DevZero Logo
DevZero

Overview

Security and Compliance.

What data does the DevZero operator access?

To provide actionable insights, the operator reads a minimal set of non-sensitive data. Specifically, it collects:

  • Cluster resources such as nodes, pods, and deployments
  • Select metadata from pods, deployments, daemon sets, and stateful sets
  • CPU, memory, and storage consumption data to identify underutilization

For a list of all the metadata collectors, check out the source code here.

What is NOT collected?

At any point, a user can modify what the DevZero operator collects.

How is sensitive data handled?

Security is built into everything we do:

  • No access to secrets: The operator does not read secrets, config maps, or environment variables (see here).
  • Secure network transport: All data is transmitted over encrypted channels.
  • Data regionality: DevZero's control plane runs in US and EU.
  • Certified compliance: DevZero is SOC 2 Type II compliant, with strong practices in place for data protection and auditability.

Security, Compliance, and Operational Integrity

DevZero is SOC 2 Type II compliant and committed to maintaining the highest standards of data security, availability, and confidentiality. Our security program is built on layered controls, continuous monitoring, and customer transparency.

Data Collection, Storage, and Retention

All metadata collected by the DevZero operator is transmitted over encrypted channels and stored in logically isolated environments per customer. Data is retained according to default retention policies and can be deleted upon customer request.

Authentication and Access Controls

The operator authenticates to the DevZero platform using scoped credentials that are tied to your organization. All access is governed by strict role-based access controls (RBAC) to ensure only authorized users can view your data.

Namespace and Scope Limiting

While the operator can observe the full cluster by default, it can be configured to limit visibility to specific namespaces or workloads, supporting multi-tenant and compliance-sensitive deployments.

Audit Logging and Monitoring

All interactions between the operator and the platform are logged for traceability. DevZero continuously monitors infrastructure for anomalies and performs regular vulnerability scans and third-party penetration tests. Customers may request access to their audit logs to support reviews or investigations.

Change and Incident Management

Changes to infrastructure or software follow a formal change management process, with emergency changes logged and reviewed post-implementation. DevZero maintains a documented incident response plan and will notify customers within 24 hours of any incident affecting their data.

Customer Control and Operator Disablement

Customers retain complete control over the operator. It can be paused or uninstalled at any time with a single command, immediately stopping all data collection and communication.

Vendor and Subprocessor Management

DevZero uses a limited set of trusted subprocessors—all of whom are SOC 2 compliant—to operate the platform. Vendors are reviewed for security compliance before onboarding and reassessed annually. A list of subprocessors is available upon request. DevZero does not sell or share customer data with third parties outside of subprocessors used strictly for operational purposes.

Employee Awareness and Training

All employees undergo security training within 30 days of hire and annually thereafter. Confidentiality agreements and a security-oriented code of conduct are mandatory.

Risk Management

DevZero conducts annual risk assessments to identify and mitigate threats. Risk mitigation plans are tracked and reviewed to ensure alignment with evolving security standards.

We view compliance as an ongoing commitment, not a one-time certification. Our SOC 2 Type II framework reflects a continuous investment in securing customer data and maintaining operational excellence.