ZigiWave Security Overview

ISO 27001 
ZigiWave is ISO 27001 certified. The ISO 27001 is an international standard for information security. It is awarded to companies that meet a vast number of criteria in terms of how data is managed, stored, and maintained.  
 
FIPS 140-2  
ZigiOps encrypts the integration configuration data in full compliance with the FIPS 140-2. 

ZigiOps is designed with security in mind. Along with following industry best practices for platform development, we have built our product to align with data security by not storing any of the transferred data on a disk or database. ZigiOps keeps only a very small amount of it for troubleshooting purposes for a limited period, which can be controlled by the users. 

ZigiOps comes in On-Premises and Cloud versions. The IPaaS version is hosted on public cloud infrastructure from Amazon Web Services (AWS). Amazon maintains high standards of security for its data centers. You can read further about the AWS security practices here: 
aws.amazon.com/security/ 

The ZigiOps cloud version is only accessible over HTTPS protocols. Traffic over HTTPS is encrypted and protected from interception by unauthorized parties. ZigiWave follows current best practices for security, including the use of industry-standard TLS 1.3 and TLS 1.2 encryption algorithms with a key length of at least 128 bits. 
 
ZigiOps uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP and FTPS are also supported. For connecting to on-premises systems, access requires the installation of an agent, which can be installed behind the firewalls. It communicates outbound to ZigiOps over an encrypted link, using TLS 1.2. 
The on-premises version of ZigiOps is installed behind the firewalls in the customer’s environment and only authenticated users can access it. 

Customers login to their ZigiOps cloud instance using a password that is know only to them. Password length and complexity are advised to all customers. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored. 
ZigiOps supports automatic session logout after a period of time. The timeout can be set from 15 minutes up to 14 days. Each company can set the appropriate timeout period according to their security needs. 
ZigiOps establishes an integration by connecting to the systems using user-supplied credentials, where possible this is done using OAuth. This is done only in the preliminary configuration and customers fill-in this data by themselves. This information is encrypted. 

ZigiWave has established a set of software development lifecycle processes that incorporate security and privacy by design. Design and code reviews, as well as unit and integration testing, are part of the process. 
The R&D team go through regular training on Best Secure Coding Practices and performs Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). 

ZigiOps undergoes regular vulnerability assessments, accompanied with penetration tests, conducted by third-party companies.  
The results are further analyzed and vulnerabilities are addressed based on their level of risk and severity. 

ZigiWave has a public Data Processing Agreement, which details the types of personal information we collect, our handling of this information, and our customers’ privacy rights. 

ZigiOps provides high availability to ensure that integrations continue their operation in the event of a server failure or in case of maintenance. The high availability solution consists of a Primary ZigiOps server and at least one backup server, which continues serving the integrations after a manual failover for the On-premises and automatic failover to a backup server in a different physical data center for the SaaS version of ZigiOps. 
For more information, visit our documentation on high availability. 

ZigiWave has a Network Operations Center (NOC) which operates on a 24×7 basis to handle any incidents for the SaaS version of the product. ZigiWave has deployed security and monitoring tools for its production systems. Automated alerts are configured for security and performance issues. 

All ZigiWave employees sign NDAs and are subject to background checks that cover education, employment and criminal history, to the extent permitted by local law.  
ZigiWave applies to the principle of least privilege for access. All access and authorization rights are reviewed regularly. Access or authorization rights will be withdrawn or modified, as appropriate, promptly upon termination or change of roles. 
All employees go through mandatory information security training program during their first week at ZigiWave. 

If you would like to acquire more information, regarding the security practices ZigiWave undertake, please reach out to [email protected]