SECURITY & SOVEREIGNTY

Your data, your servers.

ZRO is the sovereign alternative to US cloud construction platforms. Self-hostable anywhere in the world. Your infrastructure, your jurisdiction, your data.

SOVEREIGNTY PILLARS

Six principles. No compromise.

SELF-HOST

Run it on your own hardware

Docker Compose and Kubernetes manifests for full on-premise deployment. Air-gapped installations supported. No internet dependency required after setup.

SWISS nFADP

New Federal Act on Data Protection

ZRO is built to comply with the Swiss nFADP. Data processing agreements, data minimization, and purpose limitation are built into the platform architecture.

GDPR

EU General Data Protection Regulation

Full GDPR compliance for EU customers. Data portability, right to erasure, and consent management are native platform features.

ENCRYPTION

AES-256 at rest, TLS 1.3 in transit

All data encrypted at rest with AES-256. All connections enforce TLS 1.3. No plaintext data at any point in the pipeline.

AUDIT LOGGING

Every action, append-only

Every write operation and every access to sensitive data is logged in an append-only audit trail. Exportable for compliance review.

SOVEREIGN AI

Local models, no foreign dependencies

A sovereign local AI model handles text reasoning and vision — one model, no cloud dependency. No prompts, no context, no project data ever sent to third-party AI providers.

CONTROLS

Every control, documented.

ControlStandardStatus

Encryption at restAES-256Enabled

Encryption in transitTLS 1.3Enforced

GDPREUCompliant

nFADPCHCompliant

Data residencyCH / EUGuaranteed

MFATOTP / WebAuthnAvailable

Audit logAppend-onlyEnabled

BackupDaily30-day retention

SSO / SAMLEnterpriseAvailable

Self-hostDocker / K8sAvailable

DATA RESIDENCY

Your data. Your region. Your jurisdiction.

All managed ZRO instances store data in Swiss data centers. No replication to US servers, ever. Enterprise customers can self-host on their own infrastructure for full air-gapped sovereignty.

Every AI feature runs on your own infrastructure. No prompts leave your environment. No project data is sent to OpenAI, Google, or any other third-party lab.

nFADP compliantGDPR compliantCH/EU data centers

SOVEREIGNTY MATRIX · WHAT'S WHERE

We don't claim 100% sovereign — we tell you exactly which seams aren't.

Most "sovereign EU" vendors have non-EU dependencies they don't disclose. Here's the unfiltered map of what runs where on our stack today, so you can decide if it fits your DPA.

CapabilityStatusDetail

Postgres database (RLS, all tenant data)EUHetzner CH/DE; self-hostable on-premise; tenant rows isolated by Postgres RLS.

AI inference (Ollama + SenseVoice)EURuns on the same VPS as your data. No prompt or response ever leaves Switzerland.

ZRO ERP (Frappe / MariaDB)EUSame VPS as ZRO Site; private network only; mirrored backups inside the EU restic bucket.

Voice transcriptionEUSenseVoice on port 8100; multipart audio never leaves the box.

BackupsEUrestic encrypted bucket, default Hetzner Storage Box (DE). Configurable to any S3-compatible target.

GlitchTip error captureEUSelf-hosted GlitchTip on the same VPS — your stacktraces don't go to Sentry US.

Email — branded send-from-domain (Business+)EUPostmark EU region or Postfix relay, configurable per org.

Email — default outbound (Artisan / Pro)MixedFalls back to Postmark US until you configure your own SMTP. Plain English DPA covering this is part of every contract.

HLS camera CDNMixedStream origin lives on your VPS; CDN edge cache hits global PoPs for latency. Disable CDN per-camera if cache is unacceptable.

Stripe Connect paymentsNon-EUStripe Inc. is US-headquartered with a GDPR-compliant DPA + EU data residency for Stripe Connect Europe accounts. Payment processing is opt-in per estimate.

Cloudflare DNS / WAF (zrolab.com)Non-EUEdge-only TLS termination; payload encrypted to origin. Swap for Bunny.net (EU) on Enterprise.

AI fallback (Anthropic / OpenAI)Non-EUDisabled by default. Some Pro+ features can opt in for premium models — explicit per-call consent.

All Non-EU and Mixed dependencies are switchable on Enterprise: we publish the swap list (Bunny.net for CDN, Stripe Connect EU for payments, self-hosted MTA for email, fully-disabled fallback AI) so your DPA can be 100% EU-resident on day one.

CONTACT

Talk to the security team.

Security questionnaires, penetration tests, architecture reviews, and self-host discussions. Direct line to our engineers.

Contact security