Trust Centre

Built for government data sensitivity.

Every system Zoriken operates meets the security, privacy, and availability standards expected by Trinidad & Tobago’s public sector. This page sets out those commitments, in the form the regulator and the buyer expect.

Zoriken Technologies Limited operates as a data processor for Trinidad & Tobago public bodies. Client procurement records remain the property of the commissioning body at all times. This page describes the technical and organisational measures applied to that data.

Data Residency & Ownership

Primary Region: eu-west-1 · Ireland. Production database with continuous replication.
Disaster Recovery: us-east-1 · Virginia. Encrypted point-in-time backups, 30-day retention.
Client Data Ownership: Commissioning Public Body. Zoriken acts as processor under the Data Protection Act, 2011.
Tenant Isolation: Row-Level Security. PostgreSQL RLS with per-tenant policies; no shared rows.

Security Commitments

Encryption in transit
TLS 1.2 or later is required on every endpoint, and HTTP Strict Transport Security (two-year max-age, submitted to the preload list) ensures browsers only ever connect over HTTPS. All administrative and portal traffic is redirected to HTTPS at the edge.
Encryption at rest
AES-256 encryption applied to primary storage, backups, and object storage. Keys are managed by the managed-database provider with customer-accessible key rotation.
Authentication
Email-based authentication with per-tenant session policies. Idle sessions expire after 30 minutes. Password reset flows use single-use signed tokens.
Content Security Policy
Strict CSP headers applied platform-wide, restricting script, style, and connection sources. OWASP Top 10 mitigations audited quarterly.
Immutable audit trail
Every workflow transition, approval, and amendment is written to a seven-year retention audit log. Records are append-only at the database layer.
Token-gated external access
Supplier and public-facing portals use signed, scoped, time-limited tokens. Validation runs in constant time to prevent timing-based enumeration.
Certificate Authority Authorisation
DNS CAA records restrict TLS certificate issuance for zoriken.com to authorised certificate authorities only. Unauthorised issuance attempts generate an incident report.
DNSSEC
DNS responses are cryptographically signed to prevent spoofing and cache-poisoning attacks against zoriken.com and its subdomains.

Data Protection & Subject Rights

Zoriken complies with the Data Protection Act, 2011 (Act No. 13 of 2011) of Trinidad & Tobago. Data subjects may exercise their rights by contacting privacy@zoriken.com.

Subject Access Requests

Requests to access personal data held about an individual are acknowledged within three business days and resolved within thirty days. Identity is verified before any disclosure.

Erasure Requests

Erasure requests are evaluated against statutory retention obligations. Where a procurement record is subject to the Exchequer & Audit Act’s retention requirements, the record is redacted rather than deleted, and the redaction is logged.

Breach Notification

In the event of a personal data breach affecting a client tenant, the commissioning public body is notified within seventy-two hours, with a preliminary impact assessment and a remediation plan.

Regulatory Alignment

Zoriken’s platforms are built to the published Trinidad & Tobago regulatory framework:

Responsible Disclosure

Security researchers who identify a vulnerability in any Zoriken-operated system are invited to report it in confidence to security@zoriken.com. We acknowledge reports within seventy-two hours and work in good faith with researchers to resolve issues before public disclosure.

Reports that materially reduce risk to our clients are eligible for public acknowledgement in the Hall of Fame, at the reporter’s election.

Software Supply Chain

Every production deployment of PRIVI 2.0 publishes a software bill of materials and a Sigstore-signed build provenance attestation. Auditors can independently verify what code was deployed, by which workflow, and from which source revision.

Step-Up Authentication

Privileged operations within PRIVI 2.0 — mass exports, vendor debarment, bulk role changes, key rotation, tenant deletion, and critical control overrides — require a fresh authentication factor at the moment of execution. A successful step-up is valid for five minutes and is bound to the action class and the user. Every step-up event is logged with a seven-year retention horizon.

Availability & Continuity

Target Availability: 99.9% monthly. Excluding scheduled maintenance windows.
Recovery Time Objective: 4 hours. From declaration of a disaster event.
Recovery Point Objective: 15 minutes. Continuous transaction log replication.
Backup Retention: 30 days point-in-time. Encrypted, geo-redundant, restorable per tenant.

Certifications Roadmap

Zoriken operates on infrastructure providers that are themselves independently certified (SOC 2 Type II). The company’s own certification programme is scheduled as follows, subject to commercial and operational milestones:

Contact

For questions relating to this Trust Centre:

Last reviewed: April 2026