Security & Trust
How Zation protects your data — technically and organizationally.
Customer Isolation
- Your data is logically isolated from every other customer's data.
- Every data access is scoped to your organization and enforced on the server — no client request can reach another customer's data.
- Cross-customer access is covered by automated tests on every release.
Data Residency — Switzerland
- All customer content and personal data are stored and processed in Switzerland North.
- Backups stay within Switzerland.
- Limited operational metadata required to authenticate and route requests may be processed by Microsoft identity services within the EEA under appropriate safeguards (see Sub-Processors).
Encryption
- Customer data is encrypted in transit (TLS 1.2 or higher).
- Customer data is encrypted at rest.
Secrets Management
- Secrets and credentials are held in a dedicated, managed secrets store.
- No secrets live in application code or configuration files.
- Services authenticate using managed identities rather than shared credentials.
- Secrets are rotated on a regular schedule.
Logging
- No personal data in logs — logs capture only operational fields.
- Where an identifier is unavoidable, it is hashed.
- Logs are retained for a limited period and then deleted automatically.
Audit Trail
- Every write operation produces an audit log entry.
- Audit entries are permanent and cannot be modified or deleted.
- They record the action and the operator who performed it — not the personal data of your end users.
- Customer admins can view their own audit trail in the Portal.
Data Breach Notification
If we become aware of a personal data breach affecting your data, we notify your admin contact without undue delay, as required by the DPA. The notification covers the nature of the breach, the data categories affected, and the measures we have taken. This supports your duty to notify the Federal Data Protection and Information Commissioner (FDPIC) under Art. 24 revDSG.
Confidentiality
Everyone we authorize to process your data is bound by confidentiality obligations. Access is limited to personnel who need it to deliver the Platform services.
Data Subject Requests
If you receive a request from a data subject (for example, access or deletion), we assist you in responding. Because we process data only on your instructions, such requests are handled through you as the controller.
For detailed questions on auth and permissions, see Permissions.