Security & Trust — Zero Assist

All candidate session data and company account data are stored in a self-hosted PostgreSQL database running on Oracle Cloud Infrastructure (OCI) in Mumbai, India. Backend application servers run on the same India infrastructure. See our Privacy Policy for full residency details.

  • In transit: all telemetry is transmitted over secure WebSocket (WSS) / HTTPS using TLS 1.2 or higher.
  • At rest: databases storing candidate session data and scan reports are encrypted with AES-256.
  • The agent pins our certificate chain to resist man-in-the-middle interception.
  • No screen, webcam, or audio recording. The agent checks microphone access status only — it never records audio or video.
  • No keystroke logging and no file-content scanning (only the names of running executables are read).
  • Forensic raw data is purged after 90 days; see the Privacy Policy retention table.
  • Raw scan reports are accessible only to the Interviewer account that initiated the session, enforced by role-based access control (RBAC).
  • Internal engineering and support staff do not have routine access to raw candidate data; any escalated access is logged and audited.
  • An append-only security audit log records authentication, report-access, and deletion events.
  • Dependencies are regularly scanned for known vulnerabilities (CVEs).
  • The agent does not open externally reachable listening ports.
  • HTTP security headers are enforced at the application edge.

In the event of a confirmed personal-data breach, Zero Assist notifies affected Customers and the relevant authorities within 72 hours of discovery, consistent with GDPR and applicable Indian law.

Zero Assist is built to GDPR, DPDPA 2023, and CCPA principles and is undergoing a SOC 2 readiness program. Enterprise customers can request our sub-processor register and policy summaries — see Sub-processors and the Data Processing Agreement.

If you believe you have found a security vulnerability, email with steps to reproduce. Please give us a reasonable time to remediate before any public disclosure, and do not access or modify data that is not yours. We do not pursue legal action against researchers who follow this policy in good faith. Our machine-readable contact is published at /.well-known/security.txt.