Table of Contents
- Security Highlights
- Do We Store Any Customer Data?
- On-Prem vs SaaS Security Comparison
- Internal Security & Engineering Practices
- Product Integrity & Quality
- Artificial Intelligence (AI) Usage
- Third-Party Software & Dependency Management
- Fourth-Party & Supply Chain Risk
- Vulnerability Reporting & Disclosure
- Security Testing Scope
- Compliance & Security Standards Alignment
- SOC 2 / ISO 27001 Reporting
- ZappySys Architecture Overview & Diagrams
- Need Help?
ZappySys PowerPack is designed to run entirely inside your environment (on-premises server, VM, or workstation). No customer data is ever sent to ZappySys servers. Only limited licensing and registration information is exchanged during activation, and even that is not required when using offline activation.
Our products are used by organizations of all sizes, including enterprises, government agencies, and regulated industries. Independent reviews on Capterra and Trustpilot reflect this trust.
Security Highlights
- No data sent to ZappySys: All processing happens in your environment. We do not access, transmit, or store your business data.
- Not a SaaS product: PowerPack is installed locally and operates without requiring cloud connectivity for normal usage.
- Optional full offline mode: You can activate and operate the product without any internet connection. See: Offline Activation Guide.
- Digitally signed installers: All installer packages are digitally signed so any tampering can be detected by Windows or antivirus tools.
- Encrypted credentials: All passwords and secret fields stored in our UI are encrypted by default.
- Modern encryption standards: Network communication uses industry-standard encryption (TLS 1.2 / 1.3).
- Minimal communication: The product may occasionally perform license status or version checks. This may include basic technical information such as product version and an encrypted machine identifier.
- Optional anonymous telemetry: You can optionally enable anonymous feature usage reporting to help improve the product. This contains no PII (Personally Identifiable Information) and can be disabled at any time from the License Manager.
- No automatic updates: The product never updates itself automatically. All upgrades are initiated and approved by the customer, giving your IT team full control over change management.
- Data Gateway behavior: When using ODBC PowerPack, the optional Data Gateway service listens on a local port (default 5000). This service operates entirely within your network and does not expose public endpoints. The port can be restricted or changed according to your IT policy.
- No external data transmission: Even when Data Gateway is running, no customer data is sent to ZappySys. The product only communicates with the systems you explicitly configure (e.g., REST APIs, SQL databases, SFTP servers).
- Firewall-friendly: Inbound and outbound rules can be controlled by your IT/security team, and the product can operate fully in offline environments.
- Service privileges: Installation requires administrative rights (standard for Windows services). At runtime, components execute under the user or service account you configure.
Do We Store Any Customer Data?
No. ZappySys does not store, process, or transmit your business data or any PII (Personally Identifiable Information). Only limited licensing and registration details are exchanged, and even that is not required when you use offline activation.
On-Prem vs SaaS Security Comparison
The table below highlights key security advantages of using an on-premise solution like ZappySys PowerPack.
| Security Benefit | SaaS Vendor | ZappySys (On-Prem) |
|---|---|---|
| Your data stays fully inside your network | ❌ No | ✔️ Yes |
| No customer data stored by vendor | ❌ No | ✔️ Yes |
| No customer data processed by vendor | ❌ No | ✔️ Yes |
| No dependency on vendor cloud services | ❌ No | ✔️ Yes |
| Can run fully offline / air-gapped | ❌ No | ✔️ Yes |
| Customer controls installation & updates | ❌ No | ✔️ Yes |
| No automatic data transmission outside your environment | ❌ No | ✔️ Yes |
| Supports strict firewall & network governance | ❌ Limited | ✔️ Full support |
| No exposure to vendor cloud breaches | ❌ No | ✔️ Yes |
| Suitable for regulated and high-security environments | ❌ Often restricted | ✔️ Yes |
Internal Security & Engineering Practices
Although PowerPack is an on-premise product and does not handle customer data in our infrastructure, we still follow strong internal security and engineering practices:
- Secure source control: Source code is stored in secured repositories protected with MFA/2FA and IP-based restrictions.
- Restricted access: Only authorized engineers have access to source code; build environments are isolated and tightly controlled.
- Code review: Every significant code change is reviewed by senior engineers or architects to maintain quality and consistency.
- Testing before release: We run extensive automated and manual tests before each public release, with a strong emphasis on regression and backward compatibility.
- Proactive updates: We regularly update components to align with current security standards and platform changes.
- Vulnerability response commitment: We actively monitor security advisories for third-party libraries and platform components used in our products. When a relevant vulnerability is identified, we evaluate its impact on our software and prioritize fixes accordingly. Security-related updates are released as part of our regular update cycles or expedited when necessary.
Product Integrity & Quality
- Regular updates to maintain security, compatibility, and functionality.
- Digitally signed binaries to ensure authenticity and integrity.
- Extensive automated and manual testing prior to public release.
- Backward compatibility maintained wherever possible; any rare breaking changes are documented in release notes.
Artificial Intelligence (AI) Usage
ZappySys PowerPack does not use, embed, rely on, or integrate with any artificial intelligence (AI), machine learning (ML), large language models (LLMs), or foundation models for its operation.
ZappySys does not train, fine-tune, or evaluate any AI models using customer data. No customer data, metadata, or telemetry is used for AI or ML purposes.
As a result, AI governance frameworks, model lifecycle management, and AI-specific controls are not applicable to ZappySys PowerPack.
Third-Party Software & Dependency Management
ZappySys PowerPack uses a limited set of third-party and open-source software components as part of normal product development (e.g., .NET libraries and framework dependencies).
ZappySys maintains an internal inventory of third-party software components and dependencies used in product development, build, and distribution. Dependencies are reviewed periodically, and relevant security advisories are monitored.
No third-party components transmit customer data to ZappySys or external services.
Fourth-Party & Supply Chain Risk
ZappySys uses select third-party vendors for development, build, code signing, distribution, licensing, and customer support tooling. These vendors may, in turn, rely on their own infrastructure or service providers.
No fourth-party vendors have access to customer data, as ZappySys does not host, process, or store customer data. Fourth-party risk is limited to internal tooling and software supply-chain operations.
Vulnerability Reporting & Disclosure
ZappySys welcomes responsible disclosure of security vulnerabilities. Security issues can be reported directly to support@zappysys.com.
Reported vulnerabilities are reviewed by engineering and prioritized based on severity and impact. Fixes are delivered through regular or expedited releases as appropriate.
Security Testing Scope
ZappySys PowerPack is an on-premises software component and not a network-exposed SaaS application. As such, traditional external penetration testing designed for hosted web services is not directly applicable.
Security testing focuses on secure development practices, dependency analysis, static code review, installer integrity, and controlled execution within the customer’s environment.
Compliance & Security Standards Alignment
ZappySys PowerPack is an installer-based, on-premises software product and does not operate as a hosted or managed service. As a result, ZappySys does not currently maintain formal third-party certifications such as SOC 2 Type II or ISO/IEC 27001, which are typically applicable to organizations that host or process customer data.
Although formal certification is not applicable, ZappySys aligns its internal security, engineering, and operational practices with the intent of common industry frameworks, including access controls, secure development practices, change management, vulnerability response, and software supply-chain integrity.
Customers retain full control over deployment, configuration, access control, data residency, and compliance within their own environments.
Do you provide SOC 2 or ISO 27001 reports?
ZappySys does not currently provide SOC 2 or ISO 27001 reports, as the product does not involve hosting or processing customer data. Security controls are instead implemented at the software and development lifecycle level, while customers maintain operational and compliance control within their own environments.
ZappySys Architecture Overview & Diagrams
If you are interested in a more detailed technical architecture overview and diagrams, then refer to this post.
Need Help?
If you have questions or require additional documentation for security reviews or vendor onboarding, contact us via live chat or email support@zappysys.com.
Comments
0 comments
Please sign in to leave a comment.