# Security Zuplo hosts mission-critical infrastructure for our customers and as such we take our security and your security very seriously. Zuplo was started with a security mindset and all team members are responsible for ensuring our services and infrastructure are secure. Services are designed with security in mind from the beginning and we rely on best-in-class security tooling to ensure our infrastructure is safe and secure. :::tip **Reporting Issues**: If you have a security concern or believe you have found a vulnerability in any part of Zuplo please contact us immediately by emailing us at [security@zuplo.com](mailto:security@zuplo.com). For full terms see our [Security Policy](https://zuplo.com/legal/security-policy). ::: ## Security Practices ### Corporate Security Zuplo implements a number of security controls to ensure that only authorized Zuplo team members have access to company infrastructure. This section is intended to give a high level of our security practices. - Access to services, applications, and infrastructure is controlled via SSO using our corporate identity provider. - We require strong, phishing-resistant 2FA on all identity accounts. - We rely on identity and device policy-enforced access controls for all services. - No access is the default, when access to systems is granted the least privilege required is granted. When possible temporary permission escalation is used. - Access controls are centralized, employee onboarding/offboarding is automated, and audit logs are kept for all business-critical services. Access grants are regularly audited. ### Network and Infrastructure Security Zuplo implements many layers of security to ensure our networks and infrastructure remain secure. - Our infrastructure runs on Google Cloud Platform and Cloudflare. - Zuplo only exposes traffic directly to the internet through Cloudflare. Internal infrastructure and services don't have public IP addresses and instead are connected to Cloudflare using outbound secure tunnels. - Each service that's exposed is protected by DDoS, Firewall, WAF, and other security measures. - Internal and external APIs are protected by Zuplo API Gateway. - Internal services can only be connected to by Zuplo employees using an identity and device policy-enforced proxy using secure tunnels. - Interconnected Zuplo services utilize mTLS authentication or gateway authorization for access control. - Traffic between Zuplo services or services Zuplo uses is encrypted in transit. - Customer data and compute is isolated in multiple ways (secure Kubernetes virtualization, V8 Isolates, etc.) - Logging data is centralized and configured for monitoring and alerting. - Customer data is encrypted at rest. ### Application Security At Zuplo, application security is considered at every phase of software development. We utilize multiple layers and tools to help us build secure software. - Changes are done via pull requests with code reviews. - Infrastructure is managed via Terraform, changes go through code reviews. - Third-party dependencies are continually scanned for vulnerabilities and patches are applied using automated tools whenever possible. - Containers are automatically scanned using GCP Container Scanning. - Penetration testing is performed regularly. - Builds and deployments are fully automated. ### Disaster Recovery We understand that if we go down, our customers' APIs go down too. While Zuplo has an excellent track record of uptime serving billions and billions of requests with zero downtime, the team also plans for the worst. We maintain a variety of measures to ensure we can quickly recover from any type of disaster. - Full data backups occur on regular schedules (usually every 6 hours) - Incremental backups occur frequently (usually every hour) - Event-based backups occur for customer APIs - for example, we save each production Gateway build/configuration so everything needed to recover customer services to a particular point in time is available. - Data recovery is tested regularly with full disaster recovery testing done every year. - Business critical configuration is managed via source code (mostly Terraform) to ensure that in the event portions of our infrastructure are taken offline they can be quickly restored. - Business critical services used by Zuplo have enterprise SLAs with at least 99.95% uptime guarantees. ### Compliance See our [Trust & Compliance Report](https://trust.zuplo.com/) for details on compliance including our SOC2 Type II accreditation status. ### Security Questionnaire If you have a custom security questionnaire, send it to us and we will get responses back to you as soon as possible.