Compliance — detail

What your security team will actually see.

A single page to send to your security, legal, or procurement reviewer. Evidence inventory, subprocessor list, and what we can sign today.

Evidence inventory

What we share with an auditor or security review

These artifacts exist today. We share them under NDA on request.

Architecture diagrams

Cross-repo architecture and per-service diagrams covering the central, on-prem, and kiosk deployment shapes. Updated with every release.

Audit log schema

Table schema and event taxonomy for the audit log. Every administrative mutation, worker registration, and session attestation event has a defined row.

Certificate authority and mTLS policy

Internal CA design, certificate issuance and rotation cadence, mTLS cipher suite policy, and revocation handling.

GPG bundle protocol

Credential bundle format, encryption parameters, key custody chain, and runtime decryption into tmpfs-backed secrets.

Policy documents

Information security policy, access control policy, incident response runbook, vulnerability management process, and DPA template — under active maintenance.

Subprocessors

Who processes data on our behalf

Current as of the date below. Subprocessors change rarely; when they do, customers are notified before the change takes effect.

  • Google Cloud Platform
    Compute, storage, networking
    EU / US (customer-selected)
    Signed
  • Runpod
    GPU compute pool (optional)
    Multi-region
    Signed
  • Vast.ai
    GPU compute pool (optional)
    Multi-region
    Signed
  • Google reCAPTCHA
    Bot mitigation on lead forms
    Global
    Standard
  • OpenAI (opt-in)
    LLM inference when customer selects
    US
    On request
  • Anthropic (opt-in)
    LLM inference when customer selects
    US
    On request

List effective May 2026. Optional LLM providers (OpenAI, Anthropic, Google, Mistral) only process data if the customer enables them; the central platform does not call them by default.

Review process

What we can do this week

We move fast on security reviews. If your team has a procurement checklist, send it; we'll respond with status, evidence, and any open gaps.

  • Architecture review call with our engineering lead
  • Signed DPA, subprocessor list, and policy bundle
  • Walkthrough of the audit log and on-prem isolation model

Compliance — detail — AIvatars