Trust Center · updated weekly

Security that earns its place in high‑stakes testing.

Universities, government bodies, and global certification programs trust zAccess with millions of exam sessions. Here's exactly how we protect them — and how you can verify it yourself.

  • 99.97% uptime (trailing 90 days)
  • <11m mean time to resolve
  • 5 data‑residency regions
  • 24/7 security operations

Certifications & frameworks

Audited by independent third parties — not self‑attested.

  • SOC 2 Type II: Annually audited
  • ISO 27001: Information security
  • ISO 27701: Privacy management
  • GDPR: EU data protection
  • FERPA: US student records
  • WCAG 2.2 AA: Accessible by design

How we protect your data

Six pillars that show up in every product decision we make.

Encryption everywhere

AES‑256 at rest, TLS 1.3 in transit, envelope keys rotated quarterly. Per‑tenant data keys with isolated KMS scopes.

  • AES‑256 at rest
  • TLS 1.3 in transit
  • Per‑tenant KMS scopes

Tenant isolation

Multi‑tenant by design: schema‑level isolation, row‑level security, and dedicated workers for high‑sensitivity workloads.

  • Postgres RLS on every table
  • Per‑tenant queue partitions
  • Optional dedicated cluster

Regional residency

Pin tenant data to US, EU, UK, India or Australia regions. No cross‑region replication unless explicitly enabled.

  • 5 residency regions
  • No silent replication
  • Audit‑ready data‑map

Identity & access

SAML/OIDC SSO, SCIM provisioning, hardware‑key MFA, fine‑grained roles, and just‑in‑time elevation with full audit.

  • SSO + SCIM
  • Phishing‑resistant MFA
  • JIT admin elevation

Continuous monitoring

24/7 SOC, anomaly detection, runtime EDR, and weekly third‑party penetration testing on production surfaces.

  • 24/7 SOC coverage
  • Continuous EDR
  • Weekly pen‑tests

Privacy by default

Biometric templates are stored as one‑way embeddings. Candidate evidence auto‑deletes per institutional policy.

  • Embeddings, not images
  • Configurable retention
  • DSAR self‑service

Defense in depth

Every request crosses five guard rails.

From the candidate browser to encrypted storage, every hop is authenticated, rate‑limited, and observable.

  1. Edge: DDoS shield, WAF, geo‑routing
  2. Identity: SSO, MFA, JIT elevation
  3. Application: Per‑tenant request scoping
  4. Data: Postgres RLS + per‑tenant KMS
  5. Observability: Tamper‑evident audit log

Incident response

When something goes wrong, here's what happens.

A documented, rehearsed runbook — not a hope.

  1. T+0
    Detection

    Automated signals or a human report opens an incident in minutes.

  2. T+15m
    Triage

    On‑call security engineer assigns severity and assembles response team.

  3. T+1h
    Containment

    Affected systems isolated; customer impact assessed and logged.

  4. T+24h
    Customer notice

    Affected admins notified with scope, timeline, and remediation.

  5. T+7d
    Post‑mortem

    Public RCA published; corrective actions tracked to closure.

Compliance documents

Available under NDA via our trust portal.

Report a vulnerability

We'd rather hear from you first.

Coordinated disclosure with researcher recognition and bounty awards.

Subscribe to changes

Get notified when sub‑processors or policies change.

One short email when the trust posture changes — never marketing.
