Security

Last updated: 11 June 2026

1. Our Commitment to Security

At zCloud, operated by Runstate Ltd, security is a foundational concern — not an afterthought. We apply layered technical and organisational controls to protect the infrastructure, data, and accounts of every customer on the platform.

This page describes the security practices we follow and explains how to report potential vulnerabilities responsibly.

2. Physical and Environmental Security

  • zCloud workloads run on enterprise-grade cloud infrastructure whose data centres provide 24/7 on-site security, biometric access controls, CCTV surveillance, and multiple independent power feeds.
  • These facilities hold industry-standard certifications and are engineered for high availability and physical security for all customers.
  • Physical access to the underlying servers is restricted to the infrastructure operator's authorised, audited personnel. zCloud staff do not have physical access to the facilities.

3. Network Security

  • Perimeter firewalls and stateful packet inspection are applied to all infrastructure boundaries.
  • Network traffic is continuously monitored, and abusive or malicious traffic is investigated and mitigated by our team.
  • Internal management networks are segregated from customer-facing networks using network segmentation and strict access-control lists.
  • All control-plane and API traffic is encrypted in transit using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.

4. Platform and Application Security

  • The zCloud dashboard and API are protected by multi-factor authentication (MFA), rate limiting, and session management controls.
  • Customer passwords are never stored in plaintext. We use industry-standard adaptive hashing (bcrypt/Argon2) with appropriate cost factors.
  • API keys are hashed at rest. Exposed keys can be revoked instantly from the dashboard.
  • Dependency updates and security patches are reviewed and applied on a rolling basis. Critical patches are applied within 72 hours of a public advisory.
  • Our engineering team follows a secure development lifecycle (SDLC) that includes peer code review, automated static analysis, and pre-production testing in isolated environments.

5. Data Security

  • Customer data is encrypted at rest using AES-256 for block storage volumes where technically feasible.
  • Backups (where included in your plan) are encrypted and stored in a geographically separate location from the primary data.
  • Access to customer data by Runstate staff is limited to specific roles and purposes (e.g., incident response), is logged, and requires manager approval.

6. Access Control and Identity

  • Internal systems follow the principle of least privilege. Staff are granted only the permissions required to perform their role.
  • Administrative access to production systems requires MFA and is conducted over encrypted channels.
  • Access rights are reviewed quarterly and immediately upon staff offboarding.

7. Incident Response

We maintain a documented incident response plan that is tested periodically. In the event of a confirmed security incident affecting customer data, we will:

  • Contain and remediate the incident as quickly as possible.
  • Notify affected customers by email within 72 hours of discovery, in accordance with the Mauritius Data Protection Act 2017.
  • Provide a post-incident report describing the cause, impact, and corrective actions taken.

8. Responsible Disclosure

We welcome reports from security researchers, customers, and the broader community. If you believe you have discovered a security vulnerability in the zCloud platform, please disclose it responsibly:

  • Email your findings to security@zcloud.mu with a clear description of the issue and steps to reproduce it.
  • Include your contact details so we can follow up with you.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
  • Do not access, modify, or delete data belonging to other customers.
  • Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate.

Our commitment to researchers: We will acknowledge receipt of your report within 2 business days, keep you informed of our investigation progress, and notify you when the issue has been resolved. We will not take legal action against researchers who act in good faith and follow these guidelines.

We do not currently operate a paid bug-bounty programme, but we do publicly acknowledge researchers who make material disclosures (with their permission).

9. Certifications and Audits

Runstate conducts periodic internal security reviews of its infrastructure and application stack. We are working towards formal third-party certifications and will update this page as those are obtained.

10. Contact

For all security queries and responsible disclosure reports, contact us at security@zcloud.mu.
For general enquiries: our contact form