viewer, Editor, and Admin roles map cleanly to least privilege. SAML 2.0 and OIDC SSO are available on Enterprise: your identity provider, your rules.
Encryption at rest & transit
All data transmitted between ZopNight and your cloud accounts is encrypted via TLS 1.3. Any metadata we retain (finding records, audit logs) is encrypted at rest using AES-256 with customer-managed key option on Enterprise.
Compliance you can reference in your own audits.
Our certification posture is designed to reduce your compliance burden, not add to it. We maintain current certifications and publish our reports on request.
SOC 2 Type II
Our SOC 2 Type II report covers Security, Availability, and Confidentiality trust service criteria. Audit period: trailing 12 months. Report available under NDA to enterprise prospects.
ISO 27001
ISO 27001 certification covers our information security management system (ISMS) across all product and infrastructure operations. Certificate available on request.
GDPR Compliant
ZopNight processes no EU personal data by design: we read cloud resource metadata, not user data. Our DPA is available for EU customers and covers all processing sub-activities.
HIPAA Ready
ZopNight supports HIPAA-covered entity customers through architecture review and BAA execution. We do not process ePHI; our read-only posture ensures that by design.
CCPA Compliant
We maintain full CCPA compliance for California residents. Our privacy notice covers all categories of data we collect, the purposes for collection, and your rights under CCPA Section 1798.
The exact policy we ask for.
Here is the complete IAM policy ZopNight requests when you connect an AWS account. Copy it verbatim. Audit it against our codebase. Every action is read-only.
No *:Write. No *:Delete. Remediation runs in a separate, explicitly scoped role that you opt into per action, and only if you enable it. That role is scoped to the specific resource type and action you approve, nothing broader.
For Azure, we use a custom role with Reader + Cost Management Reader permissions on the subscription scope. For GCP, we use a custom IAM role with Viewer + Cloud Asset Viewer + Billing Account Viewer on the project scope.
Any policy change is announced in the changelog with 30-day notice.
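One way to follow the "audit it" advice above mechanically, as an added example that is not ZopNight's code: a script that walks every Allow statement in an IAM policy document and flags actions whose verb is not Describe/List/Get, service-wide wildcards, and NotAction/NotResource constructs. The sample policy is constructed from a few of the published actions plus one write action added so the check has something to report.

```python
"""Audit an AWS IAM policy document for read-only intent (added example)."""
import json

# Verb prefixes that are conventionally read-only in AWS IAM. Get* is mostly
# read-only, but a few Get actions return secrets (e.g. secretsmanager:
# GetSecretValue), so a human should still review anything under "Get".
READ_VERBS = ("Describe", "List", "Get")

# Constructed sample: some actions from the published policy above plus
# one write action (s3:PutBucketPolicy) deliberately added for the demo.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ZopNightReadOnly",
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:List*", "s3:GetBucketTagging",
                   "ce:GetCostAndUsage", "tag:GetResources",
                   "s3:PutBucketPolicy"],  # constructed write action
        "Resource": "*",
    }],
})


def audit_policy(policy_text: str) -> dict:
    """Return {"write": [...], "wildcards": [...], "problems": [...]}."""
    policy = json.loads(policy_text)
    result = {"write": [], "wildcards": [], "problems": []}
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            result["problems"].append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string here
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                result["wildcards"].append(action)  # whole-service grant
                continue
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_VERBS):
                result["write"].append(action)
    return result


def is_read_only(policy_text: str) -> bool:
    """True only when no write verbs, wildcards, or Not* constructs are present."""
    r = audit_policy(policy_text)
    return not (r["write"] or r["wildcards"] or r["problems"])


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against the policy you actually attach to the role, not only the published text, since the effective permissions are what the account enforces.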
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ZopNightReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "s3:List*",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetRightsizingRecommendation",
        "lambda:List*",
        "lambda:GetFunction",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
Security and legal documentation.
Every document you need for security review, procurement, and compliance, in one place.
Data Processing Agreement
GDPR Article 28 DPA for EU customers. Covers all sub-processors and processing activities.
Service Level Agreement
99.9% uptime commitment. Incident response times. Credits for downtime on Pro and Enterprise.
AI Usage Policy
How ZopNight uses AI/ML for recommendations. Data usage boundaries and model governance.
Subprocessors
Complete list of infrastructure, analytics, and support vendors with whom we share data.
Privacy Policy
What we collect, why we collect it, your rights under GDPR and CCPA, and how to contact us.
Terms of Service
Subscription terms, acceptable use policy, liability limits, and governing law.
Cookie Policy
What cookies we set, which are essential vs. optional, and how to manage your preferences.
Accessibility
WCAG 2.1 AA conformance statement and our commitments to inclusive product design.
Security issues? We want to know.
ZopNight undergoes annual third-party penetration testing by an independent security firm. We publish our most recent pentest summary (executive findings only, not the full report) to enterprise customers under NDA.
We also operate an ongoing responsible disclosure program. If you find a vulnerability in any ZopNight product or infrastructure, we want to hear about it before anyone else does. We will never pursue legal action against good-faith researchers.
To report a vulnerability: email security@zop.dev with a description of the issue, steps to reproduce, and any supporting evidence. Encrypt sensitive reports using our PGP key.
We do not currently operate a bug bounty program, but we recognize significant findings with public credit (with researcher consent) and may offer discretionary rewards at our security team's determination.
Contact our security team
| Milestone | Commitment | Status |
|---|---|---|
| Initial acknowledgement | Within 48 hours | on track |
| Initial severity assessment | Within 7 days | on track |
| Critical vulnerability patch | Within 14 days | on track |
| High vulnerability patch | Within 30 days | on track |
| Researcher notification | Before public disclosure | on track |
See the full security documentation. Talk to our security team.
Enterprise customers get direct access to our security engineering team, pentest reports under NDA, and a dedicated trust review before onboarding.
Request security review
Stop watching the waste.
Start cutting it.
See. Find. Fix. Automatic.
Connect your first cloud account in under 5 minutes. See your first remediation in under 7. No credit card required.