Security Policy

Scope

This policy covers the security aspects of Zerolake, including the CLI tool, supporting libraries, and automation scripts used to deploy and manage data lakehouse infrastructure on customer-owned cloud environments (AWS, GCP, Azure). This policy applies to all versions of our software and services.

Shared Responsibility Model

Zerolake operates under a shared responsibility model where both we and our customers have specific security obligations.

Our Responsibilities

• Secure software development practices and code quality
• Supply chain and dependency management
• Code signing and release integrity
• Preventing malicious code and data exfiltration risks
• Regular security updates and vulnerability patching
• Secure distribution of CLI tools and scripts

Customer Responsibilities

• Secure cloud configuration (IAM, network security, etc.)
• Access control within their environment
• Cloud data encryption and protection
• Credential management and secure storage
• Monitoring and logging of deployed infrastructure
• Compliance with industry-specific regulations

Secure Software Development Practices

• Use of secure coding standards and guidelines
• Automated security scanning (SAST/DAST) in CI/CD pipeline
• Regular dependency vulnerability scans via automated tools
• Code reviews with security considerations
• Version control and CI/CD pipeline integrity
• Internal penetration testing before major releases

Release and Distribution Security

We ensure the integrity and authenticity of all Zerolake releases through multiple security measures:

• Code signing of all executable files and packages
• SHA-256 checksums provided for all downloads
• Secure distribution through official channels (GitHub releases, package managers)
• Verification instructions provided with each release
• GPG key verification for source code integrity

Data Handling

What We Do Not Collect

• No telemetry or usage data is sent back to our servers
• No customer data or configurations are transmitted
• No cloud credentials are stored or transmitted
• No deployment logs are sent to external systems

Local Data Storage

• Configuration files stored locally in user-specified locations
• Cache directories for temporary files (automatically cleaned)
• Log files stored locally with configurable retention
• All local data is encrypted at rest when possible

Credential Handling

Zerolake follows security best practices for credential management:

• Credentials accessed via standard cloud provider methods (environment variables, profiles, service accounts)
• No credentials stored in plain text or transmitted over networks
• Support for AWS IAM roles, Azure managed identities, and GCP service accounts
• Integration with cloud provider secret management services
• Automatic credential rotation support

Cloud Permissions (Least Privilege)

Zerolake follows the principle of least privilege for cloud permissions:

• Minimal IAM policies required for deployment and management
• Granular permissions for specific resource types
• No administrative or root-level access required
• Sample IAM roles provided with minimal necessary permissions
• Support for temporary credentials and session tokens

Dependency Security

We maintain strict control over all dependencies used in Zerolake:

• Regular automated vulnerability scanning of all dependencies
• Software Bill of Materials (SBOM) provided with each release
• Immediate patching of critical security vulnerabilities
• Transparent disclosure of third-party dependencies
• Vendor security assessment for major dependencies

Security Vulnerability Reporting

We welcome security researchers and customers to report vulnerabilities. Please report security issues to: security@zerolake.io

Response Timeline

• Critical vulnerabilities: Acknowledgment within 24 hours, fix within 7 days
• High severity: Acknowledgment within 48 hours, fix within 14 days
• Medium severity: Acknowledgment within 72 hours, fix within 30 days
• Low severity: Acknowledgment within 1 week, fix within 90 days

Incident Response

In the event of a security incident affecting Zerolake:

• Immediate assessment and containment of the incident
• Notification to affected customers within 24 hours
• Detailed incident report provided within 72 hours
• Root cause analysis and preventive measures
• Transparent communication throughout the process

Supported Versions and Patch Policy

We maintain security updates for Zerolake according to the following policy:

• Current version: Full security support and updates
• Previous major version: Security patches only (12 months)
• Older versions: End-of-life, no security updates
• Security patches released as needed, typically within 24-48 hours
• Major version updates include security improvements

Compliance and Standards

Zerolake adheres to industry security standards and best practices:

• OWASP Secure Coding Practices
• NIST Cybersecurity Framework alignment
• Cloud Security Alliance (CSA) guidelines
• Regular third-party security assessments
• Compliance with major cloud provider security requirements

Limitation of Liability

Zerolake provides the Service "as is" without warranties of any kind. We are not liable for:

• Security incidents resulting from customer misconfiguration
• Cloud provider security breaches or vulnerabilities
• Third-party dependency security issues beyond our control
• Data loss or corruption in customer environments
• Indirect, incidental, or consequential damages

While we implement comprehensive security measures, customers remain responsible for securing their own environments and following security best practices.

Contact Information

For security-related questions or to report vulnerabilities, please contact us: security@zerolake.io

For general support inquiries: support@zerolake.io