Security
1. Zero Trust Architecture
Our platform is built on a complete Zero Trust architecture. Each service is isolated through network micro-segmentation. Inter-service communications use mutual authentication (mTLS). Each component only has access to strictly necessary resources (least privilege). Every request is authenticated and authorized, with no implicit trust.
2. Encryption
All stored data is encrypted with AES-256 at rest (databases, files, backups). All communications use TLS 1.3 in transit. Encryption key management is centralized with automatic rotation. Backups are encrypted with KMS envelope and stored following the 3-2-1 rule.
3. Data Sovereignty
Deployable entirely on-premise on your infrastructure. You maintain full control over your data and your AI models. No data leaves your perimeter. Zaxyr offers several hosting options: EU sovereign cloud (France, Germany), MENA cloud (Qatar, UAE), Sovereign Cloud (Morocco, Saudi Arabia), on-premise deployment (Docker, Kubernetes), hybrid mode, and air-gapped for the most sensitive environments. Clients choose their region. AI models are trained and deployed within your infrastructure.
4. Certifications
Certification processes in progress. ISO 27001 and SOC 2 Type II audits are planned for 2026. Our AI engines are designed to comply with the European AI regulation (EU AI Act). A complete security dossier is available upon request for Enterprise clients.
5. Security Testing
We perform quarterly internal security audits, annual penetration tests by independent firms, and SAST/DAST analysis integrated into our CI/CD pipeline. Automated vulnerability scans run daily on infrastructure, and dependencies are continuously checked (SCA).
6. Responsible Disclosure
If you discover a security vulnerability, we encourage you to report it responsibly to [email protected]. We will acknowledge receipt within 48h and work with you to understand and fix the vulnerability. We will not pursue researchers acting in good faith. We ask that you do not access third-party data, do not degrade performance, do not disclose before fix, and allow us reasonable time (90 days).
7. Data Residency
Europe (France): GDPR, NIS2, DORA compliance. Middle East (Qatar): PDPL, PDPPL, NCA compliance. North Africa (Morocco): Law 09-08, DNSSI compliance. On-premise (client infrastructure): per local requirements.
8. Contact
Vulnerabilities: [email protected]. General questions: [email protected]. This policy may be updated. Last revised: March 2026.
Zaxyr LLC — QFC 04626
Tornado Tower, West Bay, Doha, Qatar
[email protected]