Security & Trust

Your data, looked after like it's ours.

Zinye is built on ERPNext — the open ERP that runs tens of thousands of businesses worldwide. The standard we hold ourselves to: your data should be as safe with us as it would be with a finance team that's worked at your company for ten years.

SOC 2 Type II

Annual third-party audit of our security, availability, confidentiality and processing-integrity controls.

Renewed · Jan 2026

ISO 27001 / 27018

Information security management system certified by an accredited registrar. 27018 covers PII in the cloud.

Renewed · Mar 2026

GDPR, CCPA, LGPD

Data processing addendum, EU-US DPF, sub-processor list and DPO contact published. Region pinning on Scale+.

Always current

HIPAA · PCI-DSS

HIPAA BAA available on healthcare tenancies. PCI-DSS SAQ-A for retail and POS. Sector add-ons.

By request

Trust isn't a badge.
It's a habit — practiced every week,
audited every year.

Pillars

How we protect what you put in.

Encryption everywhere.

AES-256 at rest, TLS 1.3 in transit, perfect forward secrecy. Customer-owned encryption keys (BYOK via AWS KMS, GCP KMS, Azure Key Vault) on Enterprise.

AES-256 | TLS 1.3 | BYOK | HSM-backed

Identity without the friction.

SAML 2.0 and OIDC single sign-on, time-based OTP, hardware keys, biometric. Field-level RBAC with "view as" testing. SCIM provisioning for joiners and leavers.

SAML 2.0 | OIDC | WebAuthn | SCIM 2.0 | Field-level RBAC

Residency you choose.

Three regions by default — EU (Frankfurt), US (Virginia), APAC (Singapore). Scale and Enterprise plans pick specific regions; Enterprise can deploy single-tenant in your AWS, GCP or Azure subscription.

EU · Frankfurt | US · Virginia | APAC · Singapore | LATAM · ME · AF on request

Recovery — boring by design.

Encrypted snapshots every 6 hours, retained 30 days. Point-in-time restore on Scale+. Off-site copy to a different cloud and region. RPO < 1 hour; RTO < 4 hours.

6-hourly snapshots | PITR | Cross-cloud replication | RPO < 1h · RTO < 4h

Trust ledger

The recent security receipts.

Audits, pen tests and third-party reviews — the actual dates and the actual findings. We publish them because trust without documentation is just a feeling.

| Date | Event | Auditor / Source | Status |
|---|---|---|---|
| 2026 · Jan 18 | SOC 2 Type II report renewed | Schellman & Co. | Passed |
| 2026 · Mar 04 | ISO 27001 surveillance audit | BSI Group | Passed |
| 2026 · Mar 22 | Penetration test · web + API | Cure53 (independent) | Findings closed |
| 2026 · Apr 11 | Vulnerability disclosure · CVE-2026-2841 | External researcher | Patched · 48 h |
| 2026 · Apr 28 | Disaster recovery exercise · APAC failover | Internal · SRE | RTO 2h 41m |
| 2026 · Jun 02 | Q2 access review & SCIM reconciliation | Internal · Security | Scheduled |
| 2026 · Aug 15 | Annual red-team engagement | NCC Group | Scheduled |

Regulations

Mapped to the frameworks your auditor asks about.

Zinye's controls are explicitly mapped to the regulatory frameworks that govern modern businesses. We publish the mappings; your auditor or DPO can pull the evidence directly.

GDPR (Privacy · EU): DPA, EU data residency, DPO contact, breach notification within 72 h.

CCPA (Privacy · US): Consumer rights, opt-out, data-subject request workflow built in.

LGPD (Privacy · BR): Brazilian data protection law, processor obligations, registered ANPD contact.

NDPC (Privacy · NG): Nigeria Data Protection Commission compliance with local residency option.

HIPAA (Health · US): Business Associate Agreement available on healthcare tenancies. PHI safeguards.

PCI-DSS (Payments): SAQ-A for tokenized payments via Stripe, Adyen, Paystack. No card data stored.

FDA 21 CFR Part 11 (Pharma · US): Electronic records and signatures for FDA-regulated life-sciences customers.

IFRS · US GAAP (Accounting): Financial statements compliant with both frameworks. Audit trail · 7-year retention.

Peppol (E-invoicing · EU): Certified Peppol Access Point. EN 16931 schema.

India IRN (E-invoicing · APAC): Real-time IRN generation via GST e-invoicing API.

Saudi ZATCA (E-invoicing · ME): Phase 2 integrated invoicing with cryptographic stamps.

Mexico CFDI (E-invoicing · LATAM): PAC integration for CFDI 4.0 stamping.

Commitments

Six things we'll never do.

01

Sell your data. Ever.

Your transaction data isn't a product. It isn't training data. It isn't shared with advertisers. You're the customer — not the merchandise.

02

Hold your data hostage.

Export your full database any time, from the UI, in SQL, CSV or JSON. Standard schema. If you leave, we keep a copy for 60 days, then permanently delete it.

03

Move your data without consent.

The region you pick on signup is where your data lives. Migrating between regions requires written authorisation from your designated admins.

04

Hide a breach.

Material incidents are disclosed to affected customers within 72 hours, with a written post-mortem within 14 days. Always. Even when it's embarrassing.

05

Charge for security.

SOC 2, ISO 27001, encryption, backups, audit logs and MFA are in every plan. Security is the floor, not an upsell.

06

Ghost you in an incident.

Status page updates every 30 minutes during an incident. Real engineers, not bots. Status.zinye.com is public and uncensored.

Trust center

Documents, on request.

The full evidence set is available behind a short security review — your name, your company, your reason. We reply within one business day. NDA already on file? You can pull the latest reports immediately.

SOC 2 Type II report: Renewed January 2026 · 142 pages (NDA required)
ISO 27001 certificate: Issued by BSI Group · valid through 2027 (Public)
Penetration test summary: Cure53 · March 2026 · all findings closed (NDA required)
Data processing addendum (DPA): GDPR · UK GDPR · CCPA · LGPD (Public)
Sub-processor list: 16 sub-processors · updated quarterly (Public)
Business continuity & DR plan: Annual review · last run April 2026 (NDA required)
Incident response runbook: Last red-team validation · August 2025 (NDA required)
Security whitepaper: 22 pages · architecture overview · no NDA (Public)

Your security team's shortest
review, guaranteed.

Most enterprise security reviews close in under two weeks with Zinye. Our team has done hundreds; we know what your CISO is going to ask before they ask it.