Security by design
Security and tenant isolation are non-negotiable at ZUNJ. Every data path is scoped by company, and data never crosses a company boundary.
Per-company encryption
Each company's captured data lives in its own encrypted S3 bucket under a customer-managed KMS key. Optional BYO bucket / BYO key and a strict zero-access BYOK mode let you retain full cryptographic control.
Hard multi-tenant isolation
Company → team → user with enforced isolation at every layer: Postgres row-level security, per-company scoped IAM roles, and cross-tenant abuse tests that run on every change.
Least privilege & auditability
- Credentials live only in AWS Secrets Manager; workers assume scoped, session-tagged roles.
- Capture is read-only against providers and fully audited.
- No secrets in code, logs, or object tags; secret scanning enforced in CI.