Customer Compliance Coverage

This page maps where Zen Mesh can help customers produce or organize evidence for compliance activities. It does not claim Zen Mesh is certified. It does not determine whether a customer is compliant. Customers remain responsible for their own policies, controls, scope, auditors, and compliance conclusions.

Coverage Levels

| Level | Meaning |
|---|---|
| Strong | Zen Mesh directly generates evidence that maps to this control area |
| Partial | Zen Mesh contributes supporting evidence; customers may need additional measures |
| Planned | Evidence generation is in development or on the roadmap |
| Not applicable | This control area is outside Zen Mesh's scope |

ISO/IEC 27001 / 27002

Control identifiers follow the ISO/IEC 27002:2022 numbering.

| Control / Area | Customer Objective | How Zen Mesh Helps | Evidence Source | Customer Responsibility | Zen Mesh Limitation | Coverage Level | Plan / Export Note |
|---|---|---|---|---|---|---|---|
| A.8.15 — Logging | Capture and review event logs | Delivery receipts, delivery status API, structured audit log | TRUST-PROOF-003, delivery status API | Configure logging retention per policy | Logs retained for plan-dependent period (7d Free, 30d Pro) | Strong | Export via API; S3 export planned for Business+ |
| A.8.16 — Monitoring activities | Detect anomalous activity | Webhook delivery monitoring, delivery status, circuit breaker alerts | Runtime proof ledger, delivery status API | Set up alerting on delivery failures | Monitoring is delivery-scoped, not infrastructure-scoped | Partial | |
| A.5.14 — Information transfer / A.8.24 — Use of cryptography | Secure webhook payload delivery | mTLS enforcement, HMAC payload signing, TLS 1.3 | TRUST-PROOF-006, TRUST-PROOF-003 | Customer-side mTLS configuration | mTLS requires agent deployment; HMAC covers payload integrity, not confidentiality | Strong | |
| A.5.15 — Access control / A.8.3 — Information access restriction | Restrict access to event data | API token authentication, tenant isolation, IP allowlisting | TRUST-PROOF-001, TRUST-PROOF-002 | Token lifecycle management (rotation, revocation) | Tokens are customer-managed; Zen Mesh enforces at API layer | Strong | |
| A.8.32 — Change management | Track changes to delivery configuration | Flow versioning, draft/publish workflow, audit trail | Flow API, event history | Establish change approval process outside Zen Mesh | Zen Mesh tracks configuration changes; no external approval workflow | Partial | |
| A.8.13 — Information backup | Retain evidence of event delivery | Delivery receipts retained per plan retention window | Delivery status API | Export evidence before retention expiry | Retention window is plan-dependent (7d–90d); no long-term archive | Partial | S3 export planned for Business+ |
| A.5.22 — Monitoring of supplier services | Monitor service provider delivery | Delivery receipts, status API, delivery status webhook | Delivery status API | Monitor Zen Mesh status page and delivery health | Zen Mesh is the supplier; customers monitor their own delivery flows | Partial | |

SOC 2

Criteria identifiers follow the AICPA Trust Services Criteria (CC2 Communication and Information, CC6 Logical and Physical Access, CC7 System Operations, CC8 Change Management, A1 Availability).

| Control / Area | Customer Objective | How Zen Mesh Helps | Evidence Source | Customer Responsibility | Zen Mesh Limitation | Coverage Level | Plan / Export Note |
|---|---|---|---|---|---|---|---|
| CC2.x — Communication and information | Evidence of delivery for customer reporting | Delivery receipts, evidence ledger | Runtime proof ledger, evidence integrity | Retain evidence for audit period | Evidence retention is plan-dependent | Strong | Export via API; S3 export planned |
| CC6.1 — Logical access control | Logical access controls (CC6 also covers physical access, which this mapping does not address) | API token auth, tenant isolation, mTLS between components | TRUST-PROOF-001, TRUST-PROOF-002 | Manage API tokens, review access periodically | Token lifecycle is customer-managed; no evidence for physical access | Strong | |
| CC7.x — System operations (monitoring) | Monitor delivery security | HMAC payload signing, delivery receipts, anomaly detection | TRUST-PROOF-003, delivery status | Monitor delivery failures and signing mismatches | HMAC covers integrity, not delivery guarantee or confidentiality | Strong | |
| CC8.1 — Change management | Track configuration changes | Flow versioning, draft/publish workflow, audit trail | Flow API, event history | Review configuration changes periodically | No external approval gate | Partial | |
| A1.x — Availability | Service availability for delivery | Status page; delivery receipts confirm delivery | Status page, delivery receipts | Monitor availability; maintain backup delivery path | No formal SLA on Free/Pro plans | Partial | Active monitoring via status page |
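Two rows above put the same burden on the customer: the ISO A.8.24 row notes that HMAC signing gives payload integrity but not confidentiality, and the SOC 2 CC7.x row asks the customer to "monitor delivery failures and signing mismatches". The receiving side therefore needs a verifier that rejects tampered, replayed and unsigned deliveries and reports why. The following is an added example written for this page, not Zen Mesh code: the header names (`X-Signature`, `X-Timestamp`), the signing string layout (`<timestamp>.<body>`) and the 300-second replay window are assumptions made for illustration, and the vendor's documentation defines the real scheme. The sample payload and secret are constructed.

```python
"""Customer-side verification of an HMAC-signed webhook payload.

This is an added example, not Zen Mesh code. The header names, the signing
string layout ("<timestamp>.<body>") and the replay window are assumptions
made for illustration; the vendor's documentation defines the real scheme.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SIGNATURE_HEADER = "X-Signature"    # assumed header name
TIMESTAMP_HEADER = "X-Timestamp"    # assumed header name
REPLAY_WINDOW_SECONDS = 300         # assumed tolerance for clock skew and replays


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed layout)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Every rejection is a signing mismatch worth alerting on."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    # The timestamp is bound into the MAC, so an old but validly signed
    # delivery cannot be replayed outside the window.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # compare_digest is constant-time; a plain == would leak the expected
    # MAC byte by byte through timing.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Run the verifier over a constructed delivery and several failure cases."""
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    body = json.dumps({"event": "order.created", "id": "evt_123"}).encode()  # constructed sample
    headers = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign(secret, now, body)}
    return {
        "valid": verify(secret, headers, body, now=now),
        "tampered": verify(secret, headers, body.replace(b"evt_123", b"evt_999"), now=now),
        "replayed_later": verify(secret, headers, body, now=now + 3600),
        "wrong_secret": verify(b"other-secret", headers, body, now=now),
        # Integrity only: the MAC is computed over the plaintext, so anyone who can
        # read the transport reads the payload. Confidentiality comes from TLS/mTLS.
        "payload_readable_without_key": json.loads(body)["event"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Route every `False` result from `verify` to the same alerting path as delivery failures; the reason string distinguishes a missing secret rotation (wrong secret) from replay and tampering, which is the evidence the CC7.x row expects the customer to produce.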

PCI DSS

Requirement numbers follow PCI DSS v4.0.

| Control / Area | Customer Objective | How Zen Mesh Helps | Evidence Source | Customer Responsibility | Zen Mesh Limitation | Coverage Level | Plan / Export Note |
|---|---|---|---|---|---|---|---|
| 4.2.1 — Transmission security | Secure transmission of cardholder data | TLS 1.3 transport and mTLS (confidentiality); HMAC payload signing (integrity only) | TRUST-PROOF-003, implementation | Ensure cardholder data is not transmitted unencrypted | Zen Mesh provides transport security; customer controls data content | Strong | |
| 7.x — Access control | Restrict access to cardholder data environments | API token auth, IP allowlisting, tenant isolation | TRUST-PROOF-001, TRUST-PROOF-002 | Scope CDE boundaries; restrict token permissions | Zen Mesh is not PCI assessed; customer must validate CDE boundaries | Strong | |
| 10.x — Logging | Track access to CDE | Delivery receipts, audit log, delivery status API | Delivery status API | Retain logs per PCI requirements (Requirement 10.5.1: 12 months of history, 3 months immediately available) | Log retention is plan-dependent (7d–90d), shorter than the PCI retention period; customers must export | Strong | |
| 6.5.x — Change management | Track changes in CDE | Flow versioning, draft/publish workflow | Flow API, event history | Approve configuration changes outside Zen Mesh | No external approval workflow | Partial | |
| 1.x — Segmentation | Segment CDE from untrusted networks | Tenant isolation, mTLS component boundaries | TRUST-PROOF-001, trust lifecycle | Validate network segmentation in scope | Zen Mesh provides logical isolation; network segmentation is customer responsibility | Planned | Segmentation evidence is planned for v1.1+ |

PCI DSS important note: These mappings describe evidence that may support a PCI assessment. Zen Mesh is not PCI assessed or validated. Customers must not rely on Zen Mesh as the sole control for PCI compliance. A full PCI assessment requires a QSA and scope validation.

NIST Cybersecurity Framework (CSF)

Category identifiers follow NIST CSF 1.1.

| Control / Area | Customer Objective | How Zen Mesh Helps | Evidence Source | Customer Responsibility | Zen Mesh Limitation | Coverage Level |
|---|---|---|---|---|---|---|
| ID.AM — Asset management | Identify delivery flows and components | Flow inventory, endpoint configuration, destination registry | Flow API, deployment config | Maintain inventory of external destinations | Zen Mesh maps flows; customer maps full attack surface | Partial |
| PR.AC — Access control | Restrict delivery configuration | API token auth, tenant isolation, IP allowlisting | TRUST-PROOF-001, TRUST-PROOF-002 | Manage credentials, review access | Token lifecycle is customer-managed | Strong |
| PR.DS — Data security | Protect delivery payloads | TLS 1.3, mTLS, HMAC payload signing | TRUST-PROOF-003, TRUST-PROOF-006 | Encrypt payloads at rest if required | Payload encryption in transit only; at-rest protection is customer responsibility | Strong |
| PR.IP — Information protection processes and procedures | Configuration change management | Flow versioning, draft/publish workflow | Flow API, event history | Implement external change approval | No external approval workflow | Partial |
| DE.CM — Continuous monitoring | Monitor delivery health | Delivery status, circuit breaker, delivery receipts | Runtime proof ledger | Monitor alerts and delivery failures | Monitoring is delivery-scoped | Partial |
| RS.CO — Response communication | Evidence for incident response | Delivery receipts, audit log, evidence integrity | Delivery status API, evidence ledger | Include Zen Mesh evidence in IR plan | Evidence is delivery-scoped; no SIEM integration | Partial |

CIS Controls

Control numbers follow CIS Controls v8.

| Control / Area | Customer Objective | How Zen Mesh Helps | Evidence Source | Customer Responsibility | Zen Mesh Limitation | Coverage Level |
|---|---|---|---|---|---|---|
| 8 — Audit log management | Retain and review delivery audit logs | Delivery receipts, delivery status API, structured audit log | Delivery status API | Export logs to SIEM or audit system | Log retention is plan-dependent | Strong |
| 6 — Access control management | Restrict access to delivery management | API token auth, IP allowlisting, tenant isolation | TRUST-PROOF-001, TRUST-PROOF-002 | Token lifecycle management | Tokens are customer-managed | Strong |
| 4 — Secure configuration | Maintain secure delivery configuration | Flow templates, default secure configs, draft validation | Flow API, security docs | Review and approve configuration changes | Configuration is customer-managed | Strong |
| 15 — Service provider management | Monitor service provider delivery | Status page, delivery receipts, SLAs | Status page, delivery receipts | Monitor Zen Mesh status and performance | No formal SLA on Free/Pro | Partial |
| 7 — Continuous vulnerability management | Remediate vulnerabilities | Dependency scanning, secure build pipeline | Security docs, vulnerability policy | Keep agent software updated | Vulnerability scanning covers Zen Mesh components only; customer infrastructure is out of scope | Partial |

Non-Claims

  • Zen Mesh is not SOC 2, ISO 27001, PCI DSS, HIPAA, or FedRAMP certified.
  • Zen Mesh does not determine whether a customer is compliant with any framework.
  • Mappings are technical capability indicators only. Evidence is local/mock or validated on specific environments unless stated otherwise.
  • Customers must engage their own auditors, compliance teams, and legal counsel.