Trust Center

How a security vendor earns the right to be one

A security tool you do not trust is not a security tool. This page is the unfiltered view of Zero Hunt's own security posture: what we hold, what we are working on, who processes what data on our behalf, and how you report a vulnerability against us.

Certifications and assurance

Where we are today, not where we want to be. Status reflects current reality — we update it as audits progress.

ISO/IEC 27001:2022 (In progress)
Information security management system in scope. Stage 1 audit planned H2 2026.

SOC 2 Type II (Planned)
Scoped for 2027 once a 12-month observation window is feasible.

Annual third-party pentest on the appliance (Live)
External offensive engagement against the Zero Hunt appliance image performed annually by an independent firm. Findings remediated under our own disclosure policy.

EU AI Act conformity assessment (Live)
High-risk AI system documentation (Annex III) maintained per Articles 9-19. Risk management system, technical documentation, logging, human-oversight kill-switch and post-market monitoring all in place. Detailed conformity artefacts available to customers under NDA.

GDPR compliance (Regulation (EU) 2016/679) (Live)
Privacy policy, DPO designated, DPA template available on request. On-premise architecture minimises data flows by design.

Subprocessors (website only)

These subprocessors handle only the zerohunt.ai website, sales contact and analytics. The Zero Hunt appliance itself runs entirely on-premise inside the customer perimeter and has zero subprocessors by design — that is the architecture, not a marketing claim. Notification of material changes to the website subprocessors is sent to the address you used to contact us, with at least 30 days' notice.

Subprocessor: Cloudflare, Inc.
Purpose: Website hosting (zerohunt.ai), CDN, Cloudflare Web Analytics (cookieless).
Jurisdiction: USA
Safeguards: EU-US Data Privacy Framework + Standard Contractual Clauses.

Subprocessor: Google LLC / Google Ireland Limited
Purpose: Google Analytics 4 with anonymised IP, advertising signals disabled. Loaded only after user opt-in via the cookie banner.
Jurisdiction: USA / Ireland
Safeguards: EU-US Data Privacy Framework + Standard Contractual Clauses. Consent Mode v2.

Subprocessor: Self-hosted EU mail infrastructure
Purpose: Email correspondence (info@, partners@, security@, dpo@, legal@).
Jurisdiction: EU (Italy)
Safeguards: Operated within the data controller perimeter; no third-party processor.

Vulnerability disclosure

Found a security issue affecting zerohunt.ai, the Zero Hunt appliance, or a downstream service? We follow a coordinated disclosure model:

  • Report via [email protected] or via the machine-readable /.well-known/security.txt.
  • We acknowledge receipt within 5 business days.
  • Default disclosure window is 90 days from acknowledgement; we extend it on request when remediation requires more time.
  • Researchers acting in good faith will not face legal action. Out-of-scope: social engineering, physical attacks, denial-of-service.
  • Acknowledged reporters are credited on this page upon request.

We run our own engine against ourselves

The Zero Hunt appliance image is pentested annually by an independent third party. Internally, the same 10-agent generative engine we sell to customers runs nightly against a representative deployment of the appliance plus the website and email infrastructure. Findings flow into the same Trust Center artefact store and the same ECDSA-signed evidence chain that customer deployments use. We eat our own dog food.

EU AI Act — high-risk system documentation

The Zero Hunt offensive engine is classified as a high-risk AI system under Annex III of Regulation (EU) 2024/1689 (critical infrastructure security). Technical documentation, risk management system, logging, human-oversight kill-switch, and post-market monitoring are maintained per Articles 9-19. Detailed conformity artefacts are available to customers under NDA on request to [email protected].

How we handle data

  • Customer telemetry from the appliance: never leaves the customer perimeter. Zero Hunt does not see, collect, or process data from production appliances. The on-prem architecture is the safeguard.
  • Website / sales contact data: stored in EU-hosted infrastructure; retained only as long as necessary; the full set of rights available to you is set out in our Privacy Policy.
  • Update telemetry (optional): when customers opt in to anonymous update-success telemetry from the sync server, the payload is limited to release ID + status + timestamp. Air-gap deployments do not transmit anything.

Security and privacy contacts

Last reviewed: May 18, 2026