Penetration testing and security assurance
How frequently Zato tests for vulnerabilities, the standards it follows, and how to request security reports for your own due diligence.
Independent penetration testing
Zato undergoes independent third-party penetration testing after every major release and, at a minimum, every six months, whichever comes first.
Testing follows OWASP (Open Web Application Security Project) standards, the recognised international framework for identifying and addressing web application security vulnerabilities.
What happens with the results
All identified vulnerabilities are triaged, prioritised, and addressed before the next release. Critical findings are addressed immediately rather than deferred to scheduled releases.
Broader security assurance programme
Penetration testing sits within a broader security assurance programme:
Continuous monitoring via AWS security tooling across all regional infrastructure
Regular internal security reviews aligned with ISO 27001:2022 requirements
AI system governance reviews aligned with ISO 42001
SOC 2 controls assessment covering security, availability, and confidentiality
Annual recertification across all four frameworks
Requesting documentation
The following are available to firms for due diligence:
Penetration test summary reports
SOC 2 report (available under NDA)
ISO 27001:2022 and ISO 42001 certificates
Security overview documentation
Data processing agreements
Contact your PSM or email security@zatohq.com. Full documentation at zatohq.com/trust-centre.