Security posture

What we implement, what we do not claim.

What we implement

EU / Germany hosting

ZentraLink can be self-hosted on your own German or EU infrastructure. The default install runs on a single Ubuntu 24.04 host you control - no third-party SaaS in the data path.

Read-only first

Every provider connection starts in read-only mode. Switching to live write requires an explicit acknowledgement, a real connection test and a write-permission probe.

Approval workflow

Critical DNS changes (MX, NS, TXT, CAA, SOA), deletions, bulk edits and rollbacks can be approval-gated per workspace. The request creator cannot self-approve.

Encrypted secrets

Provider credentials, 2FA secrets and SMTP passwords are encrypted at rest with AES-256-GCM using the PLATFORM_ENCRYPTION_KEY. Secrets are never returned in API responses and never written to audit metadata.

Two-factor authentication

TOTP (RFC 6238) with 10 single-use backup codes. Backup codes are argon2id-hashed. Disabling 2FA wipes both the secret and the backup codes.

Audit log

Every action - login, DNS change, provider test, ticket comment, template edit - is recorded with actor, IP, user-agent and structured metadata. The viewer is gated by MANAGER+ role.

DNS diff & snapshots

Snapshots are automatic before every executed change and on-demand. Rollback is a controlled change request with a per-record diff, not a blind overwrite.

Backups

scripts/backup.sh produces a pg_dump and tarballs /opt/zentralink. We recommend running it from cron and keeping an off-server copy, with retention set by your own policy.

Tenant isolation

Every API route resolves an active tenant from the session cookie and matches tenantId in every database query. Cross-tenant reads return 404.

Roles & permissions

Owner, Admin, Manager, Member and Viewer. Approval requires a configured approver role; destructive actions are gated by USER_MANAGE; tenant policy editing requires TENANT_MANAGE.
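
The sketch below shows how the approval gate from "Approval workflow" and the approver-role rule from "Roles & permissions" could fit together. It is an added example, not ZentraLink's own code. The function names, field names, policy shape, role ordering and the "more than one record" definition of a bulk edit are assumptions made for illustration.

```javascript
// Added illustration. Function names, field names and the policy shape are hypothetical.
const CRITICAL_TYPES = new Set(["MX", "NS", "TXT", "CAA", "SOA"]);
// Assumption: roles are ordered, as "MANAGER+" suggests. A Map avoids
// inherited keys such as "constructor" resolving to a non-rank value.
const ROLE_RANK = new Map([
  ["VIEWER", 0], ["MEMBER", 1], ["MANAGER", 2], ["ADMIN", 3], ["OWNER", 4],
]);

// True when the change must wait for an approver in this workspace.
function needsApproval(change, policy) {
  if (!policy.approvalEnabled) return false; // gating is configured per workspace
  if (change.kind === "DELETE" || change.kind === "ROLLBACK") return true;
  if (change.records.length > 1) return true; // assumption: bulk = more than one record
  return change.records.some((r) => CRITICAL_TYPES.has(String(r.type).toUpperCase()));
}

// Decide an approval attempt. Anything not explicitly allowed is denied.
function decideApproval(request, approver, policy) {
  const deny = (reason) => ({ ok: false, reason });
  if (request.status !== "PENDING") return deny("not-pending");
  // A request from another tenant is treated as nonexistent.
  if (approver.tenantId !== request.tenantId) return deny("not-found");
  if (approver.id === request.createdBy) return deny("self-approval");
  const need = ROLE_RANK.get(policy.approverRole);
  const have = ROLE_RANK.get(approver.role);
  // Unknown or unconfigured roles fail closed.
  if (need === undefined || have === undefined || have < need) {
    return deny("insufficient-role");
  }
  return { ok: true, reason: "approved" };
}

// Constructed sample data.
const policy = { approvalEnabled: true, approverRole: "ADMIN" };
const request = {
  tenantId: "t1", createdBy: "u-alice", status: "PENDING", kind: "UPDATE",
  records: [{ type: "mx", name: "example.test", value: "10 mail.example.test." }],
};
const alice = { id: "u-alice", tenantId: "t1", role: "OWNER" };  // request creator
const bob = { id: "u-bob", tenantId: "t1", role: "ADMIN" };
const carol = { id: "u-carol", tenantId: "t1", role: "MEMBER" };
const dave = { id: "u-dave", tenantId: "t2", role: "OWNER" };    // other tenant

console.log("needs approval:", needsApproval(request, policy));
for (const u of [alice, bob, carol, dave]) {
  console.log(u.id, decideApproval(request, u, policy));
}
```

Note that the creator is refused even though she holds the highest role: the self-approval check runs before the role comparison, so rank never overrides it.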

Statuspage

The /status page is public and renders incidents from the database. No third-party statuspage service.

Email notifications

Notification subscriptions are per-user and per-channel (in-app, email). Email delivery uses your SMTP - platform-wide or per tenant. When SMTP isn't configured we say so honestly.

Support system

Built-in ticketing with comments, internal notes, role-gated transitions and Server-Sent-Events live updates. Domain-bound and customer-bound tickets are first-class.

What we do not claim

We are not certified to ISO 27001 or SOC 2. The controls below are implemented in software; the certifications themselves are the operator's responsibility. We do not publish a fake compliance badge.

DPA / data processing agreement

A DPA is available on request via privacy@zentralink.net. The full agreement is also linked from the public DPA page.

Technical & organisational measures

See the TOMs page for the current list of technical and organisational measures. The list mirrors what is implemented in this codebase.