Security Certifications
Zūm Rails conducts several recurring audits to ensure continuous compliance with industry standards and best practices.
Zūm Rails works with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers’ data.
SOC 2 is a comprehensive reporting framework in which independent third-party auditors conduct an assessment and subsequent testing of controls relating to the security, availability, processing integrity of information and systems, confidentiality or privacy of the information processed.
Zũm Rails has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Service Provider. PCI is The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
Security Controls
Zūm Rails continuously monitors 140+ security controls across the organization.
Automated alerts and evidence collection allows Zūm Rails to reliably prove its security and compliance status any day of the year, while fostering a security-first mindset and culture of compliance across the organization.
Zũm Rails clients can request a detailed report containing several audited controls, which are monitored every day.
Security Policies
Zūm Rail’s security policies are managed, communicated, and approved by senior management to ensure everyone knows their security responsibilities. Policies are audited annually as part of SOC 2 and PCI certification.
Code development is done through a documented Secure Development Life Cycle process. Design of all new product functionality is reviewed by its security team. Zūm Rails conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. The Zūm Rails development and testing environments are separate from the production environment.
Engineers participate in annual secure code training and all new team members are required to pass a comprehensive criminal background check.
Application Monitoring
Access to all Zūm Rails applications are logged and audited. Logs are kept for two years and Zūm Rails maintains a formal incident response plan for major events including appropriate user notification.
Data Center & Network Security
Zūm Rails hosts all its software in Amazon Web Services (AWS) facilities in Canada. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 2, and ISO 27001.
All of Zūm Rails servers are located within its own virtual private cloud (VPC), protected by restricted security groups allowing only the minimal required communication to and between the servers. All access are protected with a Virtual Private Network (VPN).
Zūm Rails conducts third-party network vulnerability scans every quarter.
Data Security
All connections to Zūm Rails are encrypted using SSL, and all traffic external and internal is encrypted using strong TLS Cipher (1.2 and over). All customer data is encrypted at rest and in transit.
System passwords and sensitive data are encrypted.
We use industry-standard data storage systems hosted at AWS.
Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel. Zūm Rail clients may configure a data retention duration and customer data can be deleted from Zūm Rails systems before contract termination.
Application Security
Web application architecture and implementation follow OWASP ASVS guidelines.
In addition to Zūm Rails internal testing program, application penetration testing is conduced by a third-party annually.
Audit logging lets administrators see when users last logged in and what features they used.
Any account changes are made only by re-entering passwords, which needs to be defined following a strong-password criteria. All Zũm Rails API are securely protected, and requires an authentication token, which expires after its usage.
Report an Issue or Bug
If you have discovered a security issue or bug that you think we should know about please email us at: security@zumrails.com