Enterprise security is not a feature.
It is infrastructure.

Zeal processes sensitive commercial contracts and legal data on behalf of enterprise clients. This page documents the technical and organizational controls that govern how that data is stored, processed, transmitted, accessed, and protected. These are not marketing claims. They are audited, documented commitments.

Audit

SOC 2 Type II

SOC 2 Type II is an independent audit conducted by a licensed CPA firm. Unlike Type I, which evaluates controls at a single point in time, Type II assesses whether controls operate effectively over an observation period -- typically six to twelve months. Zeal's annual SOC 2 Type II audit covers the Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The audit examines access controls, change management procedures, incident response processes, monitoring systems, and vendor management, among other control domains. The report is available to enterprise customers and prospects under NDA.

Standard

ISO 27001

ISO 27001 is the international standard for Information Security Management Systems. Certification requires establishing a documented ISMS, performing a formal risk assessment, implementing a defined set of controls from Annex A, and passing an initial certification audit by an accredited third-party registrar. Ongoing certification requires annual surveillance audits and a full recertification audit every three years. Zeal maintains ISO 27001 certification across its production infrastructure, development environment, and core business processes. The certificate can be verified directly with our certifying registrar.

Data Protection

Encryption

At rest

All customer data is encrypted at rest using AES-256. This applies to primary databases, backup stores, file storage, and any derived data sets produced during AI processing. Encryption is applied at the storage layer and does not depend on application-level controls.

In transit

All data transmitted between clients and Zeal's servers, and between internal services, uses TLS 1.3. TLS 1.0 and 1.1 are disabled. Cipher suites are restricted to those providing forward secrecy. HSTS is enforced with a minimum one-year max-age on all public endpoints.
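The transit policy above (TLS 1.3 only, forward-secrecy suites, HSTS max-age of at least one year) is the kind of claim a customer can verify from the outside. The following is an added example, not Zeal's code: it evaluates a single observed connection against that policy from values a real handshake and response would yield, and builds a client context that refuses anything below TLS 1.3.

```python
import ssl
from typing import List, Optional

ONE_YEAR = 365 * 24 * 60 * 60  # minimum HSTS max-age stated on the page (seconds)

def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security header into directives (RFC 6797).
    Directive names are case-insensitive; max-age becomes an int, flags become True."""
    directives: dict = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            value = value.strip().strip('"')
            directives[name] = int(value) if value.isdigit() else -1  # -1: malformed
        else:
            directives[name] = True
    return directives

def has_forward_secrecy(version: str, cipher: str) -> bool:
    """Every TLS 1.3 suite uses ephemeral key exchange; for TLS 1.2 only the
    (EC)DHE suites provide forward secrecy (OpenSSL names such as ECDHE-RSA-...)."""
    return version == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))

def audit_endpoint(version: str, cipher: str, hsts_header: Optional[str]) -> List[str]:
    """Return policy violations for one observed connection. The inputs are what
    ssl.SSLSocket.version(), ssl.SSLSocket.cipher()[0] and the response's
    Strict-Transport-Security header give you after a real handshake."""
    findings = []
    if version != "TLSv1.3":
        findings.append(f"negotiated {version}; policy requires TLSv1.3")
    if not has_forward_secrecy(version, cipher):
        findings.append(f"cipher {cipher} lacks forward secrecy")
    max_age = parse_hsts(hsts_header).get("max-age", -1)
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} below one year ({ONE_YEAR})")
    return findings

def strict_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.3, so a handshake with an
    endpoint that still offers only 1.0/1.1/1.2 fails instead of silently downgrading."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

if __name__ == "__main__":
    # Constructed observations, not measurements of any real endpoint.
    print(audit_endpoint("TLSv1.3", "TLS_AES_256_GCM_SHA384", "max-age=31536000; includeSubDomains"))
    print(audit_endpoint("TLSv1.2", "AES128-SHA", "max-age=3600"))
```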

Key management

Encryption keys are managed through a dedicated key management service. Customer data keys are unique per tenant and are never stored alongside the data they protect. Key rotation is performed on a defined schedule. Access to key material is restricted to authorized services and logged. Enterprise customers may optionally bring their own key (BYOK) for an additional layer of customer-controlled encryption over their data.

Infrastructure

Data residency

Zeal's production infrastructure is hosted on AWS. By default, customer data is stored in the US East (N. Virginia) region. Enterprise customers with data residency requirements may elect to have their data processed and stored in the EU West (Ireland) region or the US West (Oregon) region. Region selection is configured at the time of contract execution and applies to primary storage, backup storage, and AI processing pipelines.

Zeal does not replicate customer data across regions without explicit customer authorization. Sub-processors that handle customer data are listed in the Data Processing Addendum provided with enterprise agreements. That list is maintained and updated when sub-processors change, with advance notice provided to affected customers as required by applicable data protection law.

Identity and Access

Access control

Role-based access control (RBAC)

Access within Zeal is governed by role-based permissions. Roles are defined at the organization level and can be scoped to specific contract repositories, matter types, or business units. Administrators can create custom roles with granular read, write, export, and administration permissions. Role assignments are logged and included in the audit trail.

Single sign-on (SSO)

Zeal supports SAML 2.0 and OIDC-based SSO. Pre-built integrations are available for Okta, Azure Active Directory, and Google Workspace. Enterprise customers can enforce SSO as the exclusive authentication method, preventing password-based login for all users in their organization. SSO provisioning and deprovisioning via SCIM 2.0 is supported for Okta and Azure AD.

Multi-factor authentication

MFA is required for all Zeal accounts not authenticating through an SSO provider. TOTP-based authenticator apps and hardware security keys (WebAuthn/FIDO2) are supported. SMS-based MFA is not offered. Organizations may enforce MFA requirements and restrict which second factors are permitted.

Audit logs

All authentication events, data access events, configuration changes, and administrative actions are recorded in an immutable audit log. Logs are retained for a minimum of twelve months and are available for export via the admin console or the Zeal API. Enterprise customers may configure log streaming to a SIEM of their choice over a supported webhook or direct integration.

Critical: How AI Processing Works

What happens to your contract data when AI processes it

What is sent to AI models

When Zeal processes a contract, relevant clauses or document segments are submitted to a large language model for analysis. These are the minimum segments needed to answer the specific query or perform the specific extraction task. Zeal does not submit entire contract corpora in bulk. Segments are submitted with a tenant-isolated context -- no data from another customer's documents is present in the same inference call.

Tenant isolation

Each customer's data is processed within an isolated context. Inference calls do not share conversation history, retrieved context, or cached state across tenant boundaries. There is no mechanism by which one customer's contract language influences the output produced for another customer's query.

Model training

Zeal does not use customer contract data to train, fine-tune, or otherwise update shared AI models. Customer data submitted during processing is not retained by Zeal's AI infrastructure beyond the immediate inference call. Enterprise Data Processing Addenda include explicit contractual prohibitions on training use of customer data.

LLM provider agreements

Zeal maintains data processing agreements with each AI model provider used in production. These agreements include zero data retention commitments for inference calls, confidentiality obligations, and prohibitions on the use of submitted data for provider-side model improvements. The list of AI sub-processors is disclosed in Zeal's Data Processing Addendum.

Operations

Incident response

Zeal maintains a documented Incident Response Plan that defines detection, classification, containment, eradication, recovery, and post-incident review procedures. Incidents are classified by severity based on potential impact to customer data and service availability.

Notification SLAs

Initial acknowledgment: within 1 hour of confirmed incident
Customer notification (Sev-1 data incidents): within 24 hours
Regulatory notification (where required): within 72 hours per GDPR Article 33
Incident summary report: within 5 business days of resolution

Customer communication during an active incident occurs through the primary contact designated in the customer's account settings. Status updates are posted to Zeal's public status page. Post-incident reports include a root cause analysis, timeline, and description of remediation steps taken.

Security Testing

Penetration testing and vulnerability disclosure

Zeal engages an independent third-party security firm to conduct a full-scope penetration test of its production environment on an annual basis. The scope covers the web application, API layer, authentication systems, and network perimeter. Penetration test findings are remediated according to severity-based SLAs, and summary reports are available to enterprise customers under NDA upon request.

In addition to third-party testing, Zeal operates a continuous vulnerability scanning program covering container images, dependencies, and infrastructure configurations. Critical and high-severity findings are tracked in a dedicated security backlog with defined remediation timelines.

Responsible disclosure: Security researchers who identify a potential vulnerability in Zeal's systems may report it to security@zeal.us. Zeal commits to acknowledging receipt within two business days and coordinating disclosure timing with the reporter. Zeal does not pursue legal action against good-faith security researchers operating under this policy.

Regulation

GDPR

Zeal operates as a data processor under GDPR for customer data submitted through the platform. Zeal maintains a Data Processing Addendum (DPA) that is available for execution with all enterprise customers. The DPA includes Standard Contractual Clauses for international transfers, sub-processor disclosure requirements, data subject rights support obligations, and breach notification commitments. Zeal appoints a Data Protection Officer who can be reached at privacy@zeal.us.

Regulation

CCPA and CPRA

Zeal supports customer obligations under the California Consumer Privacy Act and the California Privacy Rights Act. Zeal does not sell or share personal information as defined under CCPA/CPRA. For customers operating as businesses under California law, Zeal executes a Service Provider Agreement that includes the required statutory limitations on use of personal information. Zeal's Data Processing Addendum incorporates CPRA-compliant terms for customers who require them.

Enterprise

Enterprise security features

The following capabilities are available to enterprise customers in addition to the controls described elsewhere on this page.

Custom data retention policies

Administrators can configure per-repository data retention windows. Data past the retention horizon is permanently deleted on a defined schedule, with deletion verified and logged.

Bring your own key (BYOK)

Enterprise customers may provide their own encryption key via AWS KMS or Azure Key Vault. Zeal's systems use the customer-managed key to encrypt tenant data, ensuring that key revocation by the customer immediately renders the data inaccessible.

IP allowlisting

Access to the Zeal platform can be restricted to specific IP ranges at the organizational level. Any authentication attempt originating from outside the allowlist is rejected before credentials are evaluated.
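The ordering matters: the allowlist decision has to run before any credential is looked at. The following is an added example, not Zeal's implementation, showing that ordering with a constructed request type and demo credential; the counter records whether the credential step ever ran for a rejected source, and IPv4-mapped IPv6 addresses are normalised so they match IPv4 ranges rather than slipping past them.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed demo credential; a real deployment verifies against the identity store.
DEMO_CREDENTIAL = "demo-credential"

@dataclass
class Request:
    """Minimal constructed request: the peer address of the TCP connection and the
    presented credential. Use the socket peer (or the address a trusted load balancer
    reports), never an unauthenticated X-Forwarded-For header."""
    peer_ip: str
    credential: Optional[str] = None

class AllowlistGate:
    def __init__(self, cidrs: Iterable[str]):
        # strict=True rejects ranges with host bits set ("203.0.113.5/24") at config time
        self.networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
        self.credential_checks = 0  # how often the credential step actually ran

    def ip_allowed(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # an unparsable source address is rejected, never allowed
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) must match IPv4 ranges, not bypass them
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        return any(addr in net for net in self.networks)

    def _verify_credential(self, credential: Optional[str]) -> bool:
        self.credential_checks += 1
        return hmac.compare_digest((credential or "").encode(), DEMO_CREDENTIAL.encode())

    def authenticate(self, req: Request) -> Tuple[int, str]:
        """Allowlist first: a rejected source never reaches credential evaluation, so
        it cannot enumerate usernames or exhaust lockout counters from outside the range."""
        if not self.ip_allowed(req.peer_ip):
            return 403, "source address not in organization allowlist"
        if not self._verify_credential(req.credential):
            return 401, "invalid credentials"
        return 200, "authenticated"
```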

Private link and VPC peering

Enterprise deployments can connect to Zeal's infrastructure over AWS PrivateLink or VPC peering, eliminating traffic traversal over the public internet for API and data access operations.

SIEM integration and log export

Audit log data can be streamed in real time to Splunk, Datadog, or any SIEM that accepts webhook or S3-based log delivery. Log format is structured JSON with documented schema.

Dedicated security review

Enterprise customers may request a security review session with Zeal's security team, including access to penetration test summaries, control evidence, and questionnaire completion support.

Security questions and documentation requests

If you have specific security questions, would like to complete a vendor security questionnaire, or need access to Zeal's SOC 2 report, penetration test summary, DPA, or ISO 27001 certificate, contact the Zeal security team directly. Dedicated security review calls are available for enterprise prospects.