Zolvay Systems
Security · Compliance · Privacy

Trust & Security Center

Bounded Surface Architecture — engineering-led privacy for enterprise-scalable cognitive transformation.

SOC 2 Type 2 (Sub-processors) · ISO/IEC 27001 · AES-256 at rest · TLS 1.2+ in transit · Enterprise SAML SSO · No-Training Default

Security Philosophy

Bounded Surface Architecture

Zolvay operates as a bounded surface platform — an isolated, high-fidelity cognitive training environment that delivers measurable capability development with a deliberately narrow data footprint. Our security profile is calibrated to our data surface. Financial records, customer databases, and systems of record are outside Zolvay’s environment.

01 — Infrastructure

Infrastructure Layer

Zolvay operates on a distributed serverless architecture leveraging hardened, independently attested infrastructure.

Production environment: Next.js application layer with a managed PostgreSQL data layer, deployed on a global edge network with serverless execution.

Infrastructure standards: Zolvay’s core sub-processor stack is limited to Tier-1 providers who maintain independent SOC 2 Type 2 and ISO/IEC 27001 attestations. Our infrastructure is architected to ensure that every third-party component in our data path meets or exceeds these enterprise security benchmarks.

Encryption posture: AES-256 at rest, TLS 1.2 or higher in transit, with cryptographic key management inherited from sub-processor key management infrastructure.

02 — Engineering

Zolvay Engineering

Dual-key encryption: Zolvay’s architecture cryptographically separates individual identity from behavioral and psychometric data. Identity records and performance records are encrypted and kept separate to mitigate unauthorized data reconstruction.

Row-level security (RLS): Data access is enforced at the database engine itself. Every query is scoped to a specific authenticated user, creating hard architectural boundaries between entities.

Personal Container architecture: To preserve the integrity of cognitive content within the training environment, user interactions, prompts, and scoring data are isolated in per-user data containers enforced at the application layer.

03 — Inference

Inference Integrity

Zolvay integrates with AGI platforms under their standard enterprise privacy commitments and Data Processing Addendum, which contractually exclude API data from model training and fine-tuning by default. Zolvay has not opted in to any data-sharing program and will not opt in without written client authorization.

Data sovereignty: Client cognitive training content remains client property. Zolvay acts as a secure conduit; client prompts and responses stay outside public foundation model training.

04 — Data Surface

Bounded Data Surface

Zolvay’s architecture is intentionally narrow in what it processes from enterprise clients.

Category | Zolvay’s Footprint
Enterprise systems of record | Not accessed
Customer databases | Not accessed
Financial systems | Not accessed
Internal company files | Not accessed
Employee identity data | Identity credentials required for authentication; cryptographically isolated from behavioral data via dual-key architecture
Behavioral and assessment data | Generated within the Zolvay environment, isolated under dual-key encryption
Aggregate analytics | Anonymized and aggregated for organizational reporting only

05 — Configuration

Technical Configuration Summary

Specification | Implementation
Data encryption at rest | AES-256
Data encryption in transit | TLS 1.2 or higher
Authentication | JWT-based with enterprise SAML SSO support
Database access control | PostgreSQL row-level security (RLS)
Identity separation | Dual-key encryption architecture
User data isolation | Personal Container architecture
Integration profile | Bounded surface
AI inference posture | API integration under no-training default

06 — Risk Coverage

Insurance and Risk Coverage

Zolvay maintains active coverage across:

  • Directors and Officers Liability (D&O)
  • Errors and Omissions (E&O)
  • Cyber Liability
  • General Business Liability

Certificates of Insurance are available upon request as part of standard vendor risk review.

07 — Frequently Asked

Security FAQ

Does Zolvay sit inside our enterprise network?

Zolvay is a standalone cognitive development and assessment platform. It operates outside the client’s internal databases, financial systems, customer records, and other enterprise systems of record. The only client-side integration touchpoint is enterprise SSO for authentication, configured on the client’s terms.

Is Zolvay SOC 2 attested?

Zolvay’s core infrastructure and sub-processor stack are 100% independently SOC 2 Type 2 attested. Zolvay’s bounded-surface architecture aligns its security profile with data risk.

Does Zolvay use client data to train AI models?

Zolvay does not train, fine-tune, or otherwise improve any model on client data. Our integration with AGI platforms is governed by enterprise-tier agreements that contractually prohibit the use of API data for foundation model training.

Can Zolvay provide documentation for vendor risk review?

Standard documentation for enterprise due diligence—including the Platform Engineering Schematic, Certificates of Insurance (COI), and the Zolvay Data Processing Agreement (DPA)—is available to qualified prospects upon request.


Vendor Risk Review

Request additional documentation

For vendor risk review, security questionnaires, or DPA execution, contact our security team directly.

support@zolvay.com

Last updated: April 2026 · Zolvay Systems, Inc.
