We build authorization software — being trustworthy with your data is the product. Here's our current posture, stated plainly, including what we haven't done yet.
LAST REVIEWED JULY 4, 2026
The security story starts with the design: authorization decisions never leave your infrastructure. Sidecars evaluate policies locally; the principals, resources, and context of your requests are not sent to our cloud by default.
The control plane holds only what it needs — policies, entity schemas, sync configuration — and sidecars keep serving decisions from local state if it becomes unreachable. Our outage doesn't become your outage.
All traffic between SDKs, sidecars, and the control plane is mutually authenticated. Backups are encrypted and tested. Access to production data is limited to the engineers who operate it, logged, and reviewed.
Staff access runs through SSO with hardware-key MFA, scoped to role, and expires automatically. Admin actions on the control plane are audit-logged.
And yes — we use ZStrike to authorize ZStrike. Every internal admin action passes through the same Cedar policies we ship to you.
Every change is peer-reviewed, passes automated tests and dependency scanning in CI, and deploys through short-lived credentials — no long-lived keys on laptops. The policy engine itself is fuzz-tested against the Cedar conformance suite.
Straight answer: we're not certified yet. We're an early-stage company and won't claim badges we haven't earned. Formal audits are planned, and reports will be published on this page as they complete.
In the meantime, we'll gladly complete your security questionnaire and walk your team through our architecture — security@zstrikehq.com.
Report vulnerabilities to security@zstrikehq.com. We acknowledge within 72 hours, keep you updated, and won't pursue good-faith research. Coordinated disclosure after a fix, credited if you'd like.