Compliance & Security.
How we secure client data, stay compliant, and stay accountable.
Infrastructure
Websites and CRM instances run on major cloud providers (Vercel, Fly.io, AWS) with TLS 1.3, HSTS, and encryption at rest. Backups run daily with 30-day retention. Logs are retained 90 days. No credentials are ever stored in plaintext.
HIPAA
Our Enterprise HIPAA tier is for healthcare, finance, and regulated industries. It includes audit logs, RBAC, SSO, data residency, and a BAA on request. We sign a Business Associate Agreement before any PHI touches our systems. HIPAA is not a bolt-on. If you need it, you start on the Enterprise tier.
Access control
Every team member works under the principle of least privilege. Access to production systems requires two-factor authentication, IP allowlisting, and SSH keys rotated quarterly. Contractor access is scoped, time-boxed, and revoked when the engagement ends.
Accessibility
New websites ship to WCAG 2.1 AA. Color contrast, keyboard navigation, screen reader labels, and semantic HTML are non-negotiable. We re-audit every six months with automated and manual testing.
Data ownership
Your data is yours. Full export any time, in standard formats (CSV, JSON, SQL dump). No vendor lock-in. If our engagement ends, you get everything inside 10 business days, then we purge our copies.
Incident response
A suspected breach triggers an immediate containment plan, notification to affected clients within 72 hours, and a written post-mortem within 14 days. We have not had one. We want to keep it that way.
Questions
For security, compliance, or BAA requests, email hello@zayrev.com with the subject "Compliance". We reply within one business day.