Security at zMesh
Your data is the backbone of your application. We treat its security with the seriousness it deserves — encryption everywhere, zero third-party access, and complete data sovereignty.
Our Security Promise
We believe security is not a feature — it's a foundation. Every layer of zMesh is built with security-first principles:
- Your data is never read by us — we have no technical ability to view your database contents or stored files without your explicit permission.
- Your data is never shared — not with investors, partners, advertisers, or AI model providers. Ever.
- Your data never leaves your region — data sovereignty is enforced at the infrastructure level, not just policy.
- We don't cut corners — we use modern encryption standards, isolated infrastructure, and audit every access.
Six pillars of security
How we protect your data at every layer.
Encryption Everywhere
- TLS 1.3 for all data in transit — no exceptions, no fallback to older protocols
- AES-256 encryption at rest for all databases, storage objects, and backups
- Encryption keys are managed per-tenant — your keys are never shared with other customers
- Edge Functions communicate over encrypted internal channels
Data Sovereignty
- Your data stays in the region you choose — India, EU, US, or Asia-Pacific
- No cross-border data transfers without explicit consent
- Backups and replicas are created only within the same geographic region
- Compliant with India DPDPA 2023, EU GDPR, and regional data protection laws
Authentication & Access
- OAuth 2.0 and JWT-based authentication for all API access
- Multi-factor authentication (MFA) available for all accounts
- API keys with granular scoping — read-only, write, admin
- Role-based access control (RBAC) for team organizations
- Session tokens with configurable expiry and automatic rotation
Infrastructure Security
- Isolated compute environments — your functions run in sandboxed containers
- DDoS protection via Cloudflare on all endpoints
- Automated OS patching and security updates on all servers
- Network-level isolation between tenant databases — no shared database instances
- Rate limiting and throttling on all public APIs
Monitoring & Incident Response
- 24/7 automated monitoring of all platform services
- Anomaly detection for unusual API patterns and potential breaches
- All infrastructure access is logged and auditable
- Incident response team with documented playbooks
- Public status page at status.zmesh.in with real-time uptime tracking
Internal Access Controls
- Zero-trust internal architecture — no implicit trust between services
- Strict principle of least privilege for all team members
- No employee can access customer data without a documented, customer-initiated support request
- All employee access to production systems requires MFA and is logged
- Regular access reviews and revocation of unused permissions
Ongoing security practices
Security is never done — here's how we stay vigilant.
Security Audits
Regular third-party penetration testing and vulnerability assessments.
Vulnerability Disclosure
Responsible disclosure program — report issues to security@zmesh.in.
Backup Security
Encrypted backups with integrity checks, stored in the same region as your data.
Dependency Scanning
Automated scanning of all dependencies for known vulnerabilities (CVEs).
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:
- Email us at security@zmesh.in with details of the vulnerability.
- Give us reasonable time (at least 90 days) to investigate and fix before public disclosure.
- Do not access, modify, or delete other users' data during your research.
- Do not perform denial-of-service testing on production systems.
We acknowledge all valid reports within 48 hours and will credit researchers (with permission) in our security advisories.
Questions about security?
Our team is happy to answer any security-related questions or discuss compliance requirements for your use case.