Security & Compliance

Compliance

Our commitment to security and data protection

Current Status

ZewstID is actively working toward formal security certifications. Below is an overview of our current security controls and compliance roadmap.

Security Controls in Place

ZewstID implements industry-standard security controls across every layer of the platform.

Encryption at Rest & in Transit

AES-256 encryption for stored data and TLS 1.3 for all network communication.

Role-Based Access Control

Granular RBAC ensuring users and services only access what they need.

Comprehensive Audit Logging

27 event types tracked, including logins, token issuance, and admin actions.

Brute Force Protection

Automatic account lockout and progressive delays on failed authentication attempts.
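The two mechanisms named above, progressive delays and automatic lockout, fit together as a gate in front of the credential check. The following is an added illustration, not ZewstID's own code; the thresholds, the account-plus-client key format and the audit event names are constructed placeholders. Time is passed in by the caller so the logic can be exercised deterministically.

```javascript
// Added example (not ZewstID code): progressive delays plus automatic lockout for failed
// logins, keyed by account and client address. Thresholds are constructed placeholders.
const BASE_DELAY_MS = 1000;               // 1 s after the first failure, doubling each time
const MAX_DELAY_MS = 60 * 1000;           // progressive delay is capped at 60 s
const LOCKOUT_THRESHOLD = 5;              // consecutive failures that trigger a lockout
const LOCKOUT_MS = 15 * 60 * 1000;        // lockout duration
const FAILURE_WINDOW_MS = 60 * 60 * 1000; // failures older than this are forgotten

class AuthThrottle {
  constructor() {
    this.state = new Map();   // key -> { failures, notBefore, lockedUntil, lastFailure }
    this.auditLog = [];       // events a SIEM would ingest; timestamps are caller-supplied
  }

  // Decide whether an attempt for this key may even reach password verification.
  check(key, now) {
    const s = this.state.get(key);
    if (!s) return { allowed: true, retryAfterMs: 0, locked: false };
    if (s.lockedUntil > now) {
      return { allowed: false, retryAfterMs: s.lockedUntil - now, locked: true };
    }
    // Lockout fully served, or a quiet hour has passed: start fresh
    if (s.lockedUntil || now - s.lastFailure > FAILURE_WINDOW_MS) {
      this.state.delete(key);
      return { allowed: true, retryAfterMs: 0, locked: false };
    }
    if (now < s.notBefore) {
      return { allowed: false, retryAfterMs: s.notBefore - now, locked: false };
    }
    return { allowed: true, retryAfterMs: 0, locked: false };
  }

  recordFailure(key, now) {
    const s = this.state.get(key) || { failures: 0, notBefore: 0, lockedUntil: 0, lastFailure: 0 };
    s.failures += 1;
    s.lastFailure = now;
    // Exponential back-off: 1 s, 2 s, 4 s, ... up to MAX_DELAY_MS
    s.notBefore = now + Math.min(BASE_DELAY_MS * 2 ** (s.failures - 1), MAX_DELAY_MS);
    if (s.failures >= LOCKOUT_THRESHOLD) {
      s.lockedUntil = now + LOCKOUT_MS;
      this.auditLog.push({ type: 'account.locked', key, at: now, until: s.lockedUntil });
    } else {
      this.auditLog.push({ type: 'login.failed', key, at: now, failures: s.failures });
    }
    this.state.set(key, s);
    return s;
  }

  recordSuccess(key, now) {
    this.state.delete(key);
    this.auditLog.push({ type: 'login.succeeded', key, at: now });
  }
}

// `passwordOk` stands in for the real credential check, which runs only when the gate allows it.
function attemptLogin(throttle, key, passwordOk, now) {
  const gate = throttle.check(key, now);
  if (!gate.allowed) {
    return { status: gate.locked ? 'locked' : 'throttled', retryAfterMs: gate.retryAfterMs };
  }
  if (passwordOk) {
    throttle.recordSuccess(key, now);
    return { status: 'ok' };
  }
  const s = throttle.recordFailure(key, now);
  const locked = s.lockedUntil > now;
  return {
    status: locked ? 'locked' : 'failed',
    failures: s.failures,
    retryAfterMs: (locked ? s.lockedUntil : s.notBefore) - now,
  };
}
```

Keying on account and client address together, rather than on either alone, keeps a single attacker from locking out a user from many addresses while still slowing one address that sprays many accounts; a production service would also keep this state in shared storage rather than process memory.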

Multi-Factor Authentication

Support for TOTP, push authentication, WebAuthn/passkeys, and email OTP.

Secure Token Handling

RS256-signed JWTs that can be verified against our published JWKS, and PKCE for OAuth authorization flows.

Rate Limiting on All Endpoints

Per-client rate limiting to protect against abuse and denial-of-service attacks.

Session Management

Session cookies set with the Secure and HttpOnly attributes, CSRF protection, and configurable session lifetimes.

Compliance Roadmap

Our path toward formal certifications and compliance standards.

SOC 2 Type II

Planned

Actively working toward a formal audit to demonstrate security, availability, and confidentiality controls.

GDPR

In Progress

Data handling practices aligned with GDPR requirements. Data Processing Agreement (DPA) available on request for enterprise customers.

Data Residency

Available

Available for enterprise customers. Contact our team to discuss data residency requirements for your region.

Penetration Testing

Planned

Regular third-party penetration testing planned to validate platform security posture.

Data Handling

How we handle, store, and protect your data.

Privacy Policy

All data is processed in accordance with our Privacy Policy. We are transparent about what we collect and why.


Data Processing Agreement

A Data Processing Agreement (DPA) is available on request for enterprise customers who require formal data processing terms.


Data Export

You can request a full export of your data at any time. We support standard formats to ensure portability.

Data Deletion

Upon account closure, all associated data is permanently deleted within 30 days. Deletion requests can also be submitted at any time.

Compliance Questions?

For questions about our security practices, compliance roadmap, or to request a DPA, reach out to our compliance team.

[email protected]