Security by design

Security and tenant isolation are non-negotiable at ZUNJ. Every data path is scoped by company, and data never crosses a company boundary.

Per-company encryption

Each company's captured data lives in its own encrypted S3 bucket under a customer-managed KMS key. Optional BYO bucket / BYO key and a strict zero-access BYOK mode let you retain full cryptographic control.

Hard multi-tenant isolation

Company → team → user with enforced isolation at every layer: Postgres row-level security, per-company scoped IAM roles, and cross-tenant abuse tests that run on every change.

Least privilege & auditability

  • Credentials live only in AWS Secrets Manager; workers assume scoped, session-tagged roles.
  • Capture is read-only against providers and fully audited.
  • No secrets in code, logs, or object tags; secret scanning enforced in CI.

Compliance & regulatory · Request access