Overview
Security and Compliance
What data does the DevZero operator access?
To provide actionable insights, the operator reads a minimal set of non-sensitive data. Specifically, it collects:
- Cluster resources such as nodes, pods, and deployments
- Select metadata from pods, deployments, daemon sets, and stateful sets
- CPU, memory, and storage consumption data to identify underutilization
For a list of all the metadata collectors, check out the source code here.
What is NOT collected?
- Container-level secrets and envs are explicitly sanitized at collection time, in func sanitize(podCloned *corev1.Pod)
- CRDs are not accessed at all
At any point, a user can modify what the DevZero operator collects.
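The collection-time sanitization described above, shown as an added example that is not the operator's own code: a clone of the pod has its env vars, envFrom references and Secret-backed volumes stripped before anything leaves the cluster, while the cached original stays intact. The Pod, Container, Volume and EnvVar types here are minimal stand-ins for the corev1 types (an assumption, so the block runs without k8s.io/api); the sample pod is constructed input.

```go
package main

// Stand-ins for the corev1 types (assumption: the real sanitize takes *corev1.Pod).
type EnvVar struct{ Name, Value string }
type Volume struct{ Name, SecretName string } // SecretName set when Secret-backed
type Container struct {
	Name    string
	Env     []EnvVar
	EnvFrom []string // referenced ConfigMap/Secret names
}
type Pod struct {
	Name       string
	Containers []Container
	Volumes    []Volume
}

// sanitize strips env vars, envFrom references and Secret-backed volumes from
// the clone. It mutates only podCloned, so callers must pass a copy and the
// informer-cached object is never altered.
func sanitize(podCloned *Pod) {
	for i := range podCloned.Containers {
		podCloned.Containers[i].Env = nil
		podCloned.Containers[i].EnvFrom = nil
	}
	kept := make([]Volume, 0, len(podCloned.Volumes))
	for _, v := range podCloned.Volumes {
		if v.SecretName == "" { // keep only volumes not backed by a Secret
			kept = append(kept, v)
		}
	}
	podCloned.Volumes = kept
}

// sanitizedCopy deep-copies the pod (hand-rolled here; corev1.Pod has DeepCopy),
// sanitizes the copy and returns what would be shipped to the control plane.
func sanitizedCopy(p *Pod) *Pod {
	c := &Pod{Name: p.Name, Volumes: append([]Volume(nil), p.Volumes...)}
	for _, ct := range p.Containers {
		c.Containers = append(c.Containers, Container{Name: ct.Name,
			Env: append([]EnvVar(nil), ct.Env...), EnvFrom: append([]string(nil), ct.EnvFrom...)})
	}
	sanitize(c)
	return c
}

// samplePod is constructed input: a credential in env, an envFrom Secret
// reference, and one Secret-backed volume beside a plain data volume.
func samplePod() *Pod {
	return &Pod{Name: "api-7d9f", Containers: []Container{{Name: "api",
		Env: []EnvVar{{"DB_PASSWORD", "hunter2"}}, EnvFrom: []string{"api-secrets"}}},
		Volumes: []Volume{{Name: "tls", SecretName: "api-tls"}, {Name: "data"}}}
}
```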
How is sensitive data handled?
Security is built into everything we do:
- No access to secrets: The operator does not read secrets, config maps, or environment variables (see here).
- Secure network transport: All data is transmitted over encrypted channels.
- Data regionality: DevZero's control plane runs in the US and the EU.
- Certified compliance: DevZero is SOC 2 Type II compliant, with strong practices in place for data protection and auditability.
Security, Compliance, and Operational Integrity
DevZero is SOC 2 Type II compliant and committed to maintaining the highest standards of data security, availability, and confidentiality. Our security program is built on layered controls, continuous monitoring, and customer transparency.
Data Collection, Storage, and Retention
All metadata collected by the DevZero operator is transmitted over encrypted channels and stored in logically isolated environments per customer. Data is retained according to default retention policies and can be deleted upon customer request.
Authentication and Access Controls
The operator authenticates to the DevZero platform using scoped credentials that are tied to your organization. All access is governed by strict role-based access controls (RBAC) to ensure only authorized users can view your data.
Namespace and Scope Limiting
While the operator can observe the full cluster by default, it can be configured to limit visibility to specific namespaces or workloads, supporting multi-tenant and compliance-sensitive deployments.
Audit Logging and Monitoring
All interactions between the operator and the platform are logged for traceability. DevZero continuously monitors infrastructure for anomalies and performs regular vulnerability scans and third-party penetration tests. Customers may request access to their audit logs to support reviews or investigations.
Change and Incident Management
Changes to infrastructure or software follow a formal change management process, with emergency changes logged and reviewed post-implementation. DevZero maintains a documented incident response plan and will notify customers within 24 hours of any incident affecting their data.
Customer Control and Operator Disablement
Customers retain complete control over the operator. It can be paused or uninstalled at any time with a single command, immediately stopping all data collection and communication.
Vendor and Subprocessor Management
DevZero uses a limited set of trusted subprocessors—all of whom are SOC 2 compliant—to operate the platform. Vendors are reviewed for security compliance before onboarding and reassessed annually. A list of subprocessors is available upon request. DevZero does not sell or share customer data with third parties outside of subprocessors used strictly for operational purposes.
Employee Awareness and Training
All employees undergo security training within 30 days of hire and annually thereafter. Confidentiality agreements and a security-oriented code of conduct are mandatory.
Risk Management
DevZero conducts annual risk assessments to identify and mitigate threats. Risk mitigation plans are tracked and reviewed to ensure alignment with evolving security standards.
We view compliance as an ongoing commitment, not a one-time certification. Our SOC 2 Type II framework reflects a continuous investment in securing customer data and maintaining operational excellence.