Platform Security

Secure by Design

Zea is built around the concept that your CAD data should never leave your premises. Your CAD data is yours and yours only, and it should never be sent to cloud servers hosted by anyone else (including us). All the CAD data processing is handled locally on your premises, and the only data transferred is lightweight visualization data and descriptive metadata. You have full control over what data is stripped out or included.

 

Application Security

  • On-Premises File Processing. Never share your CAD with anyone again. With Zea, CAD data processing happens on-prem from within your secure network, where only lightweight visualization data is then stored in our cloud platform. No CAD data is ever uploaded, transferred, or in any way shared with the Zea cloud platform.
  • Data Privacy. We only gather the data we need in order to provide services to you. We store and process this information at Zea and through secure third-party platforms like HubSpot in full compliance with local regulations. Rest assured that you and your users are in good hands. We do not sell your data.
  • User Authentication. Zea leverages enterprise-grade authentication platforms, including OAuth2 and OIDC, to ensure secure access. Our system seamlessly integrates with renowned solutions like Google and Microsoft accounts for enhanced security and privacy.
  • Password-Less. Zea also supports password-less authentication, providing an additional layer of convenience and security. Phishing attacks trick users into exposing their usernames and passwords to malicious parties who then use those credentials to gain access to your company’s private data and take control of your cloud resources.
  • User Access Controls. Zea follows traditional enterprise-level software user access control models. Each user in Zea is assigned a role that determines the user’s capabilities within the platform. Access to data is managed via workspaces, allowing small or large organizations to manage teams working on different projects simultaneously.
  • Empower your team with Zea Identity and Access Management (ZIAM). Assign distinct roles such as owner, admin, editor, and viewer, granting appropriate access levels to your organization’s resources. With ZIAM, you can centralize user management and define granular access controls based on roles.
  • Secure Data Formats. You can be sure that what goes into the platform stays in the platform. The visualization data we generate from the CAD files is based on a proprietary binary file format that can only be viewed on Zea. This binary file format is both very small, making it fast to load, and extremely difficult to reverse engineer. It contains only optimized and compressed triangles, no BREP (Boundary Representation) data or other CAD surfaces which could be extracted for use in other applications.
  • Vulnerability and Penetration Testing. We have taken every measure to build a powerful and secure platform while also using third-party security firms to perform vulnerability assessments and penetration testing. Zea works with Vumetric to perform periodic third-party testing of this nature.
  • Incident Response. Zea maintains an incident response plan with defined escalation procedures and notification timelines for security events. Our engineering team operates 24/7 on-call rotations via PagerDuty, ensuring rapid detection and response to any incidents around the clock.

Cloud Security

  • Data Storage. Data retention and backup happen securely. All cloud services, including databases, storage, and computing, are provided by and hosted on DigitalOcean (DO). We run instances and backups in multiple zones and provide a service-level agreement to back it up.
  • Encryption. We encrypt data at rest and in transit between your location and our instances on DO, ensuring that it can only be accessed by authorized roles and services with audited access to the encryption keys.
  • Backups. At Zea, we prioritize the safety and integrity of your data. As part of our robust data management practices, we perform daily backups. These backups serve as an essential safeguard against data loss or corruption. In the event of any unforeseen incidents or data-related issues, we can leverage these backups to restore your data at any point.
  • Hosting. We collaborate with world-class Cloudflare and DigitalOcean hosting providers located in the United States. By leveraging their capabilities, implementing robust backup procedures, and incorporating redundancy into our services, we maintain a secure, fast, and resilient hosting environment. This approach safeguards your data, enhances reliability, and provides peace of mind, allowing you to focus on your core business operations.
  • Multi-Site Redundancy. Data stored on our infrastructure is automatically encrypted at rest and distributed for availability and reliability; this helps guard against unauthorized access and service interruptions. The former by accentuating protocols through different sites, and the latter by providing constant data backup in multiple locations.
  • Service Deployment. Any application that runs on DigitalOcean infrastructure is deployed with security in mind. We don’t assume any trust between services, and we use the multiple mechanisms that DO makes available to us to establish and maintain trust. Our infrastructure was designed to be multi-tenant from the start.

Network Security

  • Machine-to-Machine Communication (M2M). Zea ensures secure connectivity between APIs and services through robust measures like Transport Layer Security (TLS) and short-lived HTTPS only JSON Web Tokens (JWTs). TLS guarantees encrypted communication, while the short lifespan of JWTs prevents their misuse by potential attackers. This approach enhances the overall security of M2M communication, safeguarding data integrity and preventing unauthorized access.
  • Secure Communication. Zea ensures the highest level of security for your data by utilizing HTTPS and trusted certificates issued by Cloudflare origin CA; this enables secure connections, encrypting data transmitted between all parts of our infrastructure and assuring users that their information is protected from prying eyes at all times.
  • Rate Limiting & DDoS Mitigation. We have both global and per-route limits on mutations, which prevents abuse from malicious actors.
  • Audit Logging and Observability (o11y). We've implemented structured and audited logging with user attribution, plus OpenTelemetry (OTel). Our customers in regulated industries care a lot about this.
  • API Key Security. Zea supports time-limited API keys with automatic expiration for programmatic access. API keys can be rotated and revoked at any time through the platform.