Built to be trusted with B2B data.
Zygnal is in beta and being deliberate about its security posture. Below is what we operate today, and what's on the roadmap before commercial launch.
Data residency
All Zygnal data is hosted in AWS ap-southeast-2 (Sydney). Customer data does not leave the region by default. Multi-region deployment is available on the Scale tier for customers with cross-region disaster-recovery requirements.
Tenant isolation
Multi-tenancy is enforced at the query layer via a tenant-aware middleware. Every query that reads or writes tenant data is scoped to the authenticated tenant; the application code cannot read tenant_id from request bodies. Vector and full-text indexes are partitioned by (tenant_id, product_id) — no cross-tenant or cross-product retrieval bleed.
On the Scale tier, this is reinforced with PostgreSQL row-level security policies and per-tenant customer-managed KMS keys.
Authentication and access
Staff users sign in with email-and-password today, with TOTP MFA. The Scale tier adds SSO and SCIM via Microsoft Entra ID, Google Workspace, and SAML 2.0. Per-product staff permissions (admin / editor / viewer) gate access to product-scoped data.
The in-product drawer authenticates customers with HMAC-signed boot tokens issued by your backend. There are no shared secrets in the browser, and no separate Zygnal account is required for end-customers.
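A sketch of how an HMAC-signed boot token can be issued on a backend and checked by the receiving service, added here as an illustration and not Zygnal's own code or token format. The token layout, the claim names (`sub`, `tid`, `iat`, `exp`), the function names and the lifetime limit are all assumptions; the secret is a constructed sample that would stay on the backend, so the browser only ever holds the signed token.

```python
import base64, hashlib, hmac, json, time

# Constructed sample secret; in practice it is stored only on your backend.
SECRET = b"constructed-sample-secret-not-a-real-key"
MAX_TTL = 300  # assumed upper bound on token lifetime, in seconds

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_boot_token(customer_id, tenant_id, secret=SECRET, ttl=60, now=None):
    """Backend side: sign identity claims for an already-authenticated session."""
    now = int(time.time()) if now is None else now
    claims = {"sub": customer_id, "tid": tenant_id, "iat": now, "exp": now + ttl}
    payload = b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64e(tag)

def verify_boot_token(token, secret=SECRET, now=None):
    """Verifier side: return the claims, or None if forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison, done before the payload is parsed.
        if not hmac.compare_digest(expected, b64d(tag)):
            return None
        claims = json.loads(b64d(payload))
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    # Reject expired tokens and tokens minted with an over-long lifetime.
    if not (iat <= now < exp) or exp - iat > MAX_TTL:
        return None
    return claims
```

The tenant and customer identity come only from the verified claims, so a browser that edits the payload invalidates the tag and the token is rejected.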
Audit logging
Every mutating action — article edits, ticket transitions, configuration changes, integration connections — is recorded via middleware. Audit log entries are immutable from the application layer. On the Scale tier, audit events stream to your SIEM in near real-time.
AI providers and data handling
Zygnal uses Anthropic and OpenAI for chunk summarisation, embedding generation, and drawer chat. Both providers are used under enterprise zero-retention agreements — your content is not retained beyond the request and is not used to train external models. The Zygnal Agent layer is powered internally by KernelService under a white-label OEM arrangement and is invisible to your end-customers.
Encryption
In transit: TLS 1.2+ on every public endpoint. At rest: AES-256 on RDS, S3, and EBS. Customer-managed KMS keys are available on the Scale tier.
Compliance roadmap
Today: Australian Privacy Act, GDPR data-handling principles, ISO 27001-aligned controls (informal). Phase 2: SOC 2 Type II audit, ISO 27001 certification, EU multi-region option.
Reporting a security issue
If you believe you have found a security issue, please email security@zygnal.com. Please give us a reasonable window to investigate and fix before public disclosure. We do not currently run a paid bug bounty.