Security

Last updated: 2025-01-15

Zelstrom is designed for enterprise-grade controls. We prioritize confidentiality, integrity, and careful data handling.

1. Security controls

  • Encryption in transit using TLS for data exchange.
  • Access controls and least-privilege permissions for internal systems.
  • Operational monitoring for reliability and abuse detection.

2. Data handling

Audit data is handled on a need-to-know basis. We recommend using secure file sharing once scope is confirmed, rather than sending invoices or exports by email.

3. Retention and deletion

We retain data only for as long as needed to deliver the audit scope and comply with legal obligations. Deletion requests are honored where applicable.

4. Incident response

We maintain an incident response process to investigate, contain, and remediate potential security issues. Impacted parties are notified as required by law.

5. Responsible disclosure

If you believe you have found a security issue, email security@zelstrom.io. We will review reports promptly.

6. Certifications

We are building toward enterprise-grade controls and may pursue formal certifications as we scale. We do not claim compliance certifications unless explicitly verified.