Security certifications — what they mean for your firm

Zato's four security and AI certifications — ISO 27001:2022, ISO 42001, SOC 2, and GDPR — and what each one means in practice for your firm and your clients

Zato's certifications

  Certification      What it covers
  ISO 27001:2022     Information security management
  ISO 42001          AI management systems
  SOC 2              Security, availability, and confidentiality controls
  GDPR               Personal data protection

Certificates are available on request. Email your PSM or contact security@zatohq.com.


ISO 27001:2022 — Information security management

ISO 27001:2022 is the international standard for information security management systems (ISMS). It is independently audited and certified.

In practice, this means Zato has a documented, tested, and continuously maintained system covering:

  • How client data is stored, accessed, and protected

  • How security risks are identified and managed

  • How security incidents are detected, responded to, and learned from

  • How the security programme evolves as threats change

This is not a self-assessment — it requires an independent third-party audit and annual review.


ISO 42001 — AI management systems

ISO 42001 is the international standard for AI management systems — the first of its kind. It governs how AI is developed, deployed, and governed responsibly.

For accounting firms, this matters because Zato's AI, Ziffy, operates on your clients' financial data. ISO 42001 certification means:

  • Zato's AI systems are governed by documented policies and controls

  • AI outputs are subject to human oversight and review processes

  • Risk management applies specifically to AI decision-making

  • Transparency and accountability are built into how AI is used within the platform

Very few platforms in the accounting technology space hold this certification.


SOC 2 — Security, availability, and confidentiality

SOC 2 is an independent audit standard developed by the American Institute of CPAs (AICPA). It evaluates security, availability, processing integrity, confidentiality, and privacy controls.

Zato's SOC 2 certification covers:

  • Security — protection against unauthorised access

  • Availability — the platform is available for operation as committed

  • Confidentiality — information designated as confidential is protected

SOC 2 reports are available to firms on request under NDA. Contact your PSM.


GDPR — Personal data protection

GDPR (General Data Protection Regulation) sets requirements for the collection, processing, storage, and protection of personal data. It applies to the personal data of your clients — names, contact details, financial information, and any other identifying data processed through Zato.

Zato's GDPR compliance means:

  • Personal data is processed only for defined, legitimate purposes

  • Data subjects have rights over their information

  • Data breaches are managed and reported in accordance with regulation

  • Data processing agreements are available on request


For firms requiring compliance documentation

If your firm requires any of the following for your own compliance or due diligence processes, contact your PSM or email security@zatohq.com:

  • ISO 27001:2022 certificate

  • ISO 42001 certificate

  • SOC 2 report (available under NDA)

  • Data processing agreement

  • Security overview documentation

All documentation is available at zatohq.com/trust-centre.