At Zenable, security is foundational. Our architecture and processes are designed from first principles to minimize risk, enforce least privilege, and maintain transparency with our customers.
Nothing in our system has permission to make direct changes to your environment. Zenable systems can comment on Pull Requests with code suggestions and provide feedback directly in your IDEs and to your AI coding assistants, but any changes to customer environments are applied by your users, never by us.
We do not store customer code beyond the life of the review itself.
All systems, including test systems, use TLS 1.2+ to encrypt all data in transit.
All dependencies are updated at least weekly.
We have hundreds (and growing) of different requirements which are automatically enforced via Policy as Code. In order for code to be merged and released, it must pass all of our Policy as Code automation, as well as the appropriate automated testing and validation.
Every service in our platform has its own independent execution permissions, managed on a service-by-service basis, and runs with the minimum permissions required to perform its job.
Additionally, we enforce that all code changes to the Zenable platform must be peer reviewed by the appropriate parties using code owners, rulesets, and other techniques to ensure our own development processes meet high security and reliability standards.
In addition to internal reviews, we now perform self-reviews of automated PR comments as a secondary layer of defense against low-quality or inaccurate suggestions.
We run all of our systems in AWS using cloud-native principles: all compute workloads are short-lived, and all deployment pipeline credentials are retrieved just-in-time using least-privilege OIDC federation rather than long-lived static keys.
Every resource in our environments is deployed using fully automated, declarative systems via Infrastructure as Code, and their dependencies are updated on a weekly basis.
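The just-in-time OIDC credential model described above hinges on the trust policy of the cloud role the pipeline assumes: the identity provider issues a short-lived token, and the role's conditions decide which workflows may exchange it for credentials. The following is an added example, not Zenable's code or configuration. It assumes a GitHub Actions pipeline federating into an AWS IAM role (the account id, organisation and repository names are constructed placeholders) and contrasts a trust policy that is too permissive with one pinned to a single repository and branch, using a small checker that flags the weak settings.

```python
"""Least-privilege review of an AWS IAM role trust policy used by a GitHub
Actions OIDC deployment pipeline.

Added example, not Zenable's own code. The account id, repository names and
both policy documents below are constructed for illustration.
"""
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"
# Constructed placeholder account id and provider ARN.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER

# Constructed: the role trusts the GitHub OIDC provider, but the subject
# condition is a bare wildcard and the audience is not checked, so a workflow
# in any repository on GitHub could assume this deployment role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {GITHUB_OIDC_ISSUER + ":sub": "repo:*"}},
    }],
}

# Constructed: audience pinned to STS and subject restricted to one
# repository's main branch, so only that pipeline can obtain credentials.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                GITHUB_OIDC_ISSUER + ":aud": EXPECTED_AUDIENCE,
                GITHUB_OIDC_ISSUER + ":sub":
                    "repo:example-org/example-repo:ref:refs/heads/main",
            }
        },
    }],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list[str]:
    """Return least-privilege findings for every Allow statement that grants
    sts:AssumeRoleWithWebIdentity. An empty list means nothing was flagged."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        # The principal must be the expected OIDC provider, not a wildcard.
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(p.endswith("/" + GITHUB_OIDC_ISSUER) for p in federated):
            findings.append("federated principal is not the GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        # Without an audience check, a token minted for another relying party
        # could be replayed against STS.
        if equals.get(GITHUB_OIDC_ISSUER + ":aud") != EXPECTED_AUDIENCE:
            findings.append("audience claim is not pinned to " + EXPECTED_AUDIENCE)
        # The subject claim is what ties the role to one repository and ref.
        sub = equals.get(GITHUB_OIDC_ISSUER + ":sub") or like.get(GITHUB_OIDC_ISSUER + ":sub")
        if sub is None:
            findings.append("no subject condition: any workflow from the issuer may assume the role")
            continue
        for pattern in _as_list(sub):
            parts = pattern.split(":")
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"subject {pattern!r} is not pinned to a single repository")
            elif "*" in ":".join(parts[2:]):
                findings.append(f"subject {pattern!r} allows any ref/environment of the repository")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(trust_policy_findings(policy), indent=2))
```

Run as a script, the weak policy is flagged for both the unpinned audience and the wildcard subject, while the hardened one produces no findings. The same checker can be pointed at a trust policy pulled from a real account to confirm that a deployment role cannot be assumed by workflows outside the intended repository and branch.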
We're preparing for a SOC 2 Type II audit, with expected attestation in 2026.
Think you found a security issue? Please follow responsible disclosure guidelines and report it to security@zenable.io.
No.
Regardless of whether you're on a free or paid tier, we do not train or fine-tune models using our users' code.
Good question, here's the backstory:
The problem Zenable solves has clearly been an issue for many years. Our founding team had designed, built, and re-built numerous solutions to this problem, but there was always one issue: usability.
Even when using fairly advanced Machine Learning and Natural Language Processing techniques, the results just weren't very usable. The prior solutions required very technical users, and that wouldn't work: governance needs to be usable by everybody.
AI (or really, Large Language Models) solves this final usability issue. So it's not just a buzzword; it's the key to making this highly technical system work for anybody, not only engineers.