Security Policy

Last updated: February 1, 2026

Security is at the core of everything we do at Zalt.io. This document outlines our security practices and commitments.

1. Security Overview

Zalt.io is designed to be darkweb-resistant and protect against sophisticated threats including credential stuffing, phishing proxies, and nation-state level attacks.

Our security architecture is built on the principle of defense in depth, with multiple layers of protection at every level.

2. Encryption

In Transit

  • TLS 1.3 for all connections
  • HSTS enabled with preloading
  • Certificate transparency monitoring

At Rest

  • AES-256 encryption for all stored data
  • AWS KMS for key management
  • Automatic key rotation every 30 days

Password Hashing

  • Argon2id algorithm (winner of the Password Hashing Competition)
  • 32 MB memory cost, time cost 5, parallelism 2
  • Unique salt per password

3. Authentication Security

Token Security

  • RS256 (RSA with SHA-256) JWT signing, FIPS compliant
  • 15-minute access token expiry
  • 7-day refresh tokens with rotation on each use
  • 30-second grace period for network retries
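What "rotation on each use" combined with a 30-second grace period implies for a refresh endpoint, as an added illustration that is not Zalt.io's code: a retried request that re-presents the just-rotated token inside the grace window gets the same successor token back, while a replay after the window is treated as a stolen token and the whole token family is revoked (the family-revocation step is an assumption, a common practice that the policy does not state). The `RefreshStore` class and the clock-injection via `now` are my own constructs.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

REFRESH_TTL = 7 * 24 * 3600  # 7-day refresh tokens (from the policy)
GRACE = 30                   # 30-second grace period for network retries


@dataclass
class RefreshRecord:
    family: str                        # ties all rotations of one login together
    issued_at: float
    rotated_at: Optional[float] = None  # set the first time this token is used
    successor: Optional[str] = None     # token handed out in its place


class RefreshStore:
    def __init__(self):
        self.tokens = {}
        self.revoked_families = set()

    def issue(self, family=None, now=None):
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = RefreshRecord(family or secrets.token_hex(8), now)
        return tok

    def refresh(self, tok, now=None):
        """Return a new refresh token, or None if the presented one is rejected."""
        now = time.time() if now is None else now
        rec = self.tokens.get(tok)
        if rec is None or rec.family in self.revoked_families:
            return None
        if now - rec.issued_at > REFRESH_TTL:
            return None  # past the 7-day lifetime
        if rec.rotated_at is None:
            # First use: rotate, remembering when and what replaced it.
            rec.rotated_at = now
            rec.successor = self.issue(rec.family, now)
            return rec.successor
        if now - rec.rotated_at <= GRACE:
            # Retry within the grace window: idempotently return the same successor.
            return rec.successor
        # Replay after the window: assume theft and revoke the family (assumption).
        self.revoked_families.add(rec.family)
        return None
```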

Multi-Factor Authentication

  • WebAuthn/Passkeys (phishing-proof, mandatory for healthcare)
  • TOTP (Google Authenticator compatible)
  • SMS MFA disabled by default due to SS7 vulnerabilities

Session Security

  • Device fingerprinting with a 70% fuzzy-match threshold
  • Session binding to device
  • Automatic invalidation on password change
  • Configurable concurrent session limits

4. Infrastructure Security

  • AWS infrastructure with VPC isolation
  • AWS WAF for attack protection
  • DDoS protection via AWS Shield
  • Regular penetration testing
  • Automated vulnerability scanning
  • Infrastructure as Code for reproducibility

5. Compliance

  • SOC 2 Type II: Annual audit of security controls
  • HIPAA: Healthcare data protection compliance
  • GDPR: EU data protection compliance
  • ISO 27001: Information security management

Compliance reports are available to enterprise customers upon request.

6. Incident Response

We maintain a comprehensive incident response plan including:

  • 24/7 security monitoring
  • Automated threat detection and alerting
  • Defined escalation procedures
  • Customer notification within 72 hours of confirmed breach
  • Post-incident analysis and remediation

7. Security Reporting

We welcome responsible disclosure of security vulnerabilities. Please report security issues to:

security@zalt.io

We commit to acknowledging reports within 24 hours and providing updates on remediation progress.