Security

Last updated: 3 May 2026

Zabt is engineered for the integrity demands of high-stakes selection. Every layer of the platform — from infrastructure to access control — is designed around the assumption that committee deliberations and evaluation outcomes must remain confidential, tamper-evident, and fully owned by you.

Encryption at Every Layer

  • At rest: AES-256 encryption applied to all stored evaluation data, attachments, and audit logs.
  • In transit: TLS 1.3 for every client and server connection.
  • Secrets: Service credentials are sealed in a managed key vault and never exposed to client bundles.

Row-Level Security (RLS) Isolation

Workspace, event, and participant data are isolated at the database layer through Postgres Row-Level Security policies. Membership, role, and round assignment are validated on every read and write — there is no application path that can bypass workspace boundaries.
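How membership, role, and round assignment checks can be expressed as Postgres RLS policies, as an added example that is not Zabt's own schema or code. The table names, column names, and the `app.user_id` session setting are hypothetical.

```sql
-- Hypothetical schema (assumed names, not Zabt's actual tables).
CREATE TABLE memberships (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    role         text NOT NULL,
    PRIMARY KEY (workspace_id, user_id)
);
CREATE TABLE round_assignments (
    round_id uuid NOT NULL,
    user_id  uuid NOT NULL,
    PRIMARY KEY (round_id, user_id)
);
CREATE TABLE evaluations (
    id           uuid PRIMARY KEY,
    workspace_id uuid NOT NULL,
    round_id     uuid NOT NULL,
    evaluator_id uuid NOT NULL,
    score        numeric NOT NULL
);

-- With RLS enabled, any command with no matching policy sees no rows.
ALTER TABLE evaluations ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policies apply to the table owner as well.
ALTER TABLE evaluations FORCE ROW LEVEL SECURITY;

-- Assumption: the app runs SET LOCAL app.user_id = '<uuid>' per transaction.
-- Read: the caller must be a member of the row's workspace.
CREATE POLICY evaluations_read ON evaluations FOR SELECT
USING (EXISTS (
    SELECT 1 FROM memberships m
    WHERE m.workspace_id = evaluations.workspace_id
      AND m.user_id = current_setting('app.user_id', true)::uuid));

-- Write: own rows only, evaluator role in the workspace, assigned to the round.
CREATE POLICY evaluations_insert ON evaluations FOR INSERT
WITH CHECK (
    evaluator_id = current_setting('app.user_id', true)::uuid
    AND EXISTS (SELECT 1 FROM memberships m
                WHERE m.workspace_id = evaluations.workspace_id
                  AND m.user_id = evaluations.evaluator_id
                  AND m.role = 'evaluator')
    AND EXISTS (SELECT 1 FROM round_assignments r
                WHERE r.round_id = evaluations.round_id
                  AND r.user_id = evaluations.evaluator_id));
-- No UPDATE or DELETE policy is defined, so those commands match no rows.

-- Audit: confirm RLS is enabled and forced, and list roles that skip it.
SELECT relname, relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'evaluations';
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Superusers and roles with `BYPASSRLS` are exempt from policies even when `FORCE ROW LEVEL SECURITY` is set, so the application should connect as a role that appears in neither result of the last query.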

Data Sovereignty

You retain absolute ownership of your Evaluation Data. Zabt acts as a Service Provider (Processor) only. We do not sell data, do not use private committee evaluations to train external AI models, and provide structured export at any time.

Operational Controls

  • Least-privilege access for the Zabt operations team, gated by SSO and audit logging.
  • Continuous monitoring with alerting on anomalous access patterns.
  • Backups encrypted with independent keys and restored under quarterly disaster-recovery drills.
  • 90-day decommissioning window with cryptographic deletion on workspace termination.

Reporting a Vulnerability

We welcome responsible disclosure. Please contact security@zabt.io with any findings. We commit to acknowledging reports within one business day.