Zero-Trust Security Architecture
Defense-in-depth security at every layer. From mTLS on all internal paths to database RLS for tenant isolation.
Security Matrix
Zero-trust by default on all Zen-managed internal paths. Customer-managed paths are secure by default and configurable.
mTLS + HMAC: Defense in Depth
Two layers of security on every internal connection.
mTLS (Mutual TLS)
Both client and server verify each other's certificates. A connection is established only if both parties present valid certificates signed by the trusted CA.
- Ingester ↔ Egress: Fail-closed in production. mTLS is mandatory.
- Agent ↔ SaaS: Workload identity via SPIFFE/SPIRE.
- BFF ↔ Backend: Certificate-based service authentication.
HMAC-SHA256
Message authentication codes verify the payload hasn't been tampered with and originates from a trusted source.
- Replay Protection: Nonce-based deduplication via Redis prevents replay attacks.
- Per-Cluster Keys: HKDF-derived keys stored securely per tenant.
- Header Verification: X-Zen-Signature header validation on all ingress.
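
The checks listed above (per-cluster HKDF key, signature comparison, nonce deduplication) combined into one verifier, as an added example that is not Zen-Mesh's own code. Assumptions: the signed message layout, the salt, the 300-second window and all function names are constructed here; the in-memory store stands in for Redis; the `signature` argument is the value that would arrive in X-Zen-Signature.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds; assumed acceptance window, not a value from the page
SALT = b"constructed-example-salt"  # assumption for this sketch

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def cluster_key(master, cluster_id):
    # Per-cluster key: the cluster id is bound in through the HKDF info field.
    return hkdf_sha256(master, SALT, cluster_id.encode())

def sign(key, ts, nonce, body):
    # Length-prefix the nonce so (nonce, body) cannot be re-split under the same MAC.
    msg = f"{ts}.{len(nonce)}.{nonce}.".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class NonceStore:
    """In-memory stand-in for an atomic Redis `SET key value NX EX ttl`."""
    def __init__(self):
        self._seen = {}
    def add_if_new(self, key, ttl, now):
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if key in self._seen:
            return False
        self._seen[key] = now + ttl
        return True

def verify(master, cluster_id, ts, nonce, body, signature, store, now):
    if abs(now - ts) > MAX_SKEW:
        return "stale"
    expected = sign(cluster_key(master, cluster_id), ts, nonce, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad-signature"
    # Record the nonce only after the MAC checks out, so unauthenticated
    # traffic cannot fill the store; keep it for the whole acceptance window.
    if not store.add_if_new(f"{cluster_id}:{nonce}", 2 * MAX_SKEW, now):
        return "replay"
    return "ok"
```

The nonce entry outlives the timestamp window on purpose: a message stamped at the far edge of the allowed skew stays acceptable for up to twice that window, so a shorter expiry would reopen replay.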
Tenant Isolation
Multiple layers of isolation ensure your data stays isolated from other tenants.
Application-Layer Isolation
Primary isolation at the application level. All queries are scoped to the current tenant via context setting.
Database RLS
Row Level Security policies enforced on all tenant tables. Policies use transaction-scoped tenant context.
Encryption at Rest
All sensitive data is encrypted at rest. Zen-Mesh's ZenLock secrets management provides centralized key rotation.
ZenLock — Zen-Mesh Secrets Management
Zen-Mesh's proprietary secrets management solution. Centralized and encrypted, with automatic rotation support.
Encrypted Storage
All secrets are encrypted at rest using industry-standard encryption. Keys are never stored in plaintext.
Automatic Rotation
Rotate secrets without downtime. Canary deployment with automatic rollback if issues are detected.
Centralized Distribution
Secrets are securely distributed to all components. One update propagates everywhere.
Audit Trail
Every secret access is logged in a tamper-evident audit trail.
Certificate Lifecycle Management
Automated certificate rotation with health checks and automatic rollback.
Canary Deployment
New certificates are deployed to a subset of nodes first.
Health Check
The system validates new certificates with automated probes.
Full Rollout
If healthy, certificates propagate to all nodes.
Auto-Rollback
If issues are detected, the system rolls back automatically and sends a notification.
Comprehensive Audit Logging
Immutable audit trail with tamper detection for compliance and forensics.
Hash-Chain Verification
Each audit entry contains the hash of the previous entry, creating a tamper-evident chain.
Event Tracking
All authentication, authorization, and data access events are logged with full context.
Correlation IDs
Full flow correlation from webhook source through to delivery for debugging.
Retention Policies
Configurable retention with support for long-term archival.
Meets webhooks.fyi Best Practices
Built on infrastructure security standards that exceed typical webhook providers.
HMAC-SHA256 Verification
Signature verification for all webhook sources. GitHub, GitLab, Stripe, and more are supported.
mTLS + SPIFFE
Mutual TLS on all internal paths with SPIFFE/SPIRE workload identity. Stronger than typical HMAC-only setups.
Dead Letter Queue
Failed events are stored for replay. Manual and automated replay for reliability.
CloudEvents Native
Full CloudEvents (CNCF) format support. Vendor-neutral, interoperable.
Certificate Rotation
Zero-downtime canary rotation with auto-rollback. Proactive security.
Hash-Chain Audit
Tamper-evident logging with hash chaining for compliance.