Security certifications — what they mean for your firm

Zato's four certifications — ISO 27001:2022, ISO 42001, SOC 2, and GDPR — and what each one means in practice.

Zato holds four independent security and governance certifications. All certificates are available on request.

Certification summary

Certification      What it covers
ISO 27001:2022     Information security management
ISO 42001          AI management systems
SOC 2              Security, availability, and confidentiality controls
GDPR               Personal data protection

ISO 27001:2022 — information security management

The international standard for information security management systems (ISMS). Independently audited and certified. In practice this means Zato has a documented, tested, and continuously maintained system covering:

  • How client data is stored, accessed, and protected
  • How security risks are identified and managed
  • How security incidents are detected, responded to, and learned from
  • How the security programme evolves as threats change

ISO 42001 — AI management systems

The first international standard specifically for AI management systems. For accounting firms, this matters because Ziffy operates on your client's financial data. ISO 42001 certification means:

  • Zato's AI systems operate under documented policies and controls
  • AI outputs are subject to defined human oversight and review processes
  • Risk management applies specifically to AI decision-making
  • There is accountability and transparency in how AI is used across the platform

Very few platforms in the accounting technology space hold ISO 42001 certification. It is the most rigorous AI governance framework available and reflects the standard your firm should expect from any platform handling client financial data with AI.

SOC 2 — security, availability, and confidentiality

An independent audit standard developed by the AICPA. Zato's SOC 2 certification covers:

  • Security: Protection against unauthorised access
  • Availability: The platform is available for operation as committed
  • Confidentiality: Information designated as confidential is protected

SOC 2 reports are available to firms on request under NDA.

GDPR — personal data protection

Zato meets the requirements of the General Data Protection Regulation for handling personal data — including the personal data of your clients. This means:

  • Personal data is processed only for defined, legitimate purposes
  • Data subjects have rights over their information
  • Data breaches are managed and reported in accordance with regulation
  • Data processing agreements are available on request