Security
Defense-in-depth security architecture for the ZexRail platform.
Trust Model
ZexRail operates on a zero-trust architecture where every request is authenticated, every action is audited, and every settlement is cryptographically verified.
Defense-in-Depth Layers
Transport Security
- •TLS 1.3 on all API endpoints
- •Certificate pinning for SDK connections
- •HSTS with 1-year max-age and preload
Authentication & Authorization
- •API key scoping with read/write/admin permissions
- •Organization-level tenant isolation
- •IP allowlisting for production keys
- •Key rotation without downtime
Data Protection
- •AES-256-GCM encryption at rest
- •Row-level security in PostgreSQL
- •WORM evidence storage for audit trails
- •Automatic PII redaction in logs
Cryptographic Integrity
- •Ed25519 signatures on all Verity receipts
- •SHA-256 hash chains on negotiation events
- •Argon2id for key derivation
- •Deterministic receipt recomputation
Compliance & Certifications
| Standard | Status |
|---|---|
| SOC 2 Type II | Planned (Q4 2026) |
| GDPR | Compliant |
| CCPA | Compliant |
| ISO 27001 | In Progress |
| PCI DSS Level 1 | Via Stripe |
Responsible Disclosure
If you discover a security vulnerability, please report it to security@zexrail.com. We respond within 24 hours and aim to resolve critical issues within 72 hours. We do not pursue legal action against good-faith security researchers.